Analysis
- max time kernel: 162s
- max time network: 170s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20/10/2022, 03:27
Static task: static1
Behavioral task: behavioral1
- Sample: 6ed2cd0ad3af207c3b07e8f0ae43df89001f516e4edfab090bb2283a9bf4875d.dll
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 6ed2cd0ad3af207c3b07e8f0ae43df89001f516e4edfab090bb2283a9bf4875d.dll
- Resource: win10v2004-20220812-en
General
- Target: 6ed2cd0ad3af207c3b07e8f0ae43df89001f516e4edfab090bb2283a9bf4875d.dll
- Size: 596KB
- MD5: 7ba3161d629cc179412835c88c4500f7
- SHA1: 8773e6711a316100db0f319ee6decd9d433fab1e
- SHA256: 6ed2cd0ad3af207c3b07e8f0ae43df89001f516e4edfab090bb2283a9bf4875d
- SHA512: 7ac20b72505ffe2a3d4c09896dc3d41da18d9d199c045ba053cc85de276256d9a53eb5917be362c7b771089adff80603d74a2b68195f6e632ab66ff6b4414776
- SSDEEP: 12288:bXo450qjYthuCNIm/kqF6a2FjyHIDiroM3kN:y/ku6FjyHe+oM32
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 4728, Process rundll32mgr.exe
- YARA rule matches (rule: upx)
  resource behavioral2/files/0x0007000000022e05-135.dat, yara_rule upx
  resource behavioral2/memory/4728-137-0x0000000000400000-0x0000000000473000-memory.dmp, yara_rule upx
  resource behavioral2/files/0x0007000000022e05-136.dat, yara_rule upx
- Drops file in System32 directory (1 IoC)
  description: File created; ioc: C:\Windows\SysWOW64\rundll32mgr.exe; Process: rundll32.exe
- Program crash (2 IoCs)
  pid 4248, pid_target 4468, Process WerFault.exe, procid_target 83
  pid 4720, pid_target 4728, Process WerFault.exe, procid_target 85
- Suspicious use of WriteProcessMemory (6 IoCs)
  description: PID 4904 wrote to memory of 4468; pid 4904; Process rundll32.exe; procid_target 83 (reported 3 times)
  description: PID 4468 wrote to memory of 4728; pid 4468; Process rundll32.exe; procid_target 85 (reported 3 times)
Processes (indentation shows the parent/child depth reported by the sandbox)
- [1] C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6ed2cd0ad3af207c3b07e8f0ae43df89001f516e4edfab090bb2283a9bf4875d.dll,#1
  PID: 4904
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6ed2cd0ad3af207c3b07e8f0ae43df89001f516e4edfab090bb2283a9bf4875d.dll,#1
    PID: 4468
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\rundll32mgr.exe
      command line: C:\Windows\SysWOW64\rundll32mgr.exe
      PID: 4728
      - Executes dropped EXE
      - [4] C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4728 -s 264
        PID: 4720
        - Program crash
    - [3] C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 696
      PID: 4248
      - Program crash
- [1] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4728 -ip 4728
  PID: 3444
- [1] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4468 -ip 4468
  PID: 2352
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 221KB
  MD5: ce0c184845b7fcfffeb671f7f992a177
  SHA1: 41f7d4b9ddac19ba5cd10e4a4aff5168d4443171
  SHA256: 2c576d543410c985df7b044ef8dc203c0846016d16a5785d67556d3a85b86a96
  SHA512: f41dc07ba2fa14a612dbf2d17b511b34413d6eae6af82ec5d5c44bf7c2b9a29b74e4eb436853c0618451f06a75f0b96078a66f715a6041f55fb697aef7d160ac
- Filesize: 221KB
  MD5: ce0c184845b7fcfffeb671f7f992a177
  SHA1: 41f7d4b9ddac19ba5cd10e4a4aff5168d4443171
  SHA256: 2c576d543410c985df7b044ef8dc203c0846016d16a5785d67556d3a85b86a96
  SHA512: f41dc07ba2fa14a612dbf2d17b511b34413d6eae6af82ec5d5c44bf7c2b9a29b74e4eb436853c0618451f06a75f0b96078a66f715a6041f55fb697aef7d160ac