Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20241007-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    19/12/2024, 02:55

General

  • Target

    532182c6dcf52d5ce0bc271e94b13e83019fd8d09afdc5e68d985a092b250203.dll

  • Size

    1.2MB

  • MD5

    6f25f0506bf49fe7f35686ed1f8fef4a

  • SHA1

    e5596d4c2b924bc93755558e447d1a04d19efdfe

  • SHA256

    532182c6dcf52d5ce0bc271e94b13e83019fd8d09afdc5e68d985a092b250203

  • SHA512

    5d93f84c6d80430ee853e7ef20cce4235effc1ba49f860c358c16eaad1c762e74b67dd9aa4c7e1996b38da07c2c601ebdcaf8dba9d4b594c19b92db589ec18ae

  • SSDEEP

    24576:Usd+7fzBMqZjh2sntUcCy8LfunZzW8IFHcDVh1QhHAO:U3BHjh2OZ80ZzHIF85L

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Reads credentials stored in unsecured files on the file system.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Executes commands through powershell.exe.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. This signature is keyed on netsh.exe execution; the command line actually observed here (netsh wlan show profiles) enumerates saved Wi-Fi profiles and does not register a helper DLL (netsh add helper), so treat it as discovery rather than confirmed persistence.

  • System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 1 IoCs

    Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems. The observed command, netsh wlan show profiles, lists saved profile names only; recovering a profile's pre-shared key requires a follow-up such as netsh wlan show profile name=<SSID> key=clear, which does not appear in this process tree.

  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\532182c6dcf52d5ce0bc271e94b13e83019fd8d09afdc5e68d985a092b250203.dll,#1
    1⤵
    • Blocklisted process makes network request
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2456
    • C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      2⤵
      • Event Triggered Execution: Netsh Helper DLL
      • System Network Configuration Discovery: Wi-Fi Discovery
      PID:1996
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\437139445115_Desktop.zip' -CompressionLevel Optimal
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2492
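
The process tree above is the detectable part of this sample's behaviour: rundll32.exe loading a DLL by export ordinal (`,#1`) from %TEMP%, then spawning netsh for Wi-Fi profile discovery and PowerShell to stage an archive under %TEMP%. The following Python is an added example of detection logic for that chain and is not part of the tria.ge report. It runs over constructed process-creation events: PIDs, images and command lines are copied from the tree above, while the explorer.exe parent (PID 1100), the benign control event (PID 3100), the rule names and the set of suspicious parent images are this example's own assumptions.

```python
"""Detection logic for the process chain in this report: rundll32.exe loading a DLL
by export ordinal from %TEMP%, then spawning `netsh wlan show profiles` (Wi-Fi
profile discovery) and `powershell -Command Compress-Archive ...` that writes a
zip under %TEMP% (collection staging). Runs over constructed process-creation
events; the rule names and parent set are this example's own, not tria.ge's."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Trimmed process-creation record (Sysmon Event ID 1 / Security 4688 fields)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample telemetry. PIDs 2456/1996/2492, images and command lines are
# taken from the report's process tree; the explorer.exe parent (PID 1100) and the
# benign control event (PID 3100) are assumptions added for the example.
SAMPLE_EVENTS = [
    ProcEvent(1100, 900, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(2456, 1100, r"C:\Windows\system32\rundll32.exe",
              r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\532182c6dcf52d5ce0bc271e94b13e83019fd8d09afdc5e68d985a092b250203.dll,#1"),
    ProcEvent(1996, 2456, r"C:\Windows\system32\netsh.exe", "netsh wlan show profiles"),
    ProcEvent(2492, 2456, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' "
              r"-DestinationPath 'C:\Users\Admin\AppData\Local\Temp\437139445115_Desktop.zip' -CompressionLevel Optimal"),
    # Benign control: an interactive user zipping a Documents folder from explorer.
    ProcEvent(3100, 1100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell -Command Compress-Archive -Path 'C:\Users\Admin\Documents\reports' "
              r"-DestinationPath 'C:\Users\Admin\Documents\reports.zip'"),
]

# Parents that should not normally launch archivers: an analyst's choice, not a standard list.
LOLBIN_PARENTS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|Users\\Public|ProgramData)\\", re.I)
ORDINAL_EXPORT = re.compile(r"\.dll,#\d+\b", re.I)          # rundll32 <dll>,#<ordinal>
WLAN_PROFILE = re.compile(r"\bwlan\s+show\s+profiles?\b", re.I)
WLAN_KEY_CLEAR = re.compile(r"\bkey\s*=\s*clear\b", re.I)   # PSK retrieval; not seen in this report
COMPRESS_TO_TEMP = re.compile(
    r'''Compress-Archive.*?-DestinationPath\s+['"]?[^'"]*\\AppData\\Local\\Temp\\[^'"]+\.zip''', re.I)


def basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return sorted (rule, pid) findings from the per-process rules plus the chain rule."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = basename(e.image)
        parent = by_pid.get(e.ppid)
        pname = basename(parent.image) if parent else ""
        if name == "rundll32.exe" and ORDINAL_EXPORT.search(e.cmdline) and USER_WRITABLE.search(e.cmdline):
            findings.append(("rundll32_ordinal_export_from_user_path", e.pid))
        if name == "netsh.exe" and WLAN_PROFILE.search(e.cmdline):
            rule = "wifi_profile_key_extraction" if WLAN_KEY_CLEAR.search(e.cmdline) else "wifi_profile_discovery"
            findings.append((rule, e.pid))
        if name == "powershell.exe" and COMPRESS_TO_TEMP.search(e.cmdline) and pname in LOLBIN_PARENTS:
            findings.append(("archive_staging_in_temp_from_lolbin", e.pid))

    # Chain rule: a single rundll32 parent whose children both enumerate Wi-Fi
    # profiles and stage an archive is the collection pattern seen in this report.
    child_rules = defaultdict(set)
    for rule, pid in findings:
        e = by_pid[pid]
        if e.ppid in by_pid and basename(by_pid[e.ppid].image) == "rundll32.exe":
            child_rules[e.ppid].add(rule)
    for ppid, rules in child_rules.items():
        if rules & {"wifi_profile_discovery", "wifi_profile_key_extraction"} \
                and "archive_staging_in_temp_from_lolbin" in rules:
            findings.append(("infostealer_collection_chain", ppid))
    return sorted(findings)


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule:40s} pid={pid}")
```

On its own, `netsh wlan show profiles` is low-signal (administrators run it by hand), which is why the chain rule keys on the rundll32 parent and the co-occurring archive staging rather than on the netsh event alone; the `key=clear` variant is split out so that actual PSK retrieval, not observed here, can be scored higher.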

Network

MITRE ATT&CK Enterprise v15

Downloads

The _Files_ directory listed below is the staging folder that the PowerShell child archived into 437139445115_Desktop.zip; the __PSScriptPolicyTest_*.ps1 entry is a script-policy probe that PowerShell writes to %TEMP% at interpreter start-up, not a component dropped by the sample.

  • C:\Users\Admin\AppData\Local\Temp\437139445115_Desktop.zip

    Filesize

    71KB

    MD5

    36c67ec0a9ad650b8e0c0f80d11177ec

    SHA1

    ca5714d78c62f1a7b3fc3fe99da49e64847484cb

    SHA256

    3b648cee93734e0f7be0d3858a3109bf275d7fe52543a6409b4ae9fa0e46ff66

    SHA512

    d824af534f1f07a274e37c573d8f83594b6b9d69e80950534afa1312b28ebc65a960c0405ba5ede8c5a9513cefb231b609d71aba40ec241af577d2907c6e2309

  • C:\Users\Admin\AppData\Local\Temp\_Files_\AssertInvoke.docx

    Filesize

    18KB

    MD5

    fd80231e47eda2148753be7caa821bbb

    SHA1

    00dbadaab2b4788c32e2e5bb251039ec172448bf

    SHA256

    1cf25b42ebf7dd7d2149ed0a637ab4ca3dec4fd7d7dccd045aa1c97f0591eaa6

    SHA512

    ad0a197a0cdeb37afa72ebb87d425680829e9af821b9ecda031d8b52c6d4e4863f3dd8e2056d83c334ddab12630a96d3d290eb7857181021883b936647f90581

  • C:\Users\Admin\AppData\Local\Temp\_Files_\DismountRead.xlsx

    Filesize

    10KB

    MD5

    742392c03406698ec77c9a16936e5363

    SHA1

    ebfa964cf89848d40ef21549d4bfed7efa5b43dd

    SHA256

    3acd2168b8a851b1fdd4f6640090f2a3fdeed8ffaffe3256c035d19fcf5819f7

    SHA512

    d49032fab0efbc0b5a76e748089e9f12e103e33db1d8cb4bc91c8ee352d7f4207c1ad6b141fa46ecf6ebab68320f86c1a6bee41658ff9d0b6c70d184176e1529

  • C:\Users\Admin\AppData\Local\Temp\_Files_\ImportHide.docx

    Filesize

    15KB

    MD5

    5d38fc77abbf3ed291d97db068ebae95

    SHA1

    781e99affd9f8f0746c9de34825dacebfd0a966a

    SHA256

    e3b6ecc2514e24ce2dd68feebaeb00a9d3e3d4c24779b72c132e8c530702d8db

    SHA512

    31cf38f8960f62d2bf49a25b15b737df581a620ab60f5582099e6a3b67b9264555d7fdbb36fdaf9fb750be8d9b5915d435506bf382e294ca78032075c9103591

  • C:\Users\Admin\AppData\Local\Temp\_Files_\ImportSearch.xlsx

    Filesize

    13KB

    MD5

    f476fd07a8a977060f93964e2104cc11

    SHA1

    7a8edcbe65de4318996cedb66f22159d6611ff37

    SHA256

    4ae0e7db0ba08de070125ad265195c6d8795cb057e061e16af77d49e1f495b5d

    SHA512

    2e8df89e01842385ce779a571a9d4079275bf6465a97ac5d5e1bfb825b6e7d71e52c60e240796627faffc31fa2d5d1da375b398afdd37e75ebbba3eefd83cdbd

  • C:\Users\Admin\AppData\Local\Temp\_Files_\LockExpand.docx

    Filesize

    16KB

    MD5

    bee930a7354714601938a8932dbc6f27

    SHA1

    0a8157b32e68997aa6f88cbf48ff1217bf84d20e

    SHA256

    f9efc6828b9461ead81834076de8948a3399c7bc398babd315c03ecca03c31f6

    SHA512

    487f9afd9a06d153d81c00812b685b07a233a7417653c59eff46f4dec3b124134b08c20fc14ac86e4ad494f9769326373d15df1611b86462fb82266ea4da8bf1

  • C:\Users\Admin\AppData\Local\Temp\_Files_\UndoRevoke.xlsx

    Filesize

    11KB

    MD5

    ca82c42fa0861e48a8d4d7a3b08d892f

    SHA1

    f6a6c4bdee8b01a2fb4980424068457f0e54d3be

    SHA256

    bb84e6b82e7d9f3c4117e9bb138f35150b3dfa5432be4935b294f6546f05f2bb

    SHA512

    a93b968dc39158627edda3480df049dab38b9c3d92253dc2ddaa01cead873ddd1b38b66dc371a7ee27ec5c5d6233e35fde38cb0b48131314b822e3753f2d241f

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tqaewkoa.m1i.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • memory/2492-17-0x00007FFBAD000000-0x00007FFBADAC1000-memory.dmp

    Filesize

    10.8MB

  • memory/2492-20-0x000002574CCD0000-0x000002574CCDA000-memory.dmp

    Filesize

    40KB

  • memory/2492-19-0x000002574D070000-0x000002574D082000-memory.dmp

    Filesize

    72KB

  • memory/2492-18-0x00007FFBAD000000-0x00007FFBADAC1000-memory.dmp

    Filesize

    10.8MB

  • memory/2492-6-0x00007FFBAD003000-0x00007FFBAD005000-memory.dmp

    Filesize

    8KB

  • memory/2492-30-0x00007FFBAD000000-0x00007FFBADAC1000-memory.dmp

    Filesize

    10.8MB

  • memory/2492-7-0x000002574CCE0000-0x000002574CD02000-memory.dmp

    Filesize

    136KB