Analysis
- max time kernel: 11s
- max time network: 135s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 06/08/2021, 14:52
Static task: static1

Behavioral task: behavioral1
- Sample: dce920f5db90efecc7fb7a6b6399c80fc83e3f1251f160cd1295b6a4b67125d4.dll
- Resource: win7v20210408
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: dce920f5db90efecc7fb7a6b6399c80fc83e3f1251f160cd1295b6a4b67125d4.dll
- Resource: win10v20210410
- 0 signatures, 0 seconds
General
- Target: dce920f5db90efecc7fb7a6b6399c80fc83e3f1251f160cd1295b6a4b67125d4.dll
- Size: 159KB
- MD5: e3dace173ded785a9af4a9007587eec6
- SHA1: 2b746a247ef14585e9102336939e341f62cc6b67
- SHA256: dce920f5db90efecc7fb7a6b6399c80fc83e3f1251f160cd1295b6a4b67125d4
- SHA512: da3c9481438b4373c328904aac1ed64a1d20c02a558573543b36fc35a1f296664b518243fe4431b8b19c85678271cc0e7215aae7dd3769d998a45297dccb3b25
- Score: 3/10
Malware Config
Signatures
- Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  3264  3096        WerFault.exe  72

- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid   Process
  3264  WerFault.exe  (14 identical entries)

- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description                pid   Process
  Token: SeRestorePrivilege  3264  WerFault.exe
  Token: SeBackupPrivilege   3264  WerFault.exe
  Token: SeDebugPrivilege    3264  WerFault.exe

- Suspicious use of WriteProcessMemory (3 IoCs)
  description                       pid   Process       procid_target
  PID 4024 wrote to memory of 3096  4024  rundll32.exe  72  (3 identical entries)
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\dce920f5db90efecc7fb7a6b6399c80fc83e3f1251f160cd1295b6a4b67125d4.dll,#1
  PID: 4024
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\dce920f5db90efecc7fb7a6b6399c80fc83e3f1251f160cd1295b6a4b67125d4.dll,#1
    PID: 3096
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3096 -s 624
      PID: 3264
      Signatures: Program crash; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken