Analysis
- max time kernel: 133s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06/11/2022, 21:35
- Static task: static1
- Behavioral task behavioral1
  - Sample: 09160b694bfa0a3e19802d939c4905e6d4fcd68b87fafcfb0f1da881ac6c7687.dll
  - Resource: win7-20220812-en
- Behavioral task behavioral2
  - Sample: 09160b694bfa0a3e19802d939c4905e6d4fcd68b87fafcfb0f1da881ac6c7687.dll
  - Resource: win10v2004-20220812-en
General
- Target: 09160b694bfa0a3e19802d939c4905e6d4fcd68b87fafcfb0f1da881ac6c7687.dll
- Size: 148KB
- MD5: 0f7d100b93d684f36f2bac3bdca90eb0
- SHA1: f9a3512fccf26d264152c174324cfc978586115d
- SHA256: 09160b694bfa0a3e19802d939c4905e6d4fcd68b87fafcfb0f1da881ac6c7687
- SHA512: 9b72a639c9aa5a7096acd45ca553800a7d799bc868cc2820cbd8db501fc3fbb53d99a2caa82653762619badac9cd48019fcb626dbece484e95c3beb891886e5a
- SSDEEP: 3072:Cx73qAAdzsF+Q194ZvLEbFLur5Iz7al3fB9DtcRBzR6Rq1:AqAAdzbZvLkFLuqal3fB9OR1R6Ry
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid | Process
  4244 | rundll32mgr.exe
- UPX yara rule matches
  resource | yara_rule
  behavioral2/files/0x0006000000022e21-135.dat | upx
  behavioral2/files/0x0006000000022e21-134.dat | upx
  behavioral2/memory/4244-137-0x0000000000400000-0x0000000000456000-memory.dmp | upx
- Drops file in System32 directory (1 IoC)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\rundll32mgr.exe | rundll32.exe
- Program crash (2 IoCs)
  pid | pid_target | Process | procid_target
  3816 | 4244 | WerFault.exe | 81
  2108 | 4520 | WerFault.exe | 80
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 4460 wrote to memory of 4520 | 4460 | rundll32.exe | 80
  PID 4460 wrote to memory of 4520 | 4460 | rundll32.exe | 80
  PID 4460 wrote to memory of 4520 | 4460 | rundll32.exe | 80
  PID 4520 wrote to memory of 4244 | 4520 | rundll32.exe | 81
  PID 4520 wrote to memory of 4244 | 4520 | rundll32.exe | 81
  PID 4520 wrote to memory of 4244 | 4520 | rundll32.exe | 81
Processes (process tree; nesting shows parent/child relationship)
- C:\Windows\system32\rundll32.exe (PID 4460)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\09160b694bfa0a3e19802d939c4905e6d4fcd68b87fafcfb0f1da881ac6c7687.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 4520)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\09160b694bfa0a3e19802d939c4905e6d4fcd68b87fafcfb0f1da881ac6c7687.dll,#1
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32mgr.exe (PID 4244)
      Command line: C:\Windows\SysWOW64\rundll32mgr.exe
      - Executes dropped EXE
      - C:\Windows\SysWOW64\WerFault.exe (PID 3816)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4244 -s 264
        - Program crash
    - C:\Windows\SysWOW64\WerFault.exe (PID 2108)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 608
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 2900)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4244 -ip 4244
- C:\Windows\SysWOW64\WerFault.exe (PID 2316)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4520 -ip 4520
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 105KB
  MD5: 27761550031391c56a3a59d3cb7229a5
  SHA1: 643e456a5fb02a820e79e33fc66e8496f15e5955
  SHA256: b6b449ecd550692a3d8d5424e00885155e898d5cbbde98543a5b7b877073daab
  SHA512: 2aa9607f71e4cb99ab4ccabe33a5f192117b733306cd8d1f4f3054077572e522bc71e1eae679877b5554d0bc3c1281fd5bcf822a2da5da291e6630f65470d0d6