Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

f47144c715...dd.dll

windows7-x64

10

f47144c715...dd.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • submitted
    30/11/2024, 12:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f47144c7159be31d8116fdc36b66cb72c917cd91a4bbe9eaa55dec929c1cffdd.dll

  • Size

    129KB

  • MD5

    80cd37d9eb33507bf054f32ce2380b09

  • SHA1

    6e8d57dde537ace0639931569ae2b04b9cb99a26

  • SHA256

    f47144c7159be31d8116fdc36b66cb72c917cd91a4bbe9eaa55dec929c1cffdd

  • SHA512

    18f42496c4a66f11aa834e1db7f727ea7041882408a83be00f5ddacfbca439debe611f24eadd19e9453bc774d91d33d98ac25290791d501af2e706dc9ef89bde

  • SSDEEP

    3072:Jhw2Pja55J8hTGMjctYnc/F5ipfVMFY1lz:Jhwv55WT7ctiiF5cv

Score
10/10
warmcookiebackdoordiscovery

Malware Config

Extracted

Family

warmcookie

C2

185.161.251.26

Attributes
  • mutex

    5bba9e40-0e32-4b7f-b39a-667bbc0c2293

  • user_agent

    Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0

Signatures

  • Warmcookie family
    warmcookie
  • Warmcookie, Badspace

    Warmcookie aka Badspace is a backdoor written in C++.

    backdoorwarmcookie
  • Blocklisted process makes network request 16 IoCs
  • Loads dropped DLL 4 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Modifies data under HKEY_USERS 25 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\f47144c7159be31d8116fdc36b66cb72c917cd91a4bbe9eaa55dec929c1cffdd.dll
    1⤵
    • Drops file in Windows directory
    PID:2080
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {48AAEF50-B2AA-4311-AB92-A72B80ECB9D9} S-1-5-18:NT AUTHORITY\System:Service:
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2912
    • C:\Windows\system32\rundll32.exe
      C:\Windows\system32\rundll32.exe "C:\ProgramData\Ventuso LLC\Updater.dll",Start /u
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      PID:2572

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Ventuso LLC\Updater.dll
    Filesize

    129KB

    MD5

    80cd37d9eb33507bf054f32ce2380b09

    SHA1

    6e8d57dde537ace0639931569ae2b04b9cb99a26

    SHA256

    f47144c7159be31d8116fdc36b66cb72c917cd91a4bbe9eaa55dec929c1cffdd

    SHA512

    18f42496c4a66f11aa834e1db7f727ea7041882408a83be00f5ddacfbca439debe611f24eadd19e9453bc774d91d33d98ac25290791d501af2e706dc9ef89bde

    Download Submit