Analysis
  max time kernel:  130s
  max time network: 148s
  platform:         windows10-2004_x64
  resource:         win10v2004-20220812-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        04/12/2022, 02:01
Static task: static1

Behavioral task: behavioral1
  Sample:   a95bd73e6a5d85b0917df4e6ce4c407c6a9b677e9d3da2a998b0de804e91c2c8.dll
  Resource: win7-20221111-en

Behavioral task: behavioral2
  Sample:   a95bd73e6a5d85b0917df4e6ce4c407c6a9b677e9d3da2a998b0de804e91c2c8.dll
  Resource: win10v2004-20220812-en
General
  Target: a95bd73e6a5d85b0917df4e6ce4c407c6a9b677e9d3da2a998b0de804e91c2c8.dll
  Size:   180KB
  MD5:    f9a0fd9594d9b8573c53772bc15d11e0
  SHA1:   492c0faad24bcd6ca6a362edd2f21f624d1645bd
  SHA256: a95bd73e6a5d85b0917df4e6ce4c407c6a9b677e9d3da2a998b0de804e91c2c8
  SHA512: 4e4a1a064c5518005647891576af1564db473f6d6b7335fcb5386dcb6bc581eadfd0a300129fbb545bbf2f5ed31cfcfd9e42c88b5b8f532b9197b297d3e75d3f
  SSDEEP: 3072:en4cV8gf2u41Z5tKlH7CzACLtRk3OwquXvz7+IGqEJuj:M4y8gOl2xMA2X5uX7VGjJuj
Malware Config
Signatures
Executes dropped EXE  (1 IoCs)
  pid   Process
  396   rundll32Srv.exe

YARA rule matches
  resource                                                                      yara_rule
  behavioral2/files/0x001b00000001d9f9-135.dat                                  upx
  behavioral2/files/0x001b00000001d9f9-136.dat                                  upx
  behavioral2/memory/396-137-0x0000000000400000-0x000000000045A000-memory.dmp   upx

Drops file in System32 directory  (1 IoCs)
  description    ioc                                    Process
  File created   C:\Windows\SysWOW64\rundll32Srv.exe    rundll32.exe

Program crash  (2 IoCs)
  pid    pid_target   Process        procid_target
  1116   396          WerFault.exe   81
  4908   396          WerFault.exe   81

Suspicious use of WriteProcessMemory  (9 IoCs)
  description                         pid    Process           procid_target
  PID 3356 wrote to memory of 4872    3356   rundll32.exe      80
  PID 3356 wrote to memory of 4872    3356   rundll32.exe      80
  PID 3356 wrote to memory of 4872    3356   rundll32.exe      80
  PID 4872 wrote to memory of 396     4872   rundll32.exe      81
  PID 4872 wrote to memory of 396     4872   rundll32.exe      81
  PID 4872 wrote to memory of 396     4872   rundll32.exe      81
  PID 396 wrote to memory of 1116     396    rundll32Srv.exe   85
  PID 396 wrote to memory of 1116     396    rundll32Srv.exe   85
  PID 396 wrote to memory of 1116     396    rundll32Srv.exe   85
Processes
  [1] C:\Windows\system32\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a95bd73e6a5d85b0917df4e6ce4c407c6a9b677e9d3da2a998b0de804e91c2c8.dll,#1
      PID: 3356
      - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\rundll32.exe
        Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a95bd73e6a5d85b0917df4e6ce4c407c6a9b677e9d3da2a998b0de804e91c2c8.dll,#1
        PID: 4872
        - Drops file in System32 directory
        - Suspicious use of WriteProcessMemory
      [3] C:\Windows\SysWOW64\rundll32Srv.exe
          Command line: C:\Windows\SysWOW64\rundll32Srv.exe
          PID: 396
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory
        [4] C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 396 -s 268
            PID: 1116
            - Program crash
        [4] C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 396 -s 268
            PID: 4908
            - Program crash
  [1] C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 396 -ip 396
      PID: 532
Network
MITRE ATT&CK Matrix
Downloads
  Filesize: 90KB
  MD5:      dba1231fa077c41836df91398093d5a8
  SHA1:     9bd1adff712907f1cbff38194e7229af5d9b2938
  SHA256:   10576d998ccc0c450ac3bb8199eda18f5dd01336101eb1cfe357f33b520b5f0a
  SHA512:   ec8f9d266a926010b94cb244e2ef90704a1209cafa18d80af9637fa81d56a929aa2a9d4ebbdd1b86a1d9cf632ddbd0f0f86e5894aa8248784518f2153e509a1f

  Filesize: 90KB
  MD5:      dba1231fa077c41836df91398093d5a8
  SHA1:     9bd1adff712907f1cbff38194e7229af5d9b2938
  SHA256:   10576d998ccc0c450ac3bb8199eda18f5dd01336101eb1cfe357f33b520b5f0a
  SHA512:   ec8f9d266a926010b94cb244e2ef90704a1209cafa18d80af9637fa81d56a929aa2a9d4ebbdd1b86a1d9cf632ddbd0f0f86e5894aa8248784518f2153e509a1f