Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 94s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19/12/2024, 02:59
Behavioral task behavioral1
- Sample: 646ec8d518fbd50186a693b5ea82d1d32c4835b1525393c91e49c6529b48bfcf.dll
- Resource: win7-20241010-en
Behavioral task behavioral2
- Sample: 646ec8d518fbd50186a693b5ea82d1d32c4835b1525393c91e49c6529b48bfcf.dll
- Resource: win10v2004-20241007-en
General
- Target: 646ec8d518fbd50186a693b5ea82d1d32c4835b1525393c91e49c6529b48bfcf.dll
- Size: 1.0MB
- MD5: 89cb9bdb4c8e64b9bfe35de70d1a1b2e
- SHA1: 4f69609a7d3f56373a0c0241e9cc4accf9075fc4
- SHA256: 646ec8d518fbd50186a693b5ea82d1d32c4835b1525393c91e49c6529b48bfcf
- SHA512: caf926b756482ba8ea75613d6a51576fb085f0b6844afab2939ddb5b6356f84b6f2721f1982c5d29ae66d2ca5aa4a9ea62b8a8174f185fb94293ab1d97ab4438
- SSDEEP: 24576:YNFxrUgNQWcPb72kXGWjVcwBlTd8DKT/VSMsCdTzHpgay3h:YNFxogmf2scG1Tzc3h
Malware Config
Signatures
- Blocklisted process makes network request (1 IoC)
  flow 5, pid 1748, process rundll32.exe
- Reads local data of messenger clients (2 TTPs)
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar secrets.
- Unsecured Credentials: Credentials In Files (1 TTP)
  Steal credentials from unsecured files.
  pid 1784, process powershell.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
  Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  Key opened: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh (netsh.exe)
  Key queried: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh (netsh.exe)
  Key value enumerated: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh (netsh.exe)
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (rundll32.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (netsh.exe)
- System Network Configuration Discovery: Wi-Fi Discovery (1 TTP, 1 IoC)
  Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
  pid 1512, process netsh.exe
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid 1748, process rundll32.exe (10 events)
  pid 1784, process powershell.exe (2 events)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, pid 1784, process powershell.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 432 (rundll32.exe) wrote to memory of PID 1748, procid_target 83 (3 events)
  PID 1748 (rundll32.exe) wrote to memory of PID 1512, procid_target 84 (3 events)
  PID 1748 (rundll32.exe) wrote to memory of PID 1784, procid_target 86 (2 events)
Processes
- [1] C:\Windows\system32\rundll32.exe (PID 432)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\646ec8d518fbd50186a693b5ea82d1d32c4835b1525393c91e49c6529b48bfcf.dll,#1
  Signatures:
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\rundll32.exe (PID 1748)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\646ec8d518fbd50186a693b5ea82d1d32c4835b1525393c91e49c6529b48bfcf.dll,#1
    Signatures:
    - Blocklisted process makes network request
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\netsh.exe (PID 1512)
      Command line: netsh wlan show profiles
      Signatures:
      - Event Triggered Execution: Netsh Helper DLL
      - System Location Discovery: System Language Discovery
      - System Network Configuration Discovery: Wi-Fi Discovery
    - [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1784)
      Command line: powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\350944739639_Desktop.zip' -CompressionLevel Optimal
      Signatures:
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Credential Access
- Credentials from Password Stores (1)
- Credentials from Web Browsers (1)
- Unsecured Credentials (4)
- Credentials In Files (3)
- Credentials in Registry (1)
Downloads