Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15/01/2025, 14:13 UTC
Static task: static1
Behavioral task: behavioral1
- Sample: 3c3591eb1df1f5f60cc846685303fb58.dll
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 3c3591eb1df1f5f60cc846685303fb58.dll
- Resource: win10v2004-20241007-en
General
- Target: 3c3591eb1df1f5f60cc846685303fb58.dll
- Size: 5.0MB
- MD5: 3c3591eb1df1f5f60cc846685303fb58
- SHA1: d0c3fd09e35ca27aa28099dd5c28f2f0b3f28e2b
- SHA256: 92e19d8feec6650171bd8d60954fc3af2d253002b64547ad22e4761ad74fdb90
- SHA512: f23a38cd00a83bb35a707fd821fd7dd3b706c77fe36b1e03819c0a1cf61424b54163aae0741b7ae6cd14f8a0399c34738500eca897390baa04c102525099eaea
- SSDEEP: 49152:JnjQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM0H9:d8qPoBhz1aRxcSUDk36SAEdhvxWa9
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Wannacry family
- Contacts a large (3345) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  pid    Process
  768    mssecsvc.exe
  2556   mssecsvc.exe
  3044   tasksche.exe
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  description    ioc                        Process
  File created   C:\WINDOWS\mssecsvc.exe    rundll32.exe
  File created   C:\WINDOWS\tasksche.exe    mssecsvc.exe
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                           Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   rundll32.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   mssecsvc.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                         pid    Process        procid_target
  PID 4648 wrote to memory of 1052    4648   rundll32.exe   82
  PID 4648 wrote to memory of 1052    4648   rundll32.exe   82
  PID 4648 wrote to memory of 1052    4648   rundll32.exe   82
  PID 1052 wrote to memory of 768     1052   rundll32.exe   83
  PID 1052 wrote to memory of 768     1052   rundll32.exe   83
  PID 1052 wrote to memory of 768     1052   rundll32.exe   83
Processes
- Image: C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3c3591eb1df1f5f60cc846685303fb58.dll,#1
  PID: 4648
  - Suspicious use of WriteProcessMemory
  - Image: C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3c3591eb1df1f5f60cc846685303fb58.dll,#1
    PID: 1052
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - Image: C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 768
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Image: C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 3044
        - Executes dropped EXE
- Image: C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 2556
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
Network
DNS reverse lookups (IN PTR). The remote address is given only where the report recorded it; an empty Response means no name was returned.
  Remote address   Request                          Response
  8.8.8.8:53       8.8.8.8.in-addr.arpa             dns.google
  8.8.8.8:53       232.168.11.51.in-addr.arpa
  8.8.8.8:53       180.129.81.91.in-addr.arpa
  8.8.8.8:53       17.160.190.20.in-addr.arpa
  8.8.8.8:53       167.173.78.104.in-addr.arpa      a104-78-173-167.deploy.static.akamaitechnologies.com
  8.8.8.8:53       13.86.106.20.in-addr.arpa
  8.8.8.8:53       154.239.44.20.in-addr.arpa
                   200.163.202.172.in-addr.arpa
                   198.187.3.20.in-addr.arpa
                   86.49.80.91.in-addr.arpa
                   8.153.16.2.in-addr.arpa          a2-16-153-8.deploy.static.akamaitechnologies.com
                   19.229.111.52.in-addr.arpa
                   146.230.160.34.in-addr.arpa      146.230.160.34.bc.googleusercontent.com
                   1.230.160.34.in-addr.arpa        1.230.160.34.bc.googleusercontent.com
                   3.230.160.34.in-addr.arpa        3.230.160.34.bc.googleusercontent.com
                   4.230.160.34.in-addr.arpa        4.230.160.34.bc.googleusercontent.com
                   199.147.36.34.in-addr.arpa       199.147.36.34.bc.googleusercontent.com
                   6.230.160.34.in-addr.arpa        6.230.160.34.bc.googleusercontent.com
                   4.147.36.34.in-addr.arpa         4.147.36.34.bc.googleusercontent.com
                   1.121.84.89.in-addr.arpa         ram31-h03-89-84-121-1.dsl.sta.abo.bbox.fr
                   8.230.160.34.in-addr.arpa        8.230.160.34.bc.googleusercontent.com
                   201.121.84.89.in-addr.arpa       ram31-h03-89-84-121-201.dsl.sta.abo.bbox.fr
                   10.230.160.34.in-addr.arpa       10.230.160.34.bc.googleusercontent.com
                   8.147.36.34.in-addr.arpa         8.147.36.34.bc.googleusercontent.com
                   12.230.160.34.in-addr.arpa       12.230.160.34.bc.googleusercontent.com
                   2.121.84.89.in-addr.arpa         ram31-h03-89-84-121-2.dsl.sta.abo.bbox.fr
                   13.147.36.34.in-addr.arpa        13.147.36.34.bc.googleusercontent.com
                   15.230.160.34.in-addr.arpa       15.230.160.34.bc.googleusercontent.com
Downloads
- Filesize: 3.6MB
  MD5: d21d12114f36cb9cd7af57659151d441
  SHA1: 93f5ea70785b7acf9127ee2dc9ab3a87b6d5d39a
  SHA256: 64ed73629dfaec5db575cfd5e55aaff90c081fe6901384f8ea443e158b75bacc
  SHA512: 0a5dfa54520606ce55657a5361ed08a1434c642eedb9cbf382bfe62b89be234b22182629a8b11131b50cfc0df9bb444b50902e3d4409cb5a7423caefd7d729ba
- Filesize: 3.4MB
  MD5: d7f2c9304928c99e1d6856fdf2e75f5f
  SHA1: 1b2bd87f52c95fa4e129b1ef25c8538d5d4be7b5
  SHA256: 26213e7fe08c90f11ed7e38c9be6a50d3fc4eadf884f4f06e51d7f20f71676b7
  SHA512: 091d342951d2c029e9f4c571eea9c58d27f092ca2b913ec8decaf4c823ad4af5e1a04fdf3b53b1a7dda2352b26e8a610b14e7c0bf03d46712e19e6a067e72d1f