Analysis
  max time kernel:  180s
  max time network: 203s
  platform:         windows10-2004_x64
  resource:         win10v2004-20220812-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        04/10/2022, 05:42
Static task: static1

Behavioral task: behavioral1
  Sample:   e54bd1f30f8d1569dda12f540224f01f43cf12deb7abd3d7a63dcd4ff14914fc.dll
  Resource: win7-20220812-en

Behavioral task: behavioral2
  Sample:   e54bd1f30f8d1569dda12f540224f01f43cf12deb7abd3d7a63dcd4ff14914fc.dll
  Resource: win10v2004-20220812-en
General
  Target: e54bd1f30f8d1569dda12f540224f01f43cf12deb7abd3d7a63dcd4ff14914fc.dll
  Size:   274KB
  MD5:    4f32ddcce8b70f220daf51bacd506fd2
  SHA1:   4a139408ce294b27e49f8be38b18511c1a6b4ae7
  SHA256: e54bd1f30f8d1569dda12f540224f01f43cf12deb7abd3d7a63dcd4ff14914fc
  SHA512: 3430a77000b9b145d1b39d5f75569d9b210f8f77a4bbe57ecaa64249b380e26c0d6dff09c6d64cd265419a7472a1c0935dda30e6d76197f34cc82e2ed5cd309e
  SSDEEP: 6144:uTGXCfq3+QonIjWWMgXebaPbGfrdz6yFoBrFhVVwJXP:25y3V0IiWrKfBW+QzVVw5P
Malware Config

Signatures

Program crash (3 IoCs)
  pid   pid_target  Process       procid_target
  1984  1388        WerFault.exe  81
  3996  1388        WerFault.exe  81
  2224  1388        WerFault.exe  81

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   Process
  Token: SeDebugPrivilege  1388  rundll32.exe

Suspicious use of SetWindowsHookEx (64 IoCs)
  pid   Process
  1388  rundll32.exe   (the same row is reported 64 times)

Suspicious use of WriteProcessMemory (3 IoCs)
  description                       pid   Process       procid_target
  PID 1364 wrote to memory of 1388  1364  rundll32.exe  81
  PID 1364 wrote to memory of 1388  1364  rundll32.exe  81
  PID 1364 wrote to memory of 1388  1364  rundll32.exe  81
Processes (process tree; depth shown by indentation)

C:\Windows\system32\rundll32.exe  (PID 1364)
  command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e54bd1f30f8d1569dda12f540224f01f43cf12deb7abd3d7a63dcd4ff14914fc.dll,#1
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe  (PID 1388)
    command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e54bd1f30f8d1569dda12f540224f01f43cf12deb7abd3d7a63dcd4ff14914fc.dll,#1
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\WerFault.exe  (PID 1984)
      command: C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 792
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe  (PID 3996)
      command: C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 792
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe  (PID 2224)
      command: C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 792
      - Program crash

C:\Windows\SysWOW64\WerFault.exe  (PID 4532)
  command: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1388 -ip 1388

C:\Windows\SysWOW64\WerFault.exe  (PID 3236)
  command: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1388 -ip 1388

C:\Windows\SysWOW64\WerFault.exe  (PID 232)
  command: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1388 -ip 1388