Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 268s
- max time network: 335s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 06/12/2022, 21:02
Behavioral task behavioral1
- Sample: 9cefb72487c24dfda0465da7c8963f787615ff68f0928c54f2d054d2abc6095c.dll
- Resource: win7-20221111-en
Behavioral task behavioral2
- Sample: 9cefb72487c24dfda0465da7c8963f787615ff68f0928c54f2d054d2abc6095c.dll
- Resource: win10v2004-20221111-en
General
- Target: 9cefb72487c24dfda0465da7c8963f787615ff68f0928c54f2d054d2abc6095c.dll
- Size: 34KB
- MD5: a373861e371a8022447b6d5e144aaf3b
- SHA1: 57f6c299f26b9699f751595ef352c9627735dea5
- SHA256: 9cefb72487c24dfda0465da7c8963f787615ff68f0928c54f2d054d2abc6095c
- SHA512: bc37700bbef7cde9af3db2f7df2dd1f1dfd293fca20ed74f446ae3fc18460a5c6a023498af98e3303684153b2f72d0a3634cbd22133d8b0b6fb5ba29ef25a601
- SSDEEP: 768:pRl6y9NA4IrzfPNyfbIAZRe7MPDeYaxVf/6D4f:d660rjPm9K7swqD4f
Malware Config
Signatures
- ACProtect 1.3x - 1.4x DLL software (1 IoC)
  Detects file using ACProtect software.
  resource                                                                      yara_rule
  behavioral1/files/0x000b000000012335-59.dat                                   acprotect

- UPX yara_rule matches (5 IoCs)
  Both the dropped file and the mapped image at 0x10000000 in PIDs 892 and 1572 match the upx rule.
  resource                                                                      yara_rule
  behavioral1/memory/892-56-0x0000000010000000-0x000000001001D000-memory.dmp    upx
  behavioral1/files/0x000b000000012335-59.dat                                   upx
  behavioral1/memory/1572-60-0x0000000010000000-0x000000001001D000-memory.dmp   upx
  behavioral1/memory/892-61-0x0000000010000000-0x000000001001D000-memory.dmp    upx
  behavioral1/memory/1572-62-0x0000000010000000-0x000000001001D000-memory.dmp   upx
- Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
  NtSetInformationThread with the ThreadHideFromDebugger information class stops debug events for the calling thread from being delivered to an attached debugger; it is a common anti-analysis measure.
  pid    Process
  1572   rundll32.exe   (3 identical entries)
- Drops file in Windows directory (2 IoCs)
  description                   ioc                          Process
  File created                  C:\Windows\msremotex.dll     rundll32.exe
  File opened for modification  C:\Windows\msremotex.dll     rundll32.exe
- Modifies registry class (5 IoCs)
  description       ioc                                                                                                   Process
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID                                                  rundll32.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7B3AC3FA-B695-41b6-BAA0-860EB5EB6FD6}           rundll32.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7B3AC3FA-B695-41b6-BAA0-860EB5EB6FD6}\{F69EB73C-700A-42c9-8F9D-E8C4ABC27EF3} = "9cefb72487c24dfda0465da7c8963f787615ff68f0928c54f2d054d2abc6095c.dll,1308893781,1200269931,-1814625877"   rundll32.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}           rundll32.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32   rundll32.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid    Process
  1572   rundll32.exe   (64 identical entries)
- Suspicious use of WriteProcessMemory (14 IoCs)
  description                     pid   Process        procid_target
  PID 716 wrote to memory of 892  716   rundll32.exe   28    (7 identical entries)
  PID 892 wrote to memory of 1572 892   rundll32.exe   29    (7 identical entries)
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\9cefb72487c24dfda0465da7c8963f787615ff68f0928c54f2d054d2abc6095c.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 716
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\9cefb72487c24dfda0465da7c8963f787615ff68f0928c54f2d054d2abc6095c.dll,#1
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 892
    - C:\Windows\SysWOW64\rundll32.exe
      rundll32 "C:\Windows\msremotex.dll",_RunAs@16
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      PID: 1572
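The process tree and the signatures above describe one chain: the 64-bit rundll32.exe (PID 716) hands the 32-bit sample to C:\Windows\SysWOW64\rundll32.exe (PID 892, hence the Wow6432Node registry paths), which writes C:\Windows\msremotex.dll, registers a CLSID with an InProcServer32 subkey, and relaunches rundll32 on the dropped DLL through its _RunAs@16 export (PID 1572). The following detection logic is an added example, not part of the tria.ge report: it turns those observations into host-side checks and runs them over a constructed, Sysmon-like event list that mirrors the report (the Event class, the rule names, and the parent images are assumptions; only the paths, PIDs, CLSIDs and command lines come from the report).

```python
import ntpath
import re
from dataclasses import dataclass

# IOCs taken from the report above, normalised for case-insensitive comparison.
DROPPED_DLL = ntpath.normcase(r"C:\Windows\msremotex.dll")
CLSID_ROOT = ntpath.normcase(r"\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID")
IOC_CLSIDS = {
    "{7b3ac3fa-b695-41b6-baa0-860eb5eb6fd6}",
    "{fbeb8a05-beee-4442-804e-409d6c4515e9}",
}

# rundll32[.exe] <dll path, optionally quoted>,<export name or #ordinal>
RUNDLL_ARGS = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+)"?\s*,\s*(\S+)', re.IGNORECASE)


@dataclass
class Event:
    """Constructed, Sysmon-like event (hypothetical schema, not tria.ge's)."""
    kind: str           # "process" (EID 1), "file" (EID 11) or "registry" (EID 12)
    pid: int
    image: str          # image of the acting process
    target: str         # command line, created file path, or created registry key
    ppid: int = 0
    parent_image: str = ""


def is_rundll32(image: str) -> bool:
    return ntpath.basename(ntpath.normcase(image)) == "rundll32.exe"


def parse_rundll32_cmdline(cmdline: str):
    """Return (dll_path, export) from a rundll32 command line, or None."""
    m = RUNDLL_ARGS.search(cmdline)
    return (m.group(1), m.group(2)) if m else None


def check_drop_in_windows_dir(ev: Event):
    """rundll32 writing a DLL directly into C:\\Windows (the msremotex.dll drop)."""
    if ev.kind != "file" or not is_rundll32(ev.image):
        return None
    path = ntpath.normcase(ev.target)
    if ntpath.dirname(path) == ntpath.normcase(r"C:\Windows") and path.endswith(".dll"):
        return "dll-dropped-in-windows-root"
    return None


def check_clsid_registration(ev: Event):
    """rundll32 creating CLSID keys: exact IOC match first, then any InProcServer32."""
    if ev.kind != "registry" or not is_rundll32(ev.image):
        return None
    key = ntpath.normcase(ev.target)
    if not key.startswith(CLSID_ROOT + "\\"):
        return None
    clsid = key[len(CLSID_ROOT) + 1:].split("\\")[0]
    if clsid in IOC_CLSIDS:
        return "known-ioc-clsid"
    if key.endswith("\\inprocserver32"):
        return "com-inprocserver32-registered-by-rundll32"
    return None


def check_rundll32_chain(ev: Event):
    """rundll32 loading the dropped DLL, or rundll32->rundll32 by ordinal (#N)."""
    if ev.kind != "process" or not is_rundll32(ev.image):
        return None
    parsed = parse_rundll32_cmdline(ev.target)
    if not parsed:
        return None
    dll, export = parsed
    if ntpath.normcase(dll) == DROPPED_DLL:
        return "rundll32-loads-dropped-ioc-dll"
    if is_rundll32(ev.parent_image) and export.startswith("#"):
        return "rundll32-spawned-by-rundll32-ordinal-export"
    return None


CHECKS = (check_drop_in_windows_dir, check_clsid_registration, check_rundll32_chain)


def run_checks(events):
    """Apply every check to every event; returns [(pid, rule), ...] in event order."""
    hits = []
    for ev in events:
        for check in CHECKS:
            rule = check(ev)
            if rule:
                hits.append((ev.pid, rule))
    return hits


# Constructed events mirroring the report's process tree (parent images assumed).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\9cefb72487c24dfda0465da7c8963f787615ff68f0928c54f2d054d2abc6095c.dll"
RUNDLL64 = r"C:\Windows\system32\rundll32.exe"
RUNDLL32 = r"C:\Windows\SysWOW64\rundll32.exe"
EVENTS = [
    Event("process", 716, RUNDLL64, f"rundll32.exe {SAMPLE},#1", 600, r"C:\Windows\explorer.exe"),
    Event("process", 892, RUNDLL32, f"rundll32.exe {SAMPLE},#1", 716, RUNDLL64),
    Event("file", 892, RUNDLL32, r"C:\Windows\msremotex.dll"),
    Event("registry", 892, RUNDLL32,
          r"\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32"),
    Event("process", 1572, RUNDLL32, r'rundll32 "C:\Windows\msremotex.dll",_RunAs@16', 892, RUNDLL32),
    # benign control: Control Panel applet launch from Explorer, must not fire
    Event("process", 2000, RUNDLL64, "rundll32.exe shell32.dll,Control_RunDLL", 1200, r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for pid, rule in run_checks(EVENTS):
        print(f"PID {pid}: {rule}")
```

The ordinal-export rule is the weakest of the three: invoking a DLL as `,#1` is exactly how the sandbox itself starts the sample, so on its own it only says "a DLL with no named entry point was run from a rundll32 parent". The dropped-path and CLSID rules are the specific ones; the InProcServer32 fallback catches the same COM-registration behaviour under a CLSID the report does not list.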
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 34KB
- MD5: a373861e371a8022447b6d5e144aaf3b
- SHA1: 57f6c299f26b9699f751595ef352c9627735dea5
- SHA256: 9cefb72487c24dfda0465da7c8963f787615ff68f0928c54f2d054d2abc6095c
- SHA512: bc37700bbef7cde9af3db2f7df2dd1f1dfd293fca20ed74f446ae3fc18460a5c6a023498af98e3303684153b2f72d0a3634cbd22133d8b0b6fb5ba29ef25a601