Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    93s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23/12/2024, 23:43 UTC

General

  • Target

    $PLUGINSDIR/rrkssezi.dll

  • Size

    20KB

  • MD5

    0b9de97b386a1a82cee5d3e059b7ec9b

  • SHA1

    cc730fba70941afa39a9827fea215c9f099a6d01

  • SHA256

    ad29dd53baa1e19fe4cacd99b9dea3b6e7fba8c6d89fe0492244de4414948e21

  • SHA512

    b36cef8eb5fdf990ed79fd718a250e6f736e585516b4cfc97b7a0aba6f254e8997d8cf0262b0f4a894dc91e13c2b22aaa1eac554c2e23c42e50e8bc2fae3ad3d

  • SSDEEP

    384:cYwn4GqWlh1i9E8LB2T35YjzYDYp0fRBtsoudoq0HNyp:7wnskhU6tTuYkpoudohy

Score
3/10

Malware Config

Signatures

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\rrkssezi.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4336
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\rrkssezi.dll,#1
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2244
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\rrkssezi.dll,#1
        3⤵
          PID:2212
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 728
          3⤵
          • Program crash
          PID:1360
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2244 -ip 2244
      1⤵
        PID:2524

      Network

      • flag-us
        DNS
        133.211.185.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        133.211.185.52.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        180.129.81.91.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        180.129.81.91.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        140.32.126.40.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        140.32.126.40.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        95.221.229.192.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        95.221.229.192.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        196.249.167.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        196.249.167.52.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        241.150.49.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        241.150.49.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        53.210.109.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        53.210.109.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        241.42.69.40.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        241.42.69.40.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        172.210.232.199.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        172.210.232.199.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        22.49.80.91.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        22.49.80.91.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        81.144.22.2.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        81.144.22.2.in-addr.arpa
        IN PTR
        Response
        81.144.22.2.in-addr.arpa
        IN PTR
        a2-22-144-81deploystaticakamaitechnologiescom
      No results found
      • 8.8.8.8:53
        133.211.185.52.in-addr.arpa
        dns
        73 B
        147 B
        1
        1

        DNS Request

        133.211.185.52.in-addr.arpa

      • 8.8.8.8:53
        180.129.81.91.in-addr.arpa
        dns
        72 B
        147 B
        1
        1

        DNS Request

        180.129.81.91.in-addr.arpa

      • 8.8.8.8:53
        140.32.126.40.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        140.32.126.40.in-addr.arpa

      • 8.8.8.8:53
        95.221.229.192.in-addr.arpa
        dns
        73 B
        144 B
        1
        1

        DNS Request

        95.221.229.192.in-addr.arpa

      • 8.8.8.8:53
        196.249.167.52.in-addr.arpa
        dns
        73 B
        147 B
        1
        1

        DNS Request

        196.249.167.52.in-addr.arpa

      • 8.8.8.8:53
        241.150.49.20.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        241.150.49.20.in-addr.arpa

      • 8.8.8.8:53
        53.210.109.20.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        53.210.109.20.in-addr.arpa

      • 8.8.8.8:53
        241.42.69.40.in-addr.arpa
        dns
        71 B
        145 B
        1
        1

        DNS Request

        241.42.69.40.in-addr.arpa

      • 8.8.8.8:53
        172.210.232.199.in-addr.arpa
        dns
        74 B
        128 B
        1
        1

        DNS Request

        172.210.232.199.in-addr.arpa

      • 8.8.8.8:53
        22.49.80.91.in-addr.arpa
        dns
        70 B
        145 B
        1
        1

        DNS Request

        22.49.80.91.in-addr.arpa

      • 8.8.8.8:53
        81.144.22.2.in-addr.arpa
        dns
        70 B
        133 B
        1
        1

        DNS Request

        81.144.22.2.in-addr.arpa

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/2244-0-0x00000000022A0000-0x00000000022A2000-memory.dmp

        Filesize

        8KB

      We care about your privacy.

      This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.