Analysis
  max time kernel: 138s
  max time network: 147s
  platform: windows10-2004_x64
  resource: win10v2004-20231023-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 12/11/2023, 01:46
Behavioral task: behavioral1
  Sample: 6676daa5ac462be5ab9db5b70a82e2fc6583b9ec2eaad6bc176ddb61ef08c5e5.dll
  Resource: win7-20231023-en

Behavioral task: behavioral2
  Sample: 6676daa5ac462be5ab9db5b70a82e2fc6583b9ec2eaad6bc176ddb61ef08c5e5.dll
  Resource: win10v2004-20231023-en
General
  Target: 6676daa5ac462be5ab9db5b70a82e2fc6583b9ec2eaad6bc176ddb61ef08c5e5.dll
  Size: 8.1MB
  MD5: 7a34b0a71978839c0f1b67ddecce33e1
  SHA1: efe3b29f5c015993a46ea3aac3e50c377e2c2e0a
  SHA256: 6676daa5ac462be5ab9db5b70a82e2fc6583b9ec2eaad6bc176ddb61ef08c5e5
  SHA512: e5717938edee821b80c02f254d36bd701358d8ba3738815ffdd5e4d02cf5c1171b8f60d43707343aec4d2ed5737a9783bea69e4cda31ec1d76772ead3ea190e1
  SSDEEP: 196608:PLejSGJHFn+3Yh8gZRZuuwRx5n6eRBjlH8G0xeOO0e8YP:yeGJMSZu9Rx56eRBZ8G2RO0X
Malware Config

Signatures
- Blocklisted process makes network request (2 IoCs)
    flow  pid   Process
    20    4024  rundll32.exe
    21    4024  rundll32.exe
- YARA rule matches (3 IoCs)
    resource                                                                  yara_rule
    behavioral2/memory/4024-3-0x0000000010000000-0x0000000010F91000-memory.dmp   vmprotect
    behavioral2/memory/4024-7-0x0000000010000000-0x0000000010F91000-memory.dmp   vmprotect
    behavioral2/memory/4024-13-0x0000000010000000-0x0000000010F91000-memory.dmp  vmprotect
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
    pid   Process
    4024  rundll32.exe
    4024  rundll32.exe
    4024  rundll32.exe
    4024  rundll32.exe
    4024  rundll32.exe
    4024  rundll32.exe
    4024  rundll32.exe
    4024  rundll32.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
    pid   Process
    4024  rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
    description                        pid   Process       procid_target
    PID 4976 wrote to memory of 4024   4976  rundll32.exe  84
    PID 4976 wrote to memory of 4024   4976  rundll32.exe  84
    PID 4976 wrote to memory of 4024   4976  rundll32.exe  84
Processes
- C:\Windows\system32\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6676daa5ac462be5ab9db5b70a82e2fc6583b9ec2eaad6bc176ddb61ef08c5e5.dll,#1
    PID: 4976
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (child of PID 4976)
        command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6676daa5ac462be5ab9db5b70a82e2fc6583b9ec2eaad6bc176ddb61ef08c5e5.dll,#1
        PID: 4024
        - Blocklisted process makes network request
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx