Analysis
max time kernel: 178s
max time network: 190s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/12/2022, 02:23
Static task: static1
Behavioral task: behavioral1
  Sample: 4a5da1b9494470a4e3c88894e294104c5437df989456b1209764a5b444652d02.dll
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 4a5da1b9494470a4e3c88894e294104c5437df989456b1209764a5b444652d02.dll
  Resource: win10v2004-20220812-en
General
Target: 4a5da1b9494470a4e3c88894e294104c5437df989456b1209764a5b444652d02.dll
Size: 180KB
MD5: b484124d84114eefed6e32e5b97de8a0
SHA1: 984c28db719cc975ad77f4e431e919b3cc7fc912
SHA256: 4a5da1b9494470a4e3c88894e294104c5437df989456b1209764a5b444652d02
SHA512: 438acc48ff2784f164ef49e33e5539fcd6d13b38289cac644f7339b9bf3a0f989e8d472c01fb6078e1b343a1ca90bf85322d4587bdd689aeb5c7e97422b31c88
SSDEEP: 3072:Kn4cV8gf2u41Z5tKl4xoaePShY+dWvVJQTUsqPa7sn3Dvo:w4y8gOl2dznvUIxa7UDvo
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  pid   Process
  4332  rundll32Srv.exe

yara_rule matches (3 IoCs)
  resource                                                                       yara_rule
  behavioral2/files/0x0006000000022e2f-135.dat                                   upx
  behavioral2/files/0x0006000000022e2f-136.dat                                   upx
  behavioral2/memory/4332-137-0x0000000000400000-0x000000000045B000-memory.dmp   upx

Drops file in System32 directory (1 IoC)
  description   ioc                                    Process
  File created  C:\Windows\SysWOW64\rundll32Srv.exe    rundll32.exe

Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  4712  4332        WerFault.exe  82

Suspicious use of WriteProcessMemory (6 IoCs)
  description                        pid   Process       procid_target
  PID 2856 wrote to memory of 5044   2856  rundll32.exe  80
  PID 2856 wrote to memory of 5044   2856  rundll32.exe  80
  PID 2856 wrote to memory of 5044   2856  rundll32.exe  80
  PID 5044 wrote to memory of 4332   5044  rundll32.exe  82
  PID 5044 wrote to memory of 4332   5044  rundll32.exe  82
  PID 5044 wrote to memory of 4332   5044  rundll32.exe  82
Processes

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4a5da1b9494470a4e3c88894e294104c5437df989456b1209764a5b444652d02.dll,#1
  PID: 2856
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4a5da1b9494470a4e3c88894e294104c5437df989456b1209764a5b444652d02.dll,#1
    PID: 5044
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32Srv.exe
      command line: C:\Windows\SysWOW64\rundll32Srv.exe
      PID: 4332
      - Executes dropped EXE
      C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 272
        PID: 4712
        - Program crash

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4332 -ip 4332
  PID: 1816
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 90KB
MD5: 91b07c6f70654a26ca1cd8cde6fb2a7e
SHA1: 789629859ed76191432fd7ab40cfa0487b580a6e
SHA256: 37417b870c644d70c09c773b828dbb451e33d4e74df2f66d9698ae090d240d15
SHA512: 077b62709e40c66304429acae5cccb953affa59791f2139d0b0e3e8a4610d38aa5dd6a44d9c857220245a9e746fb980a5dd0966d8b2795313ca7b6deeafd1dd2