Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis

- max time kernel: 196s
- max time network: 205s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07/12/2022, 02:20
Static task: static1

Behavioral task: behavioral1
- Sample: e732d4eac01e6d955e9df066894ab7dd7096679bdfc5be67bce12843633cebf8.dll
- Resource: win7-20220901-en

Behavioral task: behavioral2
- Sample: e732d4eac01e6d955e9df066894ab7dd7096679bdfc5be67bce12843633cebf8.dll
- Resource: win10v2004-20220812-en
General

- Target: e732d4eac01e6d955e9df066894ab7dd7096679bdfc5be67bce12843633cebf8.dll
- Size: 27KB
- MD5: d70de7cfd9cb6f135a7d4c0823ec88e0
- SHA1: b2e71ca661e19b256dd92db34ea81f055276815a
- SHA256: e732d4eac01e6d955e9df066894ab7dd7096679bdfc5be67bce12843633cebf8
- SHA512: 09a56eaf38b443096914d913169b83082169c2d38ceca4093e1df54bb049ff4cff05cb2fe864867599736a8bda408edbdae20d07cdef8ce966ebae96604a2d77
- SSDEEP: 384:1/yASy0m2N4tlJQNPi20Q/IdPc8zuP1XUSHVqmTbDOJBpbmXwkIvuwHjCYe:S0lJwPi5Q/IVZuiSHVqmiVmf2e
Malware Config
Signatures

- Blocklisted process makes network request (13 IoCs)
  flow  pid   Process
  18    1296  rundll32.exe
  19    1296  rundll32.exe
  20    1296  rundll32.exe
  21    1296  rundll32.exe
  22    1296  rundll32.exe
  23    1296  rundll32.exe
  24    1296  rundll32.exe
  25    1296  rundll32.exe
  26    1296  rundll32.exe
  27    1296  rundll32.exe
  28    1296  rundll32.exe
  29    1296  rundll32.exe
  30    1296  rundll32.exe

- Sets service image path in registry (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\4054360514\ImagePath = "\\systemroot\\4054360514"
  Process: rundll32.exe

- Suspicious behavior: LoadsDriver (1 IoC)
  pid: 1296
  Process: rundll32.exe

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeLoadDriverPrivilege
  pid: 1296
  Process: rundll32.exe

- Suspicious use of WriteProcessMemory (3 IoCs)
  description                        pid   Process       procid_target
  PID 5064 wrote to memory of 1296   5064  rundll32.exe  79
  PID 5064 wrote to memory of 1296   5064  rundll32.exe  79
  PID 5064 wrote to memory of 1296   5064  rundll32.exe  79
Processes

- C:\Windows\system32\rundll32.exe (PID 5064)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e732d4eac01e6d955e9df066894ab7dd7096679bdfc5be67bce12843633cebf8.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 1296), child of PID 5064
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e732d4eac01e6d955e9df066894ab7dd7096679bdfc5be67bce12843633cebf8.dll,#1
    - Blocklisted process makes network request
    - Sets service image path in registry
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
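The signatures and process tree above describe one chain: a rundll32.exe instance invoked with an export ordinal registers a service named 4054360514 whose ImagePath points at an extension-less file directly under \systemroot, enables SeLoadDriverPrivilege, loads a driver, and makes 13 outbound requests. The following is an added example, not part of the tria.ge report: a Python scorer that correlates service-ImagePath writes with the writer's privilege, driver-load and network activity, run over constructed Sysmon-style events built from the report's IoCs. The event field names, the shortened DLL name sample.dll, and the pids and parent pids given to services.exe and the first rundll32.exe are the author's assumptions, not values from the report.

```python
"""Score service-ImagePath registry writes against surrounding process activity.

Added example, not tria.ge code. Events are constructed from the IoCs in this
report; the field names are the author's own, not a real Sysmon or EDR schema.
"""
import re
from collections import Counter, defaultdict

SAMPLE_EVENTS = [
    # assumed pids/ppids for the SCM and the first rundll32 (not from the report)
    {"type": "process_create", "pid": 700, "ppid": 500,
     "image": r"C:\Windows\System32\services.exe",
     "cmdline": r"C:\Windows\System32\services.exe"},
    {"type": "process_create", "pid": 5064, "ppid": 3500,
     "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\sample.dll,#1"},
    {"type": "process_create", "pid": 1296, "ppid": 5064,
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\sample.dll,#1"},
    {"type": "registry_set", "pid": 1296,
     "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\4054360514\ImagePath",
     "value": r"\systemroot\4054360514"},
    {"type": "privilege_adjust", "pid": 1296, "privilege": "SeLoadDriverPrivilege"},
    {"type": "driver_load", "pid": 1296},
    # the 13 flows (18..30) the report attributes to pid 1296
    *[{"type": "network_connect", "pid": 1296, "flow": n} for n in range(18, 31)],
    # benign control: the SCM writing an ordinary service path
    {"type": "registry_set", "pid": 700,
     "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Spooler\ImagePath",
     "value": r"%SystemRoot%\System32\spoolsv.exe"},
]

SERVICE_IMAGEPATH = re.compile(
    r"\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet\d+\\Services\\([^\\]+)\\ImagePath$",
    re.IGNORECASE)
ORDINAL_EXPORT = re.compile(r",#\d+\s*$")   # rundll32 foo.dll,#1
SERVICE_WRITERS = {"services.exe"}          # the SCM normally owns these keys
MIN_REASONS = 3                             # how many indicators before reporting


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return one finding per suspicious service ImagePath write."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    privs = defaultdict(set)
    for e in events:
        if e["type"] == "privilege_adjust":
            privs[e["pid"]].add(e["privilege"])
    loaders = {e["pid"] for e in events if e["type"] == "driver_load"}
    flows = Counter(e["pid"] for e in events if e["type"] == "network_connect")

    findings = []
    for e in events:
        if e["type"] != "registry_set":
            continue
        m = SERVICE_IMAGEPATH.match(e["key"])
        if not m:
            continue
        svc, path, pid = m.group(1), e["value"], e["pid"]
        writer = procs.get(pid)
        wname = basename(writer["image"]) if writer else "<unknown>"
        reasons = []
        # Naming pattern seen in this report: service and file are the same bare
        # number; real drivers are *.sys, usually under System32\drivers.
        if svc.isdigit():
            reasons.append("numeric service name")
        if "." not in basename(path) and basename(path) == svc.lower():
            reasons.append("ImagePath is an extension-less file named after the service")
        if path.lower().startswith("\\systemroot\\"):
            reasons.append("binary dropped directly under \\systemroot")
        if wname not in SERVICE_WRITERS:
            reasons.append(f"key written by {wname}, not the SCM")
        if wname == "rundll32.exe" and ORDINAL_EXPORT.search(writer["cmdline"]):
            reasons.append("writer is rundll32 invoking a DLL export by ordinal")
        if "SeLoadDriverPrivilege" in privs[pid]:
            reasons.append("same pid enabled SeLoadDriverPrivilege")
        if pid in loaders:
            reasons.append("same pid loaded a driver")
        if flows[pid]:
            reasons.append(f"same pid made {flows[pid]} network requests")
        if len(reasons) >= MIN_REASONS:
            findings.append({"service": svc, "image_path": path, "pid": pid,
                             "writer": wname, "network_flows": flows[pid],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[!] service {f['service']} -> {f['image_path']} "
              f"written by {f['writer']} (pid {f['pid']})")
        for r in f["reasons"]:
            print("    -", r)
```

Scoring rather than alerting on the registry write alone keeps the SCM's own ImagePath writes (the Spooler control event) silent while the rundll32 chain from this report trips every indicator. The 64-bit system32 rundll32.exe spawning a SysWOW64 rundll32.exe with the same command line is consistent with a 32-bit DLL being handed off to the 32-bit loader, so the detection keys on the child that actually writes the service key rather than on the parent.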