Analysis
max time kernel: 159s
max time network: 172s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/12/2023, 13:52
Static task: static1
Behavioral task: behavioral1
  Sample: 1aa13a58867e788f446e70cec58e1545.dll
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 1aa13a58867e788f446e70cec58e1545.dll
  Resource: win10v2004-20231215-en
General
Target: 1aa13a58867e788f446e70cec58e1545.dll
Size: 874KB
MD5: 1aa13a58867e788f446e70cec58e1545
SHA1: 52305e81e13a5e299bd3f1cf45238dfeca22a65f
SHA256: 3adbe4baa4d27304878ffff93849c61e187df267266cf7f99f72836ee8dcf7a6
SHA512: 4a69f501691d5fe6a8cdb6bfd070c1b8314602fbec32d755f50d76a5df2272ec3a587d32c7036e126ef6447596f5545ea34b82356613564e87908c43c8c0637e
SSDEEP: 24576:x8ZPwQDrsiK359EZbmNrUVLnkoo3EIYLD:sl43sZSgVDIY
Malware Config
Signatures
Suspicious use of NtSetInformationThreadHideFromDebugger (6 IoCs)
  pid   Process
  4376  rundll32.exe
  4376  rundll32.exe
  4376  rundll32.exe
  4376  rundll32.exe
  4376  rundll32.exe
  4376  rundll32.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoCs)
  pid   pid_target  Process       procid_target
  3972  4376        WerFault.exe  90
Suspicious use of SetWindowsHookEx (1 IoCs)
  pid   Process
  4376  rundll32.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  description                      pid   Process       procid_target
  PID 1744 wrote to memory of 4376  1744  rundll32.exe  90
  PID 1744 wrote to memory of 4376  1744  rundll32.exe  90
  PID 1744 wrote to memory of 4376  1744  rundll32.exe  90
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1aa13a58867e788f446e70cec58e1545.dll,#1
  PID: 1744
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1aa13a58867e788f446e70cec58e1545.dll,#1
    PID: 4376
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetWindowsHookEx
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 1412
      PID: 3972
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4376 -ip 4376
  PID: 1944