Analysis
- max time kernel: 204s
- max time network: 220s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07/12/2022, 02:19
Static task
- static1
Behavioral task
- behavioral1
  Sample: e692c4593da53a8a1904ddb8997a79b93586da21d535dfa154eec7d793caaa21.dll
  Resource: win7-20220901-en
Behavioral task
- behavioral2
  Sample: e692c4593da53a8a1904ddb8997a79b93586da21d535dfa154eec7d793caaa21.dll
  Resource: win10v2004-20220812-en
General
- Target: e692c4593da53a8a1904ddb8997a79b93586da21d535dfa154eec7d793caaa21.dll
- Size: 2.5MB
- MD5: dd2015d972dc667508e5c988cfe71975
- SHA1: b376ecaf884603f82d08f9e49009d5e17ec490c6
- SHA256: e692c4593da53a8a1904ddb8997a79b93586da21d535dfa154eec7d793caaa21
- SHA512: 75fb7716c9523b9526b6269912feb34cda5fbcc0721f4d454136a5170c282dda93ea41a34b714bf18e2aa9201790b78c798a2d2cad569cbf04cb514602ecfddd
- SSDEEP: 24576:/8Vt/V7OV1dk1S1GW9pll6yjNQHHAX6g08vkZVhvkZl:/kt/VSQS1GWXlMyE66z8ELEl
Malware Config
Signatures
- Loads dropped DLL (2 IoCs)
  PID   Process
  4988  rundll32.exe
  4988  rundll32.exe
- Drops file in System32 directory (4 IoCs)
  Description                    IoC                            Process
  File created                   C:\Windows\SysWOW64\hknms.sys  rundll32.exe
  File opened for modification   C:\Windows\SysWOW64\hknms.sys  rundll32.exe
  File created                   C:\Windows\SysWOW64\winio.vxd  rundll32.exe
  File created                   C:\Windows\SysWOW64\WinIo.dll  rundll32.exe
  Note: WinIo.dll and winio.vxd are the file names of the WinIo direct hardware-access library (a user-mode DLL and a Win9x VxD, normally shipped together with an NT kernel driver). The report does not identify hknms.sys beyond its path, and does not say which driver the LoadsDriver signature below refers to.
- Suspicious behavior: LoadsDriver (1 IoC)
  PID  Process
  648  Process not Found
- Suspicious use of SetWindowsHookEx (1 IoC)
  PID   Process
  4988  rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Description                           PID   Process       procid_target
  PID 3088 wrote to memory of 4988      3088  rundll32.exe  64
  PID 3088 wrote to memory of 4988      3088  rundll32.exe  64
  PID 3088 wrote to memory of 4988      3088  rundll32.exe  64
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e692c4593da53a8a1904ddb8997a79b93586da21d535dfa154eec7d793caaa21.dll,#1
  PID: 3088
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (child of PID 3088)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e692c4593da53a8a1904ddb8997a79b93586da21d535dfa154eec7d793caaa21.dll,#1
    PID: 4988
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
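The process tree and signatures above describe one recognisable chain: the 64-bit rundll32.exe re-launches the sample through the SysWOW64 copy of rundll32.exe (the DLL exports its entry point by ordinal, `,#1`), the 32-bit child writes a .sys, a .vxd and a .dll into C:\Windows\SysWOW64, and the sandbox then records a dropped-DLL load and a driver load. The script below is an added example, not part of the tria.ge report, showing how that chain can be matched on endpoint telemetry. The event shape (Sysmon-like process, file_create, image_load and driver_load records) is an assumption, the sample events are constructed from the report's PIDs and paths, and the two load events name WinIo.dll and hknms.sys as targets only as an assumption, because the report itself does not say which DLL pid 4988 loaded or which driver was loaded.

```python
"""Flag the rundll32 -> SysWOW64 drop-and-load chain on Sysmon-like events.

Added example; the Event layout below is an assumption, not a tria.ge format.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass
class Event:
    kind: str            # "process" | "file_create" | "image_load" | "driver_load"
    pid: int             # acting process
    image: str           # full path of the acting process ("" if unknown)
    path: str = ""       # file written, or image/driver loaded
    parent_pid: int = 0  # only meaningful for kind == "process"
    cmdline: str = ""    # only meaningful for kind == "process"

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
DROP_EXTS = (".sys", ".dll", ".vxd")
# rundll32 invoked with an export ordinal: "...\something.dll,#1"
ORDINAL_CALL = re.compile(r"\.dll,#\d+\s*$", re.IGNORECASE)

Finding = Tuple[str, int, str]   # (rule, pid, detail)

def _basename(path: str) -> str:
    # ntpath handles backslash paths even when this runs on Linux/macOS.
    return ntpath.basename(path).lower()

def analyze(events: List[Event]) -> List[Finding]:
    """Walk events in order and return the findings they trigger."""
    findings: List[Finding] = []
    procs: Dict[int, Event] = {}     # pid -> its process event
    dropped: Dict[str, int] = {}     # lower-cased path -> pid that wrote it

    for e in events:
        actor = _basename(e.image)
        if e.kind == "process":
            procs[e.pid] = e
            parent = procs.get(e.parent_pid)
            # 64-bit rundll32 handing a 32-bit DLL to the SysWOW64 rundll32.
            if (actor == "rundll32.exe" and parent is not None
                    and _basename(parent.image) == "rundll32.exe"
                    and e.image.lower().startswith(SYSTEM_DIRS[1])):
                findings.append(("rundll32 re-spawned under SysWOW64", e.pid, e.cmdline))
            # rundll32 calling an export by ordinal from the user's temp dir.
            if (actor == "rundll32.exe" and ORDINAL_CALL.search(e.cmdline)
                    and "\\appdata\\local\\temp\\" in e.cmdline.lower()):
                findings.append(("rundll32 calls export by ordinal from user temp", e.pid, e.cmdline))
        elif e.kind == "file_create":
            # rundll32 is not an installer; a driver/DLL landing in a system
            # directory from it is worth a finding on its own.
            if (actor == "rundll32.exe" and e.path.lower().startswith(SYSTEM_DIRS)
                    and e.path.lower().endswith(DROP_EXTS)):
                findings.append(("rundll32 wrote binary into system directory", e.pid, e.path))
                dropped[e.path.lower()] = e.pid
        elif e.kind in ("image_load", "driver_load"):
            # Correlate loads against files written earlier in the same trace.
            writer = dropped.get(e.path.lower())
            if writer is not None:
                findings.append((f"{e.kind} of file dropped by pid {writer}", e.pid, e.path))
    return findings

# Constructed sample modelled on the report (PIDs 3088/4988, SysWOW64 drops).
SAMPLE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
          "e692c4593da53a8a1904ddb8997a79b93586da21d535dfa154eec7d793caaa21.dll")
RUNDLL_64 = "C:\\Windows\\system32\\rundll32.exe"
RUNDLL_32 = "C:\\Windows\\SysWOW64\\rundll32.exe"
SAMPLE_EVENTS = [
    Event("process", 3088, RUNDLL_64, cmdline=f"rundll32.exe {SAMPLE},#1"),
    Event("process", 4988, RUNDLL_32, parent_pid=3088, cmdline=f"rundll32.exe {SAMPLE},#1"),
    Event("file_create", 4988, RUNDLL_32, path="C:\\Windows\\SysWOW64\\hknms.sys"),
    Event("file_create", 4988, RUNDLL_32, path="C:\\Windows\\SysWOW64\\winio.vxd"),
    Event("file_create", 4988, RUNDLL_32, path="C:\\Windows\\SysWOW64\\WinIo.dll"),
    # Assumption: the report does not name the loaded DLL or driver.
    Event("image_load", 4988, RUNDLL_32, path="C:\\Windows\\SysWOW64\\WinIo.dll"),
    Event("driver_load", 648, "", path="C:\\Windows\\SysWOW64\\hknms.sys"),
]

if __name__ == "__main__":
    for rule, pid, detail in analyze(SAMPLE_EVENTS):
        print(f"[{pid}] {rule}: {detail}")
```

The correlation step is the useful part: a single file write into SysWOW64 or a single rundll32 ordinal call each produces false positives on their own, but a file that rundll32 wrote and that is then loaded as an image or a driver within the same trace is rarely benign. On real Sysmon data the same logic maps onto event IDs 1 (process), 11 (file create), 7 (image load) and 6 (driver load).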
-
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 36KB
  MD5: b3b6289999a2762c7da8104e5f47f7ee
  SHA1: ea3bb66a6de13d86bd40a3005374d4cc9bbb1520
  SHA256: 73663dff8f7ac6ee85f9a7eeca762b002ee615c03b110e0bb64fc69f7b462565
  SHA512: 364d476f71df9b881c34687482e8524a23eaa95bfee5b799c98eaf633880e92ee11a1dbdeeddc3f2e00a8b9cddcb937d3f1b126091d65c2cf4f4e87bafd0d6e5
- Filesize: 36KB
  MD5: b3b6289999a2762c7da8104e5f47f7ee
  SHA1: ea3bb66a6de13d86bd40a3005374d4cc9bbb1520
  SHA256: 73663dff8f7ac6ee85f9a7eeca762b002ee615c03b110e0bb64fc69f7b462565
  SHA512: 364d476f71df9b881c34687482e8524a23eaa95bfee5b799c98eaf633880e92ee11a1dbdeeddc3f2e00a8b9cddcb937d3f1b126091d65c2cf4f4e87bafd0d6e5
  (Both entries carry identical digests; the page does not say which dropped file they belong to or whether they come from the win7 and win10 tasks respectively.)