Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
2s -
max time network
34s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system -
submitted
06/12/2022, 06:35
Static task
static1
Behavioral task
behavioral1
Sample
dfad3171659c959cbff470e5c3f531a067936427e29c7f2b4c7b73961cefab35.dll
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
dfad3171659c959cbff470e5c3f531a067936427e29c7f2b4c7b73961cefab35.dll
Resource
win10v2004-20221111-en
General
-
Target
dfad3171659c959cbff470e5c3f531a067936427e29c7f2b4c7b73961cefab35.dll
-
Size
872KB
-
MD5
6f4d1a91a7c28a62c5b2418e41ea4281
-
SHA1
03dc605be3edb6069a90190102389f7bb0be7163
-
SHA256
dfad3171659c959cbff470e5c3f531a067936427e29c7f2b4c7b73961cefab35
-
SHA512
5cfa1c46674124a3d5d6a0e7b1b44197d52bb2e687ac88064bce175b6e1ab32668292a355b2786e805a6b0f88475f43288aab81cf9dc82b514ea4b744c459212
-
SSDEEP
12288:4oSScBnDaAOeeO6kEAVokag6lIw48W0vOHzD:4oSR+zOnEuoLg6lB48W0vOHzD
Malware Config
Signatures
-
Program crash 1 IoCs
pid pid_target Process procid_target 1108 528 WerFault.exe 27 -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 528 rundll32.exe 528 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 528 rundll32.exe -
Suspicious use of SetWindowsHookEx 28 IoCs
pid Process 528 rundll32.exe 528 rundll32.exe 528 rundll32.exe 528 rundll32.exe 528 rundll32.exe 528 rundll32.exe 528 rundll32.exe 528 rundll32.exe 528 rundll32.exe 528 rundll32.exe 528 rundll32.exe 528 rundll32.exe 528 rundll32.exe 528 rundll32.exe 528 rundll32.exe 528 rundll32.exe 528 rundll32.exe 528 rundll32.exe 528 rundll32.exe 528 rundll32.exe 528 rundll32.exe 528 rundll32.exe 528 rundll32.exe 528 rundll32.exe 528 rundll32.exe 528 rundll32.exe 528 rundll32.exe 528 rundll32.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 1724 wrote to memory of 528 1724 rundll32.exe 27 PID 1724 wrote to memory of 528 1724 rundll32.exe 27 PID 1724 wrote to memory of 528 1724 rundll32.exe 27 PID 1724 wrote to memory of 528 1724 rundll32.exe 27 PID 1724 wrote to memory of 528 1724 rundll32.exe 27 PID 1724 wrote to memory of 528 1724 rundll32.exe 27 PID 1724 wrote to memory of 528 1724 rundll32.exe 27 PID 528 wrote to memory of 1108 528 rundll32.exe 28 PID 528 wrote to memory of 1108 528 rundll32.exe 28 PID 528 wrote to memory of 1108 528 rundll32.exe 28 PID 528 wrote to memory of 1108 528 rundll32.exe 28
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\dfad3171659c959cbff470e5c3f531a067936427e29c7f2b4c7b73961cefab35.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:1724 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\dfad3171659c959cbff470e5c3f531a067936427e29c7f2b4c7b73961cefab35.dll,#12⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:528 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 528 -s 3723⤵
- Program crash
PID:1108
-
-