Analysis
max time kernel: 1199s
max time network: 1200s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/11/2024, 13:52
Behavioral tasks
behavioral1: Updater.dll on win10v2004-20241007-en
behavioral2: Updater.dll on win11-20241007-en
behavioral3: launcher.bat on win10v2004-20241007-en
behavioral4: launcher.bat on win11-20241007-en
General
Target: Updater.dll
Size: 129KB
MD5: e08edc1510052adc297d6af47022a70b
SHA1: f08af6d4a2f9655beb8219aca5711400efed8670
SHA256: 915a80abb43f04fcdfb9ba2ced3b38f3524c050b6c0a36d97f4e7827916248b2
SHA512: 2b91019e3d96b57362719b9bddb7b894239977266d23e2c8b9ebbcd93a9ba748491b96a92c1b4fd1876e74a3b7f3da99b89bb0e38a463a8ae9f357d9d9f66652
SSDEEP: 3072:Jhw2Pja55J8hTGMjctYnc/F5ipfVMFY3lz:Jhwv55WT7ctiiF5cV
Malware Config
Extracted: warmcookie
mutex: 65abfc80-a660-4691-a919-130dc9b75b98
Signatures
- Warmcookie family
- Warmcookie, Badspace: Warmcookie, aka Badspace, is a backdoor written in C++.
- Blocklisted process makes network request (64 IoCs)
  All 64 flows originate from pid 4492 (rundll32.exe): flow ids 36-38, 40-48, 52-63 and 70-109. Only the flow ids are recorded in this section; no destinations are listed here.
- Loads dropped DLL (1 IoC)
  pid 4492 rundll32.exe
- Drops file in Windows directory (1 IoC)
  File created: C:\Windows\Tasks\Tivix.job (by regsvr32.exe)
- Modifies data under HKEY_USERS (5 IoCs)
  All by rundll32.exe, under \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\:
  Key created: ZoneMap\
  Set value (int): ProxyBypass = "1"
  Set value (int): IntranetName = "1"
  Set value (int): UNCAsIntranet = "1"
  Set value (int): AutoDetect = "0"
  Caveat: these four ZoneMap values are the WinINet intranet-zone defaults that get initialised on first use, and they land in the .DEFAULT hive because the process runs without a loaded user profile. On their own they are a weak indicator; they matter here only because the writer is the rundll32.exe that loaded the dropped DLL.
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\regsvr32.exe (PID 4188)
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\Updater.dll
  Signatures: Drops file in Windows directory
- C:\Windows\system32\rundll32.exe (PID 4492)
  Command line: C:\Windows\system32\rundll32.exe "C:\ProgramData\Tivix\Updater.dll",Start /u
  Signatures: Blocklisted process makes network request; Loads dropped DLL; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 129KB
  MD5: e08edc1510052adc297d6af47022a70b
  SHA1: f08af6d4a2f9655beb8219aca5711400efed8670
  SHA256: 915a80abb43f04fcdfb9ba2ced3b38f3524c050b6c0a36d97f4e7827916248b2
  SHA512: 2b91019e3d96b57362719b9bddb7b894239977266d23e2c8b9ebbcd93a9ba748491b96a92c1b4fd1876e74a3b7f3da99b89bb0e38a463a8ae9f357d9d9f66652
  These hashes match the submitted Updater.dll, so the file captured here is byte-identical to the original sample.