Analysis
- max time kernel: 102s
- max time network: 26s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 05/02/2022, 08:24
Static task: static1

Behavioral task: behavioral1
- Sample: ec0f8a5cc597e97224b6f32f462a1e97f10380c2c45ea31a89059c1d2c08a003.dll
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: ec0f8a5cc597e97224b6f32f462a1e97f10380c2c45ea31a89059c1d2c08a003.dll
- Resource: win10v2004-en-20220113
General
- Target: ec0f8a5cc597e97224b6f32f462a1e97f10380c2c45ea31a89059c1d2c08a003.dll
- Size: 561KB
- MD5: a01c8c45a9e54684ae643dd409110ac8
- SHA1: 2124dc39d9ba939a83fbc5782772a0e062998f92
- SHA256: ec0f8a5cc597e97224b6f32f462a1e97f10380c2c45ea31a89059c1d2c08a003
- SHA512: d277f8b95fd331811c04221abe1d85ef0cf09c07590fe7025c7e46a268ccd5f5f0768a91aa2c2f7fcf9167e703bc14c9a7a047084906710b41308e5a636aaeb2
Malware Config
Extracted: zloader
- 08/04
- https://kuaxbdkvbbmivbxkrrev.com/wp-config.php
- https://hwbblyyrb.pw/wp-config.php
- build_id: 134
Signatures

Suspicious use of SetThreadContext (1 IoC)
  description                           pid   Process        procid_target
  PID 960 set thread context of 672     960   rundll32.exe   30

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description                           pid   Process
  Token: SeSecurityPrivilege            672   msiexec.exe
  Token: SeSecurityPrivilege            672   msiexec.exe

Suspicious use of WriteProcessMemory (16 IoCs)
  description                           pid   Process        procid_target   occurrences
  PID 964 wrote to memory of 960        964   rundll32.exe   27              7
  PID 960 wrote to memory of 672        960   rundll32.exe   30              9
Processes
1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ec0f8a5cc597e97224b6f32f462a1e97f10380c2c45ea31a89059c1d2c08a003.dll,#1
   PID: 964
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ec0f8a5cc597e97224b6f32f462a1e97f10380c2c45ea31a89059c1d2c08a003.dll,#1
      PID: 960
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\msiexec.exe
         Command line: msiexec.exe
         PID: 672
         - Suspicious use of AdjustPrivilegeToken