Analysis
- max time kernel: 186s
- max time network: 199s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20221111-en locale:en-us os:windows10-2004-x64 system
- submitted: 04/12/2022, 02:31
Static task: static1
Behavioral task: behavioral1
- Sample: 11c8085ec0bfc6dac3254f7f4c34b7a82f62f6970c65ec063d50db7d527e5be0.dll
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: 11c8085ec0bfc6dac3254f7f4c34b7a82f62f6970c65ec063d50db7d527e5be0.dll
- Resource: win10v2004-20221111-en
General
- Target: 11c8085ec0bfc6dac3254f7f4c34b7a82f62f6970c65ec063d50db7d527e5be0.dll
- Size: 180KB
- MD5: cd67d3e20a6763b2380627b747d5f450
- SHA1: 37c49e5454bddd0fc8da6c64974f753f2061e83a
- SHA256: 11c8085ec0bfc6dac3254f7f4c34b7a82f62f6970c65ec063d50db7d527e5be0
- SHA512: e80205c50b62213188c3096aacb73293184f114ebbdf02e9f9cf97122780f7a164a609862586665d49bae29d2a8c4dd8b5f6a646556ed055a2453dc7b8f8f617
- SSDEEP: 3072:Cn4cV8gf2u41Z5tKlI1I+hcj0B/pTBpwtqrFZz63vB24FXnHKP:I4y8gOl2+6A20BtXfWvBlFXnHKP
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid  | Process
  1524 | rundll32Srv.exe
- resource | yara_rule
  behavioral2/files/0x0006000000022e59-135.dat | upx
  behavioral2/files/0x0006000000022e59-136.dat | upx
  behavioral2/memory/1524-137-0x0000000000400000-0x000000000045B000-memory.dmp | upx
- Drops file in System32 directory (1 IoC)
  description  | ioc                                  | Process
  File created | C:\Windows\SysWOW64\rundll32Srv.exe | rundll32.exe
- Program crash (2 IoCs)
  pid  | pid_target | Process      | procid_target
  544  | 1524       | WerFault.exe | 83
  4600 | 1524       | WerFault.exe | 83
- Suspicious use of WriteProcessMemory (9 IoCs)
  description                       | pid  | Process         | procid_target
  PID 2896 wrote to memory of 3792  | 2896 | rundll32.exe    | 82
  PID 2896 wrote to memory of 3792  | 2896 | rundll32.exe    | 82
  PID 2896 wrote to memory of 3792  | 2896 | rundll32.exe    | 82
  PID 3792 wrote to memory of 1524  | 3792 | rundll32.exe    | 83
  PID 3792 wrote to memory of 1524  | 3792 | rundll32.exe    | 83
  PID 3792 wrote to memory of 1524  | 3792 | rundll32.exe    | 83
  PID 1524 wrote to memory of 544   | 1524 | rundll32Srv.exe | 85
  PID 1524 wrote to memory of 544   | 1524 | rundll32Srv.exe | 85
  PID 1524 wrote to memory of 544   | 1524 | rundll32Srv.exe | 85
Processes
- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\11c8085ec0bfc6dac3254f7f4c34b7a82f62f6970c65ec063d50db7d527e5be0.dll,#1
  PID: 2896
  signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\11c8085ec0bfc6dac3254f7f4c34b7a82f62f6970c65ec063d50db7d527e5be0.dll,#1
    PID: 3792
    signatures: Drops file in System32 directory; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32Srv.exe
      command line: C:\Windows\SysWOW64\rundll32Srv.exe
      PID: 1524
      signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1524 -s 268
        PID: 544
        signatures: Program crash
      - C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1524 -s 268
        PID: 4600
        signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 1524 -ip 1524
  PID: 1052
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 90KB
  MD5: 91b07c6f70654a26ca1cd8cde6fb2a7e
  SHA1: 789629859ed76191432fd7ab40cfa0487b580a6e
  SHA256: 37417b870c644d70c09c773b828dbb451e33d4e74df2f66d9698ae090d240d15
  SHA512: 077b62709e40c66304429acae5cccb953affa59791f2139d0b0e3e8a4610d38aa5dd6a44d9c857220245a9e746fb980a5dd0966d8b2795313ca7b6deeafd1dd2