Analysis
- max time kernel: 149s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19/12/2024, 02:55
Behavioral task: behavioral1
- Sample: 532182c6dcf52d5ce0bc271e94b13e83019fd8d09afdc5e68d985a092b250203.dll
- Resource: win7-20241010-en
Behavioral task: behavioral2
- Sample: 532182c6dcf52d5ce0bc271e94b13e83019fd8d09afdc5e68d985a092b250203.dll
- Resource: win10v2004-20241007-en
General
- Target: 532182c6dcf52d5ce0bc271e94b13e83019fd8d09afdc5e68d985a092b250203.dll
- Size: 1.2MB
- MD5: 6f25f0506bf49fe7f35686ed1f8fef4a
- SHA1: e5596d4c2b924bc93755558e447d1a04d19efdfe
- SHA256: 532182c6dcf52d5ce0bc271e94b13e83019fd8d09afdc5e68d985a092b250203
- SHA512: 5d93f84c6d80430ee853e7ef20cce4235effc1ba49f860c358c16eaad1c762e74b67dd9aa4c7e1996b38da07c2c601ebdcaf8dba9d4b594c19b92db589ec18ae
- SSDEEP: 24576:Usd+7fzBMqZjh2sntUcCy8LfunZzW8IFHcDVh1QhHAO:U3BHjh2OZ80ZzHIF85L
Malware Config
Signatures
- Blocklisted process makes network request (1 IoC)
  flow 3, pid 2456, process rundll32.exe
- Reads local data of messenger clients (2 TTPs)
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Unsecured Credentials: Credentials In Files (1 TTP)
  Steal credentials from unsecured files.
  pid 2492, process powershell.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
  Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  Key opened: \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh (netsh.exe)
  Key queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh (netsh.exe)
  Key value enumerated: \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh (netsh.exe)
- System Network Configuration Discovery: Wi-Fi Discovery (1 TTP, 1 IoC)
  Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
  pid 1996, process netsh.exe
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid 2456, process rundll32.exe (10 entries)
  pid 2492, process powershell.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, pid 2492, process powershell.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 2456 (rundll32.exe) wrote to memory of PID 1996 (procid_target 83)
  PID 2456 (rundll32.exe) wrote to memory of PID 1996 (procid_target 83)
  PID 2456 (rundll32.exe) wrote to memory of PID 2492 (procid_target 85)
  PID 2456 (rundll32.exe) wrote to memory of PID 2492 (procid_target 85)
Processes
- C:\Windows\system32\rundll32.exe (PID 2456)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\532182c6dcf52d5ce0bc271e94b13e83019fd8d09afdc5e68d985a092b250203.dll,#1
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\netsh.exe (PID 1996)
    Command line: netsh wlan show profiles
    - Event Triggered Execution: Netsh Helper DLL
    - System Network Configuration Discovery: Wi-Fi Discovery
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2492)
    Command line: powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\437139445115_Desktop.zip' -CompressionLevel Optimal
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Credential Access
- Credentials from Password Stores (1)
- Credentials from Web Browsers (1)
- Unsecured Credentials (4)
- Credentials In Files (3)
- Credentials in Registry (1)
Downloads