Analysis
- max time kernel: 37s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 01/12/2022, 23:28
Behavioral task: behavioral1
- Sample: 5ff0f0f275f8705cc51c8c804093aa95d1d0313220f835fe3963dbdc5513c30a.dll
- Resource: win7-20220812-en

Behavioral task: behavioral2
- Sample: 5ff0f0f275f8705cc51c8c804093aa95d1d0313220f835fe3963dbdc5513c30a.dll
- Resource: win10v2004-20220901-en
General
- Target: 5ff0f0f275f8705cc51c8c804093aa95d1d0313220f835fe3963dbdc5513c30a.dll
- Size: 22KB
- MD5: a2396faf377c614f8640cbd11c872c22
- SHA1: 26649c4a62763cc28fc62da483eb5c47c815f911
- SHA256: 5ff0f0f275f8705cc51c8c804093aa95d1d0313220f835fe3963dbdc5513c30a
- SHA512: 003b0f3551dcf3eab48decdfdd815aed5dcce0e092b604d56714bdd8e9a8390cbf0eca2d59638f57a70335dd05af56f8fc49d2ef97b1592fa32a520a77ab5c74
- SSDEEP: 384:TeH+tWzlSDrb5+gIS3a2Oaa2pbNGJ38pPJv1TCAxAr6+S9Pfu7n5n:dtWurb6SOaVwYxv1TlxndeVn
Malware Config
Signatures
- Suspicious use of WriteProcessMemory (11 IoCs)

  description                           pid   Process       procid_target
  PID 1132 wrote to memory of 1664      1132  rundll32.exe  28
  PID 1132 wrote to memory of 1664      1132  rundll32.exe  28
  PID 1132 wrote to memory of 1664      1132  rundll32.exe  28
  PID 1132 wrote to memory of 1664      1132  rundll32.exe  28
  PID 1132 wrote to memory of 1664      1132  rundll32.exe  28
  PID 1132 wrote to memory of 1664      1132  rundll32.exe  28
  PID 1132 wrote to memory of 1664      1132  rundll32.exe  28
  PID 1664 wrote to memory of 1932      1664  rundll32.exe  29
  PID 1664 wrote to memory of 1932      1664  rundll32.exe  29
  PID 1664 wrote to memory of 1932      1664  rundll32.exe  29
  PID 1664 wrote to memory of 1932      1664  rundll32.exe  29
Processes (process tree, depth shown by indentation)
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5ff0f0f275f8705cc51c8c804093aa95d1d0313220f835fe3963dbdc5513c30a.dll,#1
  PID: 1132
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5ff0f0f275f8705cc51c8c804093aa95d1d0313220f835fe3963dbdc5513c30a.dll,#1
    PID: 1664
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\Wscript.exe
      Command line: Wscript.exe c:\windows\ime\vbs\pp.vbs
      PID: 1932