Analysis
- max time kernel: 2s
- max time network: 24s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13/01/2023, 13:10
Static task
- static1

Behavioral task
- behavioral1
  Sample: 0a1a8b8e905bb43bf2af932fb3f5009c5cdaf5c77b4fbd1523da3199b29cfa48.dll
  Resource: win7-20220812-en

Behavioral task
- behavioral2
  Sample: 0a1a8b8e905bb43bf2af932fb3f5009c5cdaf5c77b4fbd1523da3199b29cfa48.dll
  Resource: win10v2004-20221111-en
General
- Target: 0a1a8b8e905bb43bf2af932fb3f5009c5cdaf5c77b4fbd1523da3199b29cfa48.dll
- Size: 87KB
- MD5: c71d3599b2e1af3475b804d4993ebfdb
- SHA1: 550fe8b49347165d80fa6ebb6953026a3bd6d072
- SHA256: 0a1a8b8e905bb43bf2af932fb3f5009c5cdaf5c77b4fbd1523da3199b29cfa48
- SHA512: 7171f97f13c3bb5a303d0b3b69d3f002661ca6d7838aa48f544791af00fc21510fef053e10230f876451473b32b543da436775026170f417ed2290da0b8f0d18
- SSDEEP: 1536:5z/Ni28bZPEfAAGnBHDp+5BC88quR5F6aXLAkSd0FqqRzrAh9EHi:5rNl8mKdd+SL6cLDNFq6VHi
Malware Config
Signatures
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  3300  rundll32.exe
  3300  rundll32.exe

- Suspicious use of WriteProcessMemory (6 IoCs)
  description                        pid   Process       procid_target
  PID 3300 wrote to memory of 2604   3300  rundll32.exe  45
  PID 3300 wrote to memory of 2788   3300  rundll32.exe  44
  PID 3300 wrote to memory of 2848   3300  rundll32.exe  43
  PID 3300 wrote to memory of 2628   3300  rundll32.exe  41
  PID 3300 wrote to memory of 2032   3300  rundll32.exe  40
  PID 3300 wrote to memory of 3268   3300  rundll32.exe  39
Processes
- C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 3268

- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
  PID: 2032

- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 2628

- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0a1a8b8e905bb43bf2af932fb3f5009c5cdaf5c77b4fbd1523da3199b29cfa48.dll,#1
  PID: 3300
  Signatures:
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

- C:\Windows\system32\taskhostw.exe
  Command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  PID: 2848

- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
  PID: 2788

- C:\Windows\system32\sihost.exe
  Command line: sihost.exe
  PID: 2604