Analysis
  max time kernel:  150s
  max time network: 153s
  platform:         windows10-2004_x64
  resource:         win10v2004-20220812-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        12/10/2022, 18:09
Static task
  static1
Behavioral task
  behavioral1
  Sample:   f24b7c7f0898adf7000ea72688a20f172f114bb490d34d23909a695cb7bb1f34.dll
  Resource: win7-20220901-en
Behavioral task
  behavioral2
  Sample:   f24b7c7f0898adf7000ea72688a20f172f114bb490d34d23909a695cb7bb1f34.dll
  Resource: win10v2004-20220812-en
General
  Target: f24b7c7f0898adf7000ea72688a20f172f114bb490d34d23909a695cb7bb1f34.dll
  Size:   402KB
  MD5:    60147f59e4c0179c39148067d2446133
  SHA1:   4b0c6e954827b4c1b01a42c1256cbf75894c9de8
  SHA256: f24b7c7f0898adf7000ea72688a20f172f114bb490d34d23909a695cb7bb1f34
  SHA512: c700d0d6428cdac9dcc92ec71e323cd29e6874119378f0922607ccc0dd276f4cd1d367c7732edff2cdf2cd5b06bccba71c24272bb0bab88b1459e79fe45c78c4
  SSDEEP: 12288:TA/O2c4Faj+5SLD6iX73pqhbL66gvNdHo:TA/Raj+ULDF73ebL66qNdI
Malware Config
Signatures

Blocklisted process makes network request (24 IoCs)
  flow  pid   Process
  12    1200  rundll32.exe
  18    1200  rundll32.exe
  31    1200  rundll32.exe
  42    1200  rundll32.exe
  51    1200  rundll32.exe
  55    1200  rundll32.exe
  61    1200  rundll32.exe
  65    1200  rundll32.exe
  69    1200  rundll32.exe
  73    1200  rundll32.exe
  77    1200  rundll32.exe
  81    1200  rundll32.exe
  87    1200  rundll32.exe
  91    1200  rundll32.exe
  95    1200  rundll32.exe
  99    1200  rundll32.exe
  103   1200  rundll32.exe
  107   1200  rundll32.exe
  111   1200  rundll32.exe
  115   1200  rundll32.exe
  119   1200  rundll32.exe
  123   1200  rundll32.exe
  127   1200  rundll32.exe
  131   1200  rundll32.exe

Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  description                    ioc                  Process
  File opened for modification   \??\PhysicalDrive0   rundll32.exe

Drops file in System32 directory (2 IoCs)
  description    ioc                                Process
  File created   C:\Windows\SysWOW64\42-9370-15     rundll32.exe
  File created   C:\Windows\SysWOW64\245            rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                         pid    Process        procid_target
  PID 3172 wrote to memory of 1200    3172   rundll32.exe   82
  PID 3172 wrote to memory of 1200    3172   rundll32.exe   82
  PID 3172 wrote to memory of 1200    3172   rundll32.exe   82
Processes
  C:\Windows\system32\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f24b7c7f0898adf7000ea72688a20f172f114bb490d34d23909a695cb7bb1f34.dll,#1
    PID: 3172
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f24b7c7f0898adf7000ea72688a20f172f114bb490d34d23909a695cb7bb1f34.dll,#1
      PID: 1200
      - Blocklisted process makes network request
      - Writes to the Master Boot Record (MBR)
      - Drops file in System32 directory