Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

f47144c715...dd.dll

windows7-x64

10

f47144c715...dd.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • submitted
    30/11/2024, 12:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f47144c7159be31d8116fdc36b66cb72c917cd91a4bbe9eaa55dec929c1cffdd.dll

  • Size

    129KB

  • MD5

    80cd37d9eb33507bf054f32ce2380b09

  • SHA1

    6e8d57dde537ace0639931569ae2b04b9cb99a26

  • SHA256

    f47144c7159be31d8116fdc36b66cb72c917cd91a4bbe9eaa55dec929c1cffdd

  • SHA512

    18f42496c4a66f11aa834e1db7f727ea7041882408a83be00f5ddacfbca439debe611f24eadd19e9453bc774d91d33d98ac25290791d501af2e706dc9ef89bde

  • SSDEEP

    3072:Jhw2Pja55J8hTGMjctYnc/F5ipfVMFY1lz:Jhwv55WT7ctiiF5cv

Score
10/10
warmcookiebackdoor

Malware Config

Extracted

Family

warmcookie

C2

185.161.251.26

Attributes
  • mutex

    5bba9e40-0e32-4b7f-b39a-667bbc0c2293

  • user_agent

    Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0

Signatures

  • Warmcookie family
    warmcookie
  • Warmcookie, Badspace

    Warmcookie aka Badspace is a backdoor written in C++.

    backdoorwarmcookie
  • Blocklisted process makes network request 10 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Modifies data under HKEY_USERS 5 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\f47144c7159be31d8116fdc36b66cb72c917cd91a4bbe9eaa55dec929c1cffdd.dll
    1⤵
    • Drops file in Windows directory
    PID:2844
  • C:\Windows\system32\rundll32.exe
    C:\Windows\system32\rundll32.exe "C:\ProgramData\Tandem\Updater.dll",Start /u
    1⤵
    • Blocklisted process makes network request
    • Loads dropped DLL
    • Modifies data under HKEY_USERS
    PID:4488

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Tandem\Updater.dll
    Filesize

    129KB

    MD5

    80cd37d9eb33507bf054f32ce2380b09

    SHA1

    6e8d57dde537ace0639931569ae2b04b9cb99a26

    SHA256

    f47144c7159be31d8116fdc36b66cb72c917cd91a4bbe9eaa55dec929c1cffdd

    SHA512

    18f42496c4a66f11aa834e1db7f727ea7041882408a83be00f5ddacfbca439debe611f24eadd19e9453bc774d91d33d98ac25290791d501af2e706dc9ef89bde

    Download Submit