Analysis
- max time kernel: 177s
- max time network: 187s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04/12/2022, 14:38
Static task
- static1

Behavioral task
- behavioral1
  - Sample: da6952e3fcbce9afd0c372255600fb6f8325adbf66761868e6fb9576de406a63.dll
  - Resource: win7-20221111-en

Behavioral task
- behavioral2
  - Sample: da6952e3fcbce9afd0c372255600fb6f8325adbf66761868e6fb9576de406a63.dll
  - Resource: win10v2004-20220812-en
General
- Target: da6952e3fcbce9afd0c372255600fb6f8325adbf66761868e6fb9576de406a63.dll
- Size: 264KB
- MD5: 82d91ef8289b7f0aea4edc94d2d07bbe
- SHA1: 30b165eda18b8d148fbf7d7815bcb62a9a128ba0
- SHA256: da6952e3fcbce9afd0c372255600fb6f8325adbf66761868e6fb9576de406a63
- SHA512: 63d9821d168488be466f3372567b7358217993447daeec539fdd41b941415bc9be6beb599110ebee3fa849094777f03c0494fffcfb5e042219666a9c9090a368
- SSDEEP: 3072:1vcaf7lTZU5fPCfe8NiNj6agpoXlWpOuN5gX8ZelR0lYudOQUFDHq/K7K03oSErO:JbeWFpSWptgXXITUFDPK+oSEAK
Malware Config
Signatures
- Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 1 IoC)
  - description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\admggxp = "{034980BA-0FAD-4A1B-927D-EFDABD4FA96C}"
    process: rundll32.exe
- Modifies registry class (5 IoCs)
  - description: Key created
    ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{034980BA-0FAD-4A1B-927D-EFDABD4FA96C}\InProcServer32
    process: rundll32.exe
  - description: Key created
    ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node
    process: rundll32.exe
  - description: Key created
    ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID
    process: rundll32.exe
  - description: Key created
    ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{034980BA-0FAD-4A1B-927D-EFDABD4FA96C}
    process: rundll32.exe
  - description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{034980BA-0FAD-4A1B-927D-EFDABD4FA96C}\InProcServer32\ = "C:\\Windows\\admggxp.dll"
    process: rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  - description: PID 2280 wrote to memory of 4928
    pid: 2280
    process: rundll32.exe
    procid_target: 78
  - description: PID 2280 wrote to memory of 4928
    pid: 2280
    process: rundll32.exe
    procid_target: 78
  - description: PID 2280 wrote to memory of 4928
    pid: 2280
    process: rundll32.exe
    procid_target: 78
Processes
- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\da6952e3fcbce9afd0c372255600fb6f8325adbf66761868e6fb9576de406a63.dll,#1
  PID: 2280
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\da6952e3fcbce9afd0c372255600fb6f8325adbf66761868e6fb9576de406a63.dll,#1
    PID: 4928
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Modifies registry class