Analysis
  max time kernel:   139s
  max time network:  153s
  platform:          windows10-2004_x64
  resource:          win10v2004-20231215-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         19/01/2024, 07:40 UTC
Static task
  static1

Behavioral task
  behavioral1
    Sample:    87d371e6c595449c352ae0cf68679ff696d3ee82e96639a8c698bc27832dc17f.dll
    Resource:  win7-20231215-en

Behavioral task
  behavioral2
    Sample:    87d371e6c595449c352ae0cf68679ff696d3ee82e96639a8c698bc27832dc17f.dll
    Resource:  win10v2004-20231215-en
General
  Target:  87d371e6c595449c352ae0cf68679ff696d3ee82e96639a8c698bc27832dc17f.dll
  Size:    397KB
  MD5:     f8d807296436c5e4177a40bdc88b5eaf
  SHA1:    55afcebc1d487144322ccac27a5961e0020b0bc2
  SHA256:  87d371e6c595449c352ae0cf68679ff696d3ee82e96639a8c698bc27832dc17f
  SHA512:  862e93c9c76b1a863ff616934b0de9139b11cd396b3923ca0ff5ce428b2f66ad072abee3a1977ac971c38411e4846d0eb9afce3f1cb307c069b91ed345f1da61
  SSDEEP:  6144:151sacsiu2LDeIHoMDIbGFtcEOkCybEaQRXr9HNdvOat:174g2LDeiPDImOkx2LIat
Malware Config
Signatures

Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid  Process
  64   rundll32.exe
  64   rundll32.exe
  64   rundll32.exe
  64   rundll32.exe
  64   rundll32.exe
  64   rundll32.exe
  64   rundll32.exe
  64   rundll32.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid  Process
  Token: SeDebugPrivilege  64   rundll32.exe
  Token: SeTcbPrivilege    64   rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                      pid   Process       procid_target
  PID 4760 wrote to memory of 64   4760  rundll32.exe  86
  PID 4760 wrote to memory of 64   4760  rundll32.exe  86
  PID 4760 wrote to memory of 64   4760  rundll32.exe  86
Processes

1. C:\Windows\system32\rundll32.exe
   Command line:  rundll32.exe C:\Users\Admin\AppData\Local\Temp\87d371e6c595449c352ae0cf68679ff696d3ee82e96639a8c698bc27832dc17f.dll,#1
   PID:           4760
   Signatures:    Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe (child of PID 4760)
      Command line:  rundll32.exe C:\Users\Admin\AppData\Local\Temp\87d371e6c595449c352ae0cf68679ff696d3ee82e96639a8c698bc27832dc17f.dll,#1
      PID:           64
      Signatures:    Suspicious behavior: EnumeratesProcesses
                     Suspicious use of AdjustPrivilegeToken
Network

DNS exchanges (all to remote address 8.8.8.8:53; all queries are IN PTR)
  Request                        Response
  104.219.191.52.in-addr.arpa    (no answer)
  194.178.17.96.in-addr.arpa     a96-17-178-194.deploy.static.akamaitechnologies.com
  95.221.229.192.in-addr.arpa    (no answer)
  232.168.11.51.in-addr.arpa     (no answer)
  183.59.114.20.in-addr.arpa     (no answer)
  18.31.95.13.in-addr.arpa       (no answer)
  18.134.221.88.in-addr.arpa     a88-221-134-18.deploy.static.akamaitechnologies.com
  180.178.17.96.in-addr.arpa     a96-17-178-180.deploy.static.akamaitechnologies.com
  23.236.111.52.in-addr.arpa     (no answer)
  0.205.248.87.in-addr.arpa      https-87-248-205-0.lgw.llnw.net
  170.253.116.51.in-addr.arpa    (no answer)
DNS request traffic (bytes sent / bytes received / requests / responses)
  Sent   Received  Req  Resp  DNS Request
  73 B   147 B     1    1     104.219.191.52.in-addr.arpa
  72 B   137 B     1    1     194.178.17.96.in-addr.arpa
  73 B   144 B     1    1     95.221.229.192.in-addr.arpa
  72 B   158 B     1    1     232.168.11.51.in-addr.arpa
  72 B   158 B     1    1     183.59.114.20.in-addr.arpa
  70 B   144 B     1    1     18.31.95.13.in-addr.arpa
  72 B   137 B     1    1     18.134.221.88.in-addr.arpa
  72 B   137 B     1    1     180.178.17.96.in-addr.arpa
  72 B   158 B     1    1     23.236.111.52.in-addr.arpa
  71 B   116 B     1    1     0.205.248.87.in-addr.arpa
  73 B   159 B     1    1     170.253.116.51.in-addr.arpa