Analysis
  max time kernel: 150s
  max time network: 151s
  platform: windows10-2004_x64
  resource: win10v2004-20240226-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 28/02/2024, 18:08
Static task: static1 (1 signature)

Behavioral task: behavioral1
  Sample: ac84f5111a808443276a972b80d6757f.dll
  Resource: win7-20240221-en
  3 signatures, 150 seconds

Behavioral task: behavioral2 (the run reported below)
  Sample: ac84f5111a808443276a972b80d6757f.dll
  Resource: win10v2004-20240226-en
  3 signatures, 150 seconds
General
  Target: ac84f5111a808443276a972b80d6757f.dll
  Size: 5KB
  MD5: ac84f5111a808443276a972b80d6757f
  SHA1: 1af29edde88a9117dd36b6cbaa0f208b547b8802
  SHA256: 422f0a45c0de6f256f5ddd17a8573e39dfb97ac7aa2cd143d6b9539d023eb010
  SHA512: ad8a68a492823505d81e5bd89c3ca0b7ec695678be90ab07c82f787c6f7b71b85bff524487fd5920081438c86c1133ff1665ab0265c510662c961cfa516df66a
  SSDEEP: 96:onDAxyBn3vXkiWcu/g2e+Z9txhLT/ft68Df3p1sg4mHM1GAe+KaIouHFmkgcwQwu:AlBn3fbG3T7txhLDb51TeGl+KaI1mkgG

Score: 1/10

Malware Config: (none)
Signatures

  Modifies registry class (6 IoCs)
    description      | ioc                                                                                                                                | process
    Set value (str)  | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C36ECF8F-EAD9-44BD-8DD0-C4240A06F51C}\InprocServer32\ThreadingModel = "Apartment" | rundll32.exe
    Key created      | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C36ECF8F-EAD9-44BD-8DD0-C4240A06F51C}\InprocServer32                              | rundll32.exe
    Key created      | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node                                                                                      | rundll32.exe
    Key created      | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID                                                                                | rundll32.exe
    Key created      | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C36ECF8F-EAD9-44BD-8DD0-C4240A06F51C}                                             | rundll32.exe
    Set value (str)  | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C36ECF8F-EAD9-44BD-8DD0-C4240A06F51C}\InprocServer32\ = "C:\Users\Admin\AppData\Local\Temp\ac84f5111a808443276a972b80d6757f.dll" | rundll32.exe

    Taken together these six writes are a COM in-process server registration: the CLSID {C36ECF8F-EAD9-44BD-8DD0-C4240A06F51C} is pointed at the sample's own path in the user's Temp directory (the default value of InprocServer32), with ThreadingModel set to Apartment. The WOW6432Node prefix is the 32-bit view of HKLM\SOFTWARE\Classes, so the writer is the 32-bit rundll32.exe (PID 4996 in the process tree below). A DLL path under AppData\Local\Temp is writable without administrative rights, which is what makes this registration worth checking on a live host rather than the registration itself.

  Suspicious behavior: EnumeratesProcesses (2 IoCs)
    pid   | process
    4996  | rundll32.exe
    4996  | rundll32.exe

  Suspicious use of WriteProcessMemory (4 IoCs)
    description                        | pid   | process       | procid_target
    PID 4836 wrote to memory of 4996   | 4836  | rundll32.exe  | 57
    PID 4836 wrote to memory of 4996   | 4836  | rundll32.exe  | 57
    PID 4836 wrote to memory of 4996   | 4836  | rundll32.exe  | 57
    PID 4996 wrote to memory of 3552   | 4996  | rundll32.exe  | 50

    procid_target is the report's internal process index, not the OS PID; the PID of the target is the one named in the description. The three writes from 4836 into 4996 are the 64-bit rundll32 setting up the 32-bit child it has just created. The write from 4996 into 3552 (Explorer.EXE) is the only one that leaves the rundll32 process tree.
Processes

  C:\Windows\system32\rundll32.exe (PID 4836)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ac84f5111a808443276a972b80d6757f.dll,#1
    - Suspicious use of WriteProcessMemory
    |
    +-- C:\Windows\SysWOW64\rundll32.exe (PID 4996, child of 4836)
          command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ac84f5111a808443276a972b80d6757f.dll,#1
          - Modifies registry class
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory

  C:\Windows\Explorer.EXE (PID 3552)
    command line: C:\Windows\Explorer.EXE

  The ",#1" suffix is rundll32's <dll>,<entry> syntax with a leading "#", i.e. the DLL's export at ordinal 1 is called rather than an export by name. The 64-bit rundll32.exe in system32 does not load a 32-bit DLL itself; it re-launches the SysWOW64 copy with the same command line, which is why the registry and process-enumeration activity is attributed to PID 4996 and the parent only shows the WriteProcessMemory calls from creating that child.
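The following is an added example, not part of the Triage report or of Triage's own tooling. It re-types the report's registry IoCs, process tree and WriteProcessMemory rows as constructed data and runs three checks a reviewer would apply to any report of this shape: which CLSIDs were pointed at a DLL in a user-writable path, which rundll32 instances loaded a DLL from such a path and by which entry, and which cross-process writes are not a parent writing into its own new child. The tuple layouts and function names are this example's own.

```python
import re

# Data re-typed from the report above (constructed for this example; the tuple
# layouts and function names are this example's own, not Triage's API).
CLSID_KEY = (r"\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID"
             r"\{C36ECF8F-EAD9-44BD-8DD0-C4240A06F51C}")
SAMPLE_DLL = r"C:\Users\Admin\AppData\Local\Temp\ac84f5111a808443276a972b80d6757f.dll"

# (description, key, value, process) rows from "Modifies registry class".
REGISTRY_IOCS = [
    ("Set value (str)", CLSID_KEY + "\\InprocServer32\\ThreadingModel", "Apartment", "rundll32.exe"),
    ("Key created", CLSID_KEY + "\\InprocServer32", None, "rundll32.exe"),
    ("Key created", r"\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node", None, "rundll32.exe"),
    ("Key created", r"\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID", None, "rundll32.exe"),
    ("Key created", CLSID_KEY, None, "rundll32.exe"),
    ("Set value (str)", CLSID_KEY + "\\InprocServer32\\", SAMPLE_DLL, "rundll32.exe"),
]

# (pid, parent_pid, image, command_line) rows from the process tree.
PROCESSES = [
    (4836, None, r"C:\Windows\system32\rundll32.exe", "rundll32.exe " + SAMPLE_DLL + ",#1"),
    (4996, 4836, r"C:\Windows\SysWOW64\rundll32.exe", "rundll32.exe " + SAMPLE_DLL + ",#1"),
    (3552, None, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
]

# (writer_pid, target_pid) rows from "Suspicious use of WriteProcessMemory".
WRITES = [(4836, 4996), (4836, 4996), (4836, 4996), (4996, 3552)]

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Anything under a user's AppData is writable without admin rights.
USER_WRITABLE_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
# rundll32 <dll>,<entry>; a leading '#' on <entry> selects an export by ordinal.
RUNDLL32_RE = re.compile(r"^rundll32(?:\.exe)?\s+(?P<dll>\S+?),(?P<entry>#?\w+)\s*$", re.IGNORECASE)


def registered_inproc_servers(iocs):
    """Map CLSID -> (server DLL path, written under WOW6432Node) for every
    InprocServer32 default value set in the rows. The default value of a key
    shows up in Triage output as the key path ending in a bare backslash."""
    servers = {}
    for desc, key, value, _proc in iocs:
        if not desc.startswith("Set value") or value is None:
            continue
        if not key.lower().endswith("\\inprocserver32\\"):
            continue
        m = CLSID_RE.search(key)
        if m:
            servers[m.group(0).upper()] = (value, "\\wow6432node\\" in key.lower())
    return servers


def com_servers_in_user_paths(iocs):
    """CLSIDs whose in-process server was pointed at a user-writable path."""
    return sorted(clsid for clsid, (path, _wow64) in registered_inproc_servers(iocs).items()
                  if USER_WRITABLE_RE.match(path))


def rundll32_user_dll_loads(processes):
    """(pid, dll, entry) for each rundll32 that loads a DLL from a user-writable
    path. Paths containing spaces would be quoted on a real command line; the
    regex here covers the unquoted form seen in this report."""
    flagged = []
    for pid, _ppid, image, cmdline in processes:
        if not image.lower().endswith("\\rundll32.exe"):
            continue
        m = RUNDLL32_RE.match(cmdline)
        if m and USER_WRITABLE_RE.match(m.group("dll")):
            flagged.append((pid, m.group("dll"), m.group("entry")))
    return flagged


def cross_tree_writes(writes, processes):
    """(writer, target, target_image) for WriteProcessMemory events whose target
    is not the writer's own child. A parent writing into a process it has just
    created is how process start-up looks; a write into an unrelated process
    such as Explorer.EXE is the event worth a closer look."""
    by_pid = {pid: (ppid, image) for pid, ppid, image, _cmd in processes}
    out = set()
    for writer, target in writes:
        ppid, image = by_pid[target]
        if ppid != writer:
            out.add((writer, target, image))
    return sorted(out)


if __name__ == "__main__":
    print(registered_inproc_servers(REGISTRY_IOCS))
    print(rundll32_user_dll_loads(PROCESSES))
    print(cross_tree_writes(WRITES, PROCESSES))
```

On this report the checks reduce the nine signature rows to three facts: one CLSID registered under the 32-bit view with its server in the user's Temp directory, two rundll32 instances (4836 and 4996) invoking that DLL by ordinal 1, and one write from the 32-bit rundll32 into Explorer.EXE. The parent-to-child writes drop out because they are expected at process creation.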