
Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250129-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250129-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02/02/2025, 12:53 UTC

General

  • Target

    $PLUGINSDIR/InstallOptions.dll

  • Size

    14KB

  • MD5

    296a5f3179fa8d7a7a855eaf696ede44

  • SHA1

    57aa5b71553ed282dd22c768e039a187f5c13f63

  • SHA256

    ee0ad77e681c4d0fdf1d67df5f4ca03e6bdd8e3b05dfb47a83ad5c733ed62960

  • SHA512

    bc527d1485f468e8d098057e0e38e8cb7aa6eb64d4ca30927b99b1552a3177b132b989015ff95bdf2ca046bf11a54b4b456f51e024fbc734fbb548c3499e53f6

  • SSDEEP

    192:r6JaVGQ+xI5EeuyvMmGpeWH2J5xprN+AxTyK72dwF7dBdcQOz:r6JaVh4I5rpPbTy+BdhO

Score
3/10

Malware Config

Signatures

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2896
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2044
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 636
        3⤵
        • Program crash
        PID:3496
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2044 -ip 2044
    1⤵
    PID:3684

Network

    • US
      DNS
      g.bing.com
      Remote address:
      8.8.8.8:53
      Request
      g.bing.com
      IN A
      Response
      g.bing.com
      IN CNAME
      g-bing-com.ax-0001.ax-msedge.net
      g-bing-com.ax-0001.ax-msedge.net
      IN CNAME
      ax-0001.ax-msedge.net
      ax-0001.ax-msedge.net
      IN A
      150.171.27.10
      ax-0001.ax-msedge.net
      IN A
      150.171.28.10
    • US
      GET
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=c11734e11c454e2abfbd29ee1ee8bcee&localId=w:B882D0B0-45F1-9538-0AB2-A1D709258A23&deviceId=6896210250709091&anid=
      Remote address:
      150.171.27.10:443
      Request
      GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=c11734e11c454e2abfbd29ee1ee8bcee&localId=w:B882D0B0-45F1-9538-0AB2-A1D709258A23&deviceId=6896210250709091&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MUID=01A90F81DDBF6ED72BAF1A06DC5F6F1E; domain=.bing.com; expires=Fri, 27-Feb-2026 12:53:58 GMT; path=/; SameSite=None; Secure; Priority=High;
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 234748B4CD704CEDBDC50A44CA39E20A Ref B: LON04EDGE1013 Ref C: 2025-02-02T12:53:58Z
      date: Sun, 02 Feb 2025 12:53:57 GMT
    • US
      GET
      https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=c11734e11c454e2abfbd29ee1ee8bcee&localId=w:B882D0B0-45F1-9538-0AB2-A1D709258A23&deviceId=6896210250709091&anid=
      Remote address:
      150.171.27.10:443
      Request
      GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=c11734e11c454e2abfbd29ee1ee8bcee&localId=w:B882D0B0-45F1-9538-0AB2-A1D709258A23&deviceId=6896210250709091&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=01A90F81DDBF6ED72BAF1A06DC5F6F1E
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MSPTC=aJaie_EFcGOAoj36PPli6Aii-62AmFp3rUzuKccXYtk; domain=.bing.com; expires=Fri, 27-Feb-2026 12:53:58 GMT; path=/; Partitioned; secure; SameSite=None
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: E37032CF3F034D5E8C7F3454A08EA761 Ref B: LON04EDGE1013 Ref C: 2025-02-02T12:53:58Z
      date: Sun, 02 Feb 2025 12:53:57 GMT
    • US
      GET
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=c11734e11c454e2abfbd29ee1ee8bcee&localId=w:B882D0B0-45F1-9538-0AB2-A1D709258A23&deviceId=6896210250709091&anid=
      Remote address:
      150.171.27.10:443
      Request
      GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=c11734e11c454e2abfbd29ee1ee8bcee&localId=w:B882D0B0-45F1-9538-0AB2-A1D709258A23&deviceId=6896210250709091&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=01A90F81DDBF6ED72BAF1A06DC5F6F1E; MSPTC=aJaie_EFcGOAoj36PPli6Aii-62AmFp3rUzuKccXYtk
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 640B1F9444084FCFA4889A26F8CCDE2C Ref B: LON04EDGE1013 Ref C: 2025-02-02T12:53:58Z
      date: Sun, 02 Feb 2025 12:53:57 GMT
    • US
      DNS
      131.31.126.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      131.31.126.40.in-addr.arpa
      IN PTR
      Response
    • GB
      GET
      https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
      Remote address:
      88.221.135.49:443
      Request
      GET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
      host: www.bing.com
      accept: */*
      cookie: MUID=01A90F81DDBF6ED72BAF1A06DC5F6F1E; MSPTC=aJaie_EFcGOAoj36PPli6Aii-62AmFp3rUzuKccXYtk
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-type: image/png
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QWthbWFp"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      content-length: 1107
      date: Sun, 02 Feb 2025 12:53:59 GMT
      alt-svc: h3=":443"; ma=93600
      x-cdn-traceid: 0.ad8f655f.1738500839.1f4bbd75
    • US
      DNS
      57.169.31.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      57.169.31.20.in-addr.arpa
      IN PTR
      Response
    • US
      DNS
      49.135.221.88.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      49.135.221.88.in-addr.arpa
      IN PTR
      Response
      49.135.221.88.in-addr.arpa
      IN PTR
      a88-221-135-49.deploy.static.akamaitechnologies.com
    • US
      DNS
      50.23.12.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      50.23.12.20.in-addr.arpa
      IN PTR
      Response
    • US
      DNS
      198.187.3.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      198.187.3.20.in-addr.arpa
      IN PTR
      Response
    • US
      DNS
      20.49.80.91.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      20.49.80.91.in-addr.arpa
      IN PTR
      Response
    • US
      DNS
      85.49.80.91.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      85.49.80.91.in-addr.arpa
      IN PTR
      Response
    • US
      DNS
      43.229.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      43.229.111.52.in-addr.arpa
      IN PTR
      Response
    • US
      DNS
      131.72.42.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      131.72.42.20.in-addr.arpa
      IN PTR
      Response
    • 150.171.27.10:443
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=c11734e11c454e2abfbd29ee1ee8bcee&localId=w:B882D0B0-45F1-9538-0AB2-A1D709258A23&deviceId=6896210250709091&anid=
      tls, http2
      2.0kB
      9.3kB
      21
      16

