Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    130s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/12/2022, 02:01

General

  • Target

    a95bd73e6a5d85b0917df4e6ce4c407c6a9b677e9d3da2a998b0de804e91c2c8.dll

  • Size

    180KB

  • MD5

    f9a0fd9594d9b8573c53772bc15d11e0

  • SHA1

    492c0faad24bcd6ca6a362edd2f21f624d1645bd

  • SHA256

    a95bd73e6a5d85b0917df4e6ce4c407c6a9b677e9d3da2a998b0de804e91c2c8

  • SHA512

    4e4a1a064c5518005647891576af1564db473f6d6b7335fcb5386dcb6bc581eadfd0a300129fbb545bbf2f5ed31cfcfd9e42c88b5b8f532b9197b297d3e75d3f

  • SSDEEP

    3072:en4cV8gf2u41Z5tKlH7CzACLtRk3OwquXvz7+IGqEJuj:M4y8gOl2xMA2X5uX7VGjJuj

Score
8/10
upx

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 1 IoCs
  • Program crash 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\a95bd73e6a5d85b0917df4e6ce4c407c6a9b677e9d3da2a998b0de804e91c2c8.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3356
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\a95bd73e6a5d85b0917df4e6ce4c407c6a9b677e9d3da2a998b0de804e91c2c8.dll,#1
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:4872
      • C:\Windows\SysWOW64\rundll32Srv.exe
        C:\Windows\SysWOW64\rundll32Srv.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:396
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 396 -s 268
          4⤵
          • Program crash
          PID:1116
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 396 -s 268
          4⤵
          • Program crash
          PID:4908
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 396 -ip 396
    1⤵
      PID:532

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\SysWOW64\rundll32Srv.exe

      Filesize

      90KB

      MD5

      dba1231fa077c41836df91398093d5a8

      SHA1

      9bd1adff712907f1cbff38194e7229af5d9b2938

      SHA256

      10576d998ccc0c450ac3bb8199eda18f5dd01336101eb1cfe357f33b520b5f0a

      SHA512

      ec8f9d266a926010b94cb244e2ef90704a1209cafa18d80af9637fa81d56a929aa2a9d4ebbdd1b86a1d9cf632ddbd0f0f86e5894aa8248784518f2153e509a1f

    • C:\Windows\SysWOW64\rundll32Srv.exe

      Filesize

      90KB

      MD5

      dba1231fa077c41836df91398093d5a8

      SHA1

      9bd1adff712907f1cbff38194e7229af5d9b2938

      SHA256

      10576d998ccc0c450ac3bb8199eda18f5dd01336101eb1cfe357f33b520b5f0a

      SHA512

      ec8f9d266a926010b94cb244e2ef90704a1209cafa18d80af9637fa81d56a929aa2a9d4ebbdd1b86a1d9cf632ddbd0f0f86e5894aa8248784518f2153e509a1f

    • memory/396-137-0x0000000000400000-0x000000000045A000-memory.dmp

      Filesize

      360KB

    • memory/4872-133-0x0000000010000000-0x000000001002E000-memory.dmp

      Filesize

      184KB