Analysis
max time kernel: 36s
max time network: 45s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 01/12/2022, 04:59
Static task: static1
Behavioral task: behavioral1
  Sample: 3d330ceb27410d4c6817da8e3b38b9b30787509f38d5bc7cf53eb9edebe3f1f9.dll
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 3d330ceb27410d4c6817da8e3b38b9b30787509f38d5bc7cf53eb9edebe3f1f9.dll
  Resource: win10v2004-20220901-en
General
Target: 3d330ceb27410d4c6817da8e3b38b9b30787509f38d5bc7cf53eb9edebe3f1f9.dll
Size: 505KB
MD5: 68ca1684637bb6a0a031ffb664b72350
SHA1: 080627ec95f49d7c69887f793341705c79ec3872
SHA256: 3d330ceb27410d4c6817da8e3b38b9b30787509f38d5bc7cf53eb9edebe3f1f9
SHA512: 2d40028de05d759a162ee6a20f878d308fea0eb5f6a7d367b84c2558f7b6f3ac02fd1e9256cc3575cbc7ebdc1a6d3d938eb08532cc7c8b2f04079bda93af4298
SSDEEP: 12288:6eptOQvOSB/tpjbdAWFqNQTJBhHniXwvV:FjOSBtdbdRN9BsXw9
Malware Config
Signatures
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. This heuristic is generic (installers, backup agents and disk utilities trigger it as well), so it should be weighed together with the rundll32 process tree below rather than on its own.
Suspicious use of AdjustPrivilegeToken (1 IoC)
Token             PID   Process
SeDebugPrivilege  1952  rundll32.exe
Suspicious use of WriteProcessMemory (14 IoCs; identical rows collapsed, count in the last column)
Source PID  Source process  Target PID  procid_target  Count
1460        rundll32.exe    1952        26             7
1952        rundll32.exe    996         27             7
Processes
1. C:\Windows\system32\rundll32.exe (PID 1460)
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3d330ceb27410d4c6817da8e3b38b9b30787509f38d5bc7cf53eb9edebe3f1f9.dll,#1
   Signatures: Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe (PID 1952), child of 1460
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3d330ceb27410d4c6817da8e3b38b9b30787509f38d5bc7cf53eb9edebe3f1f9.dll,#1
      Signatures: Suspicious use of AdjustPrivilegeToken, Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\rundll32.exe (PID 996), child of 1952
         Command line: "C:\Windows\SysWOW64\rundll32.exe" 2

The first hop (system32 to SysWOW64 with an identical command line) is the 64-bit rundll32 handing a 32-bit DLL to its 32-bit counterpart and is expected on x64 Windows. The third process is the one to look at: it is started with no DLL,export argument, so it has no legitimate work of its own, yet the sample's rundll32 (PID 1952) enables SeDebugPrivilege and writes into it.
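The triage logic sketched above, written out as an added example (not part of the tria.ge report and not tria.ge tooling): it parses the report's flattened WriteProcessMemory rows, rebuilds the three-process tree from the data on this page, ignores the expected system32 to SysWOW64 redirection hop, and flags the argument-less rundll32 child plus the SeDebugPrivilege grant. The process table, the repeated WriteProcessMemory text and the token event are constructed from the report; the finding names are this example's own.

```python
"""Triage a sandbox process tree for the rundll32 injection pattern seen in this report.

Added example: not part of the tria.ge report and not tria.ge tooling. The inputs below
are constructed from the report's own process tree, WriteProcessMemory rows and token event.
"""
import re
from collections import Counter

# Constructed from the report's process tree: pid -> (parent pid, image path, command line).
SAMPLE_DLL = r"C:\Users\Admin\AppData\Local\Temp\3d330ceb27410d4c6817da8e3b38b9b30787509f38d5bc7cf53eb9edebe3f1f9.dll"
PROCESSES = {
    1460: (None, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {SAMPLE_DLL},#1"),
    1952: (1460, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {SAMPLE_DLL},#1"),
    996: (1952, r"C:\Windows\SysWOW64\rundll32.exe", r'"C:\Windows\SysWOW64\rundll32.exe" 2'),
}

# The report's 14 WriteProcessMemory rows, flattened the way the page renders them
# (each of the two distinct rows appears seven times), rebuilt here by repetition.
WPM_TEXT = ("PID 1460 wrote to memory of 1952 1460 rundll32.exe 26 " * 7
            + "PID 1952 wrote to memory of 996 1952 rundll32.exe 27 " * 7)

# The report's single AdjustPrivilegeToken row: (pid, process, privilege).
TOKEN_EVENTS = [(1952, "rundll32.exe", "SeDebugPrivilege")]

# Row layout: "PID <src> wrote to memory of <dst> <src> <process> <procid_target>"
WPM_ROW = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)")
# A legitimate rundll32 invocation carries "<something>.dll,<export or #ordinal>".
DLL_EXPORT_ARG = re.compile(r"\.dll\s*,\s*\S", re.IGNORECASE)


def parse_memory_writes(text):
    """Count WriteProcessMemory rows per (source pid, target pid) pair."""
    return Counter((int(src), int(dst)) for src, dst, _name, _idx in WPM_ROW.findall(text))


def lacks_dll_argument(cmdline):
    """True when a rundll32 command line has no '<dll>,<export>' argument to run."""
    return DLL_EXPORT_ARG.search(cmdline) is None


def is_wow64_hop(parent, child):
    """system32\\rundll32.exe re-launching the identical command line from SysWOW64 is the
    normal 32-bit redirection of a 32-bit DLL on 64-bit Windows, not injection."""
    p_img, p_cmd = parent[1].lower(), parent[2]
    c_img, c_cmd = child[1].lower(), child[2]
    return (p_img.endswith(r"\system32\rundll32.exe")
            and c_img.endswith(r"\syswow64\rundll32.exe")
            and p_cmd == c_cmd)


def triage(processes, writes, token_events):
    """Return sorted (finding, pid, detail) tuples for the injection pattern."""
    findings = []
    for pid, (ppid, image, cmd) in processes.items():
        if not image.lower().endswith("rundll32.exe"):
            continue
        parent = processes.get(ppid)
        if parent is not None and is_wow64_hop(parent, (ppid, image, cmd)):
            continue  # expected redirection hop, nothing to report
        if lacks_dll_argument(cmd):
            # The write count is context only: in this report the benign WOW64 hop shows
            # the same seven rows, so the missing DLL argument is the actual tell.
            written = writes.get((ppid, pid), 0)
            findings.append(("rundll32_without_dll_argument", pid,
                             f"spawned by {ppid}, {written} WriteProcessMemory rows from parent"))
    for pid, proc, priv in token_events:
        if priv == "SeDebugPrivilege" and proc.lower() == "rundll32.exe":
            findings.append(("sedebug_in_rundll32", pid, f"{proc} enabled {priv}"))
    return sorted(findings)


if __name__ == "__main__":
    for finding, pid, detail in triage(PROCESSES, parse_memory_writes(WPM_TEXT), TOKEN_EVENTS):
        print(f"{finding}: pid {pid} ({detail})")
```

Running it prints two findings: PID 996 as a rundll32 started without a DLL,export argument that received seven writes from its parent 1952, and PID 1952 for enabling SeDebugPrivilege. The WOW64 hop from 1460 to 1952 is deliberately skipped even though it shows the same number of WriteProcessMemory rows.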