Analysis
  max time kernel: 153s
  max time network: 148s
  platform: windows10-2004_x64
  resource: win10v2004-20230915-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 10/10/2023, 21:00
Static task: static1

Behavioral task: behavioral1
  Sample: 11c5e6178e2e26eaa8fc75638ad2f3e3b0dbe6b1129d2103d9664c87d8cae5a2.dll
  Resource: win7-20230831-en

Behavioral task: behavioral2
  Sample: 11c5e6178e2e26eaa8fc75638ad2f3e3b0dbe6b1129d2103d9664c87d8cae5a2.dll
  Resource: win10v2004-20230915-en
General
  Target: 11c5e6178e2e26eaa8fc75638ad2f3e3b0dbe6b1129d2103d9664c87d8cae5a2.dll
  Size: 3.2MB
  MD5: cce35a6afcc2c93758b70935d6616abf
  SHA1: 31c1ecc4d75ec1a8aa12ca82f44465dd3bacbd37
  SHA256: 11c5e6178e2e26eaa8fc75638ad2f3e3b0dbe6b1129d2103d9664c87d8cae5a2
  SHA512: 6f19ef2f3cee1f65411cadee345d2b9ea37babffb3d4d8402d1659fee839b1d92e3baeed90655dd8ef849eb076d26109c87bb36cd4429fca1056a1816f62ee7e
  SSDEEP: 49152:iXPwh11sXIAyT9tN93Qs5SkP2lS1mdM03aT1PtE8j+bINz:qPs1sByTb5SQrWM03o1Xj+bINz
Malware Config

Signatures
- Blocklisted process makes network request (2 IoCs)
    flow  pid   Process
    34    3428  rundll32.exe
    35    3428  rundll32.exe
- Drops file in Windows directory (1 IoC)
    description                   ioc                                        Process
    File opened for modification  C:\Windows\WindowSystemNewUpdate66.log     rundll32.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
    description               pid   Process
    Token: SeDebugPrivilege   3428  rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
    description                           pid   Process       procid_target
    PID 5048 wrote to memory of 3428      5048  rundll32.exe  88
    PID 5048 wrote to memory of 3428      5048  rundll32.exe  88
    PID 5048 wrote to memory of 3428      5048  rundll32.exe  88
Processes
- C:\Windows\system32\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\11c5e6178e2e26eaa8fc75638ad2f3e3b0dbe6b1129d2103d9664c87d8cae5a2.dll,#1
    PID: 5048
    - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (child of PID 5048)
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\11c5e6178e2e26eaa8fc75638ad2f3e3b0dbe6b1129d2103d9664c87d8cae5a2.dll,#1
      PID: 3428
      - Blocklisted process makes network request
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken