Analysis
  max time kernel:   264s
  max time network:  362s
  platform:          windows10-2004_x64
  resource:          win10v2004-20221111-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         05/12/2022, 17:54
Static task
  static1
Behavioral task
  behavioral1
  Sample:   b221dc624e5fe9e277de1b71d24d739e1afb5292a14a76dacc5bb86856fe8d0c.dll
  Resource: win7-20220901-en
Behavioral task
  behavioral2
  Sample:   b221dc624e5fe9e277de1b71d24d739e1afb5292a14a76dacc5bb86856fe8d0c.dll
  Resource: win10v2004-20221111-en
General
  Target: b221dc624e5fe9e277de1b71d24d739e1afb5292a14a76dacc5bb86856fe8d0c.dll
  Size:   53KB
  MD5:    0d4d4a2a8c6708388fbe5e6629494426
  SHA1:   e48cbb3fa40dac6680839a60f465da7f72251fba
  SHA256: b221dc624e5fe9e277de1b71d24d739e1afb5292a14a76dacc5bb86856fe8d0c
  SHA512: b1999ad5344f65e2925548baa14e1eea3d815705ef44ca64c1a8b42a5667da8e45970570b02616e0c4233851c61e93a7a33db645d97ac9a1dc24ca814c1f636e
  SSDEEP: 768:T/k0hbl6VPrPmORgj46Z/wrOjOFwJxkEXkRJ8NeJRCvCuovQrSmLBfQFwLS:Npl6VzPRt6RGw0PRCvCuo0S6YFn
Malware Config
Signatures

Suspicious use of SetThreadContext (1 IoC)
  description                  pid   Process       procid_target
  PID 2940 set thread context  2940  rundll32.exe  4500 (target PID, procid 81)

Suspicious use of WriteProcessMemory (7 IoCs)
  description                      pid   Process       procid_target
  PID 3556 wrote to memory of 2940  3556  rundll32.exe  78
  PID 3556 wrote to memory of 2940  3556  rundll32.exe  78
  PID 3556 wrote to memory of 2940  3556  rundll32.exe  78
  PID 2940 wrote to memory of 4500  2940  rundll32.exe  81
  PID 2940 wrote to memory of 4500  2940  rundll32.exe  81
  PID 2940 wrote to memory of 4500  2940  rundll32.exe  81
  PID 2940 wrote to memory of 4500  2940  rundll32.exe  81
Processes

[1] C:\Windows\system32\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b221dc624e5fe9e277de1b71d24d739e1afb5292a14a76dacc5bb86856fe8d0c.dll,#1
    PID: 3556
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b221dc624e5fe9e277de1b71d24d739e1afb5292a14a76dacc5bb86856fe8d0c.dll,#1
      PID: 2940
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\svchost.exe
        command line: svchost.exe
        PID: 4500

[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2940 -ip 2940
    PID: 5048