Analysis
  max time kernel:   145s
  max time network:  154s
  platform:          windows10-2004_x64
  resource:          win10v2004-20231215-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         09/01/2024, 11:41
Static task
  static1

Behavioral task
  behavioral1
    Sample:    03a48a159e448ddbebabc6908b0ebc57e5f3ceca42552f5894c11f24c459c0b9.dll
    Resource:  win7-20231215-en

Behavioral task
  behavioral2
    Sample:    03a48a159e448ddbebabc6908b0ebc57e5f3ceca42552f5894c11f24c459c0b9.dll
    Resource:  win10v2004-20231215-en
General
  Target:  03a48a159e448ddbebabc6908b0ebc57e5f3ceca42552f5894c11f24c459c0b9.dll
  Size:    397KB
  MD5:     d7af76201066a059719e1103fbbe4805
  SHA1:    aac00a2e37a4460b4ff392a702238712b550e279
  SHA256:  03a48a159e448ddbebabc6908b0ebc57e5f3ceca42552f5894c11f24c459c0b9
  SHA512:  5e3d17ebd344a7f3261fe9441a97fb7f78ae15d45425539dc50f42de42c456581a7c64d29c6db449e6cfce78fec250f0fbe47b7a69aa5caea1cedbdd3f344b42
  SSDEEP:  6144:151sacsiu2LDeIHoMDIbGFtcEOkCybEaQRXr9HNdvOaQ:174g2LDeiPDImOkx2LIaQ
Malware Config
Signatures

  Suspicious behavior: EnumeratesProcesses (8 IoCs)
    pid   Process
    1580  rundll32.exe   (8 identical rows)

  Suspicious use of AdjustPrivilegeToken (2 IoCs)
    description              pid   Process
    Token: SeDebugPrivilege  1580  rundll32.exe
    Token: SeTcbPrivilege    1580  rundll32.exe

  Suspicious use of WriteProcessMemory (3 IoCs)
    description                      pid   Process       procid_target
    PID 3936 wrote to memory of 1580  3936  rundll32.exe  91
    PID 3936 wrote to memory of 1580  3936  rundll32.exe  91
    PID 3936 wrote to memory of 1580  3936  rundll32.exe  91
Processes

  1. C:\Windows\system32\rundll32.exe
     command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\03a48a159e448ddbebabc6908b0ebc57e5f3ceca42552f5894c11f24c459c0b9.dll,#1
     PID: 3936
     - Suspicious use of WriteProcessMemory

     2. C:\Windows\SysWOW64\rundll32.exe
        command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\03a48a159e448ddbebabc6908b0ebc57e5f3ceca42552f5894c11f24c459c0b9.dll,#1
        PID: 1580
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken