Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
144s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
resource tags
arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system -
submitted
06/01/2024, 14:09
Static task
static1
Behavioral task
behavioral1
Sample
86cd1cc40bbead8e603ade8e329379353b68958e8a30a1374bbb73b0cbf53556.dll
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
86cd1cc40bbead8e603ade8e329379353b68958e8a30a1374bbb73b0cbf53556.dll
Resource
win10v2004-20231222-en
General
-
Target
86cd1cc40bbead8e603ade8e329379353b68958e8a30a1374bbb73b0cbf53556.dll
-
Size
397KB
-
MD5
6a8e1f369f7f30b5e90d344e22cf422c
-
SHA1
f9aea0807c08f863c761601af5b097ecad67b2ef
-
SHA256
86cd1cc40bbead8e603ade8e329379353b68958e8a30a1374bbb73b0cbf53556
-
SHA512
f5963a1e47b2de126140e59dc91fb839ff79a9d30d15f89b65ef2e3aab9ead434318ad9abd85abb28511b2806a73b88837b3b66d089f8edb91c68169c5673b45
-
SSDEEP
6144:151sacsiu2LDeIHoMDIbGFtcEOkCybEaQRXr9HNdvOaO:174g2LDeiPDImOkx2LIaO
Malware Config
Signatures
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process 4900 rundll32.exe 4900 rundll32.exe 4900 rundll32.exe 4900 rundll32.exe 4900 rundll32.exe 4900 rundll32.exe 4900 rundll32.exe 4900 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 4900 rundll32.exe Token: SeTcbPrivilege 4900 rundll32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 1092 wrote to memory of 4900 1092 rundll32.exe 65 PID 1092 wrote to memory of 4900 1092 rundll32.exe 65 PID 1092 wrote to memory of 4900 1092 rundll32.exe 65
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\86cd1cc40bbead8e603ade8e329379353b68958e8a30a1374bbb73b0cbf53556.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:1092 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\86cd1cc40bbead8e603ade8e329379353b68958e8a30a1374bbb73b0cbf53556.dll,#12⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4900
-