Analysis

max time kernel: 144s
max time network: 142s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 10/01/2024, 19:35
Static task: static1
  1 signatures

Behavioral task: behavioral1
  Sample: 37e550e833ef4681b290ed330a62dea1.dll
  Resource: win7-20231215-en
  4 signatures
  150 seconds
General

Target: 37e550e833ef4681b290ed330a62dea1.dll
Size: 188KB
MD5: 37e550e833ef4681b290ed330a62dea1
SHA1: 58f3a3693bdddaf78da99175c655c76be2b7c1dc
SHA256: a5be075d6f86ee564bb4ce0e2c232df887dfa7f7e6b682feca17657283436622
SHA512: 2b69ec5a7980437a2f400852bee95bc4e8e82abd52b3d91978cbb0d8650f432cdc5c64ac7dc675f36b32ab0c45ca81a258dbdc46d4a816e41a271a31cd0c188a
SSDEEP: 3072:vA8JmK7ATVfQeVqNFZa/9KzMXJ6jTFDlAwqWut5KZMzfeAAAoNo:vzIqATVfQeV2FZalKq6jtGJWuTmd
Malware Config (Extracted)

Family: dridex
Botnet: 22201
C2:
  103.82.248.59:443
  54.39.98.141:6602
  103.109.247.8:10443
rc4.plain
rc4.plain
Signatures

YARA rule match
  resource                                                              | yara_rule
  behavioral1/memory/2856-0-0x0000000074D90000-0x0000000074DC0000-memory.dmp | dridex_ldr

Program crash (1 IoC)
  pid  | pid_target | Process      | procid_target
  2796 | 2856       | WerFault.exe | 28

Suspicious use of WriteProcessMemory (11 IoCs)
  description                       | pid  | Process      | procid_target
  PID 2664 wrote to memory of 2856  | 2664 | rundll32.exe | 28
  PID 2664 wrote to memory of 2856  | 2664 | rundll32.exe | 28
  PID 2664 wrote to memory of 2856  | 2664 | rundll32.exe | 28
  PID 2664 wrote to memory of 2856  | 2664 | rundll32.exe | 28
  PID 2664 wrote to memory of 2856  | 2664 | rundll32.exe | 28
  PID 2664 wrote to memory of 2856  | 2664 | rundll32.exe | 28
  PID 2664 wrote to memory of 2856  | 2664 | rundll32.exe | 28
  PID 2856 wrote to memory of 2796  | 2856 | rundll32.exe | 29
  PID 2856 wrote to memory of 2796  | 2856 | rundll32.exe | 29
  PID 2856 wrote to memory of 2796  | 2856 | rundll32.exe | 29
  PID 2856 wrote to memory of 2796  | 2856 | rundll32.exe | 29
Processes

1. C:\Windows\system32\rundll32.exe (PID 2664)
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\37e550e833ef4681b290ed330a62dea1.dll,#1
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe (PID 2856)
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\37e550e833ef4681b290ed330a62dea1.dll,#1
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\WerFault.exe (PID 2796)
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 308
         - Program crash