Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
178s -
max time network
250s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
01/12/2022, 10:22
Static task
static1
Behavioral task
behavioral1
Sample
6782096df96e79c66161440a1226f01f2b63880eef6356cdd759f6408d28cbfc.dll
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
6782096df96e79c66161440a1226f01f2b63880eef6356cdd759f6408d28cbfc.dll
Resource
win10v2004-20221111-en
General
-
Target
6782096df96e79c66161440a1226f01f2b63880eef6356cdd759f6408d28cbfc.dll
-
Size
610KB
-
MD5
8cd355ccd75ac1b337831911d5a226e4
-
SHA1
30a08f5a2b57c59099d54f261fbcfc15b8dc5a8e
-
SHA256
6782096df96e79c66161440a1226f01f2b63880eef6356cdd759f6408d28cbfc
-
SHA512
1f922771fcb5133bfb1b79ef6e978ce916fe6b1030fadb77a89e49241eefc9164d18a75218890e2260983dcc03e2f4a29159bc7f704bba86844049d19fbcdf94
-
SSDEEP
12288:TjG/5NwYkK19iOCr+TMoO30mYn0YaAsGhQHxM5DKTrH5eZQ2x:TjGAK19iOCr+TMoO30mYn0YaAstHxM51
Malware Config
Signatures
-
Blocklisted process makes network request 3 IoCs
flow pid Process 55 3320 rundll32.exe 63 3320 rundll32.exe 67 3320 rundll32.exe -
Sets DLL path for service in the registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\.Net CaLR\Parameters\ServiceDll = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6782096df96e79c66161440a1226f01f2b63880eef6356cdd759f6408d28cbfc.dll" rundll32.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation rundll32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeIncBasePriorityPrivilege 2188 rundll32.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 3844 wrote to memory of 2188 3844 rundll32.exe 80 PID 3844 wrote to memory of 2188 3844 rundll32.exe 80 PID 3844 wrote to memory of 2188 3844 rundll32.exe 80 PID 2284 wrote to memory of 3320 2284 svchost.exe 82 PID 2284 wrote to memory of 3320 2284 svchost.exe 82 PID 2284 wrote to memory of 3320 2284 svchost.exe 82 PID 2188 wrote to memory of 392 2188 rundll32.exe 86 PID 2188 wrote to memory of 392 2188 rundll32.exe 86 PID 2188 wrote to memory of 392 2188 rundll32.exe 86
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\6782096df96e79c66161440a1226f01f2b63880eef6356cdd759f6408d28cbfc.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:3844 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\6782096df96e79c66161440a1226f01f2b63880eef6356cdd759f6408d28cbfc.dll,#12⤵
- Sets DLL path for service in the registry
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\SysWOW64\rundll32.exe" > nul3⤵PID:392
-
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k ".Net CaLR"1⤵
- Suspicious use of WriteProcessMemory
PID:2284 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe c:\users\admin\appdata\local\temp\6782096df96e79c66161440a1226f01f2b63880eef6356cdd759f6408d28cbfc.dll, Launch2⤵
- Blocklisted process makes network request
PID:3320
-