Analysis
- max time kernel: 142s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20231025-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231025-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29/10/2023, 23:53
Static task
- static1: 1 signature

Behavioral task
- behavioral1: sample eraz0r.dll, resource win7-20231023-en, 7 signatures, 150 seconds

Behavioral task
- behavioral2: sample eraz0r.dll, resource win10v2004-20231025-en, 4 signatures, 150 seconds
General
- Target: eraz0r.dll
- Size: 12.6MB
- MD5: 1a460374f370ef58c3b769d56f38b50b
- SHA1: 0dcd6b1b7db59d26bbab1ccf6930b7654477ebbe
- SHA256: 0e8e168c9bd7bf0abb03cb388e069e0050b77b2de95ca217c12e174980538b3d
- SHA512: e2a1c37444ea8cc7c7cd20368250aee42c18160b4016d7bd4b380e41f36b3d58efa9609bf5b151b43728b6f7fad3ff65700f5b798286873c941c6067dd854961
- SSDEEP: 98304:CcDTwXlUKj57xHAe/JyS1DOlRomRQvPMaQQBtVD/EmYESD8G+JKBdK9/TToGFXob:CblUWNOlRomRQvPMa2+JB2
- Score: 8/10
Malware Config
Signatures
- Blocklisted process makes network request (2 IoCs)
  flow  pid   Process
  4     4644  rundll32.exe
  28    4644  rundll32.exe
- Enumerates connected drives (3 TTPs, 1 IoC)
  Attempts to read the root path of hard drives other than the default C: drive.
  description              ioc     Process
  File opened (read-only)  \??\F:  rundll32.exe
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid   Process
  4644  rundll32.exe  (the same entry is reported 12 times)
- Suspicious use of WriteProcessMemory (5 IoCs)
  description                        pid   Process       procid_target
  PID 4644 wrote to memory of 2368   4644  rundll32.exe  91
  PID 4644 wrote to memory of 2368   4644  rundll32.exe  91
  PID 2368 wrote to memory of 4496   2368  cmd.exe       93
  PID 2368 wrote to memory of 4496   2368  cmd.exe       93
  PID 4644 wrote to memory of 4496   4644  rundll32.exe  93
Processes
- C:\Windows\system32\rundll32.exe (depth 1)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\eraz0r.dll,#1
  PID: 4644
  signatures:
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (depth 2)
    command line: "cmd" /c "start notepad.exe"
    PID: 2368
    signatures:
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\notepad.exe (depth 3)
      command line: notepad.exe
      PID: 4496