      HTTP Request

      GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=c11734e11c454e2abfbd29ee1ee8bcee&localId=w:B882D0B0-45F1-9538-0AB2-A1D709258A23&deviceId=6896210250709091&anid=

      HTTP Response

      204

      HTTP Request

      GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=c11734e11c454e2abfbd29ee1ee8bcee&localId=w:B882D0B0-45F1-9538-0AB2-A1D709258A23&deviceId=6896210250709091&anid=

      HTTP Response

      204

      HTTP Request

      GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=c11734e11c454e2abfbd29ee1ee8bcee&localId=w:B882D0B0-45F1-9538-0AB2-A1D709258A23&deviceId=6896210250709091&anid=

      HTTP Response

      204
    • 88.221.135.49:443
      https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
      tls, http2
      1.5kB
      6.4kB
      17
      13

      HTTP Request

      GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

      HTTP Response

      200
    • 8.8.8.8:53
      g.bing.com
      dns
      56 B
      148 B
      1
      1

      DNS Request

      g.bing.com

      DNS Response

      150.171.27.10
      150.171.28.10

    • 8.8.8.8:53
      131.31.126.40.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      131.31.126.40.in-addr.arpa

    • 8.8.8.8:53
      57.169.31.20.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      57.169.31.20.in-addr.arpa

    • 8.8.8.8:53
      49.135.221.88.in-addr.arpa
      dns
      72 B
      137 B
      1
      1

      DNS Request

      49.135.221.88.in-addr.arpa

    • 8.8.8.8:53
      50.23.12.20.in-addr.arpa
      dns
      70 B
      156 B
      1
      1

      DNS Request

      50.23.12.20.in-addr.arpa

    • 8.8.8.8:53
      198.187.3.20.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      198.187.3.20.in-addr.arpa

    • 8.8.8.8:53
      20.49.80.91.in-addr.arpa
      dns
      70 B
      145 B
      1
      1

      DNS Request

      20.49.80.91.in-addr.arpa

    • 8.8.8.8:53
      85.49.80.91.in-addr.arpa
      dns
      70 B
      145 B
      1
      1

      DNS Request

      85.49.80.91.in-addr.arpa

    • 8.8.8.8:53
      43.229.111.52.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      43.229.111.52.in-addr.arpa

    • 8.8.8.8:53
      131.72.42.20.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      131.72.42.20.in-addr.arpa

MITRE ATT&CK Enterprise v15
