Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20230703-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04/07/2023, 13:54
Behavioral task: behavioral1
- Sample: d6622cd29917ff7bc00057062.dll
- Resource: win7-20230703-en
Behavioral task: behavioral2
- Sample: d6622cd29917ff7bc00057062.dll
- Resource: win10v2004-20230703-en
General
- Target: d6622cd29917ff7bc00057062.dll
- Size: 708KB
- MD5: c342148a7cdb82421ffbf9a03463b60f
- SHA1: 2dfdb9e80dd20e915c33141f121e59e7f9b72207
- SHA256: d6622cd29917ff7bc000570627ae2249871991374dcb31547fd8ed66619f7809
- SHA512: dc9f5f92ff89062c798eac9601f3d02c726a2c232846d1dce91f10b0abc0c54f3539e3dda5c7b9b57bcedd35bc3d8c7e38b7f101ffdf328edb8c553b0baa37d1
- SSDEEP: 12288:iemwWlnXHTZac40hZZcJBfsPdKedHllhlLAMM4M6TgUF:iemwWlnXHK0dc7fsPbFNcRt8
Malware Config
Signatures
- Drops file in System32 directory (1 IoC)
  description | ioc | Process
  File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{C596F982-FCA6-4785-B931-1099830DA8D2}.catalogItem | svchost.exe
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | svchost.exe
- Enumerates system info in registry (2 TTPs, 2 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | svchost.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | Process
  2756 | rundll32.exe
  2756 | rundll32.exe
  2756 | rundll32.exe
  2756 | rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 2752 wrote to memory of 2756 | 2752 | rundll32.exe | 81
  PID 2752 wrote to memory of 2756 | 2752 | rundll32.exe | 81
  PID 2752 wrote to memory of 2756 | 2752 | rundll32.exe | 81
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- Image: C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d6622cd29917ff7bc00057062.dll,#1
  PID: 2752
  - Suspicious use of WriteProcessMemory
  - Image: C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d6622cd29917ff7bc00057062.dll,#1
    PID: 2756
    - Suspicious behavior: EnumeratesProcesses
- Image: C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k netsvcs -p
  PID: 4580
  - Drops file in System32 directory
  - Checks processor information in registry
  - Enumerates system info in registry