Analysis
- max time kernel: 109s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/03/2024, 22:13
Static task: static1
Behavioral task: behavioral1
- Sample: c1bc798ea23f3724ec785dcb80ef5157.dll
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: c1bc798ea23f3724ec785dcb80ef5157.dll
- Resource: win10v2004-20240226-en
General
- Target: c1bc798ea23f3724ec785dcb80ef5157.dll
- Size: 49KB
- MD5: c1bc798ea23f3724ec785dcb80ef5157
- SHA1: 39a62d515ef9243ebbe258c6c216117fac708b18
- SHA256: 7698b685acfb273d1590fabe8f3495f2056691a5871296a50b1c5ed1339aa577
- SHA512: a87ba8d95525e813b0170cd00687cf617fca23d46aaadc7752556e2501320a8191165fa5dbc77c060264e8606cfccc755a1af93f3772d4835c35ac018c555e42
- SSDEEP: 768:4vc89QoqCl28iydf60EUsn3Q1lwf2hekL9/w4Xk+lZW+4V:Y/Qpc/Zf6wsEVCX+lQnV
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  pid   Process
  2428  PCB~1.exe
- Drops file in System32 directory (1 IoCs)
  description   ioc                            Process
  File created  C:\Windows\SysWOW64\PCB~1.exe  rundll32.exe
- Program crash (3 IoCs)
  pid   pid_target  Process       procid_target
  3012  2428        WerFault.exe  88
  3500  2428        WerFault.exe  88
  4620  4256        WerFault.exe  84
- Kills process with taskkill (1 IoCs)
  pid   Process
  5088  taskkill.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  5088  taskkill.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  description                       pid   Process       procid_target
  PID 4844 wrote to memory of 4256  4844  rundll32.exe  84
  PID 4844 wrote to memory of 4256  4844  rundll32.exe  84
  PID 4844 wrote to memory of 4256  4844  rundll32.exe  84
  PID 4256 wrote to memory of 2428  4256  rundll32.exe  88
  PID 4256 wrote to memory of 2428  4256  rundll32.exe  88
  PID 4256 wrote to memory of 2428  4256  rundll32.exe  88
  PID 4256 wrote to memory of 2092  4256  rundll32.exe  99
  PID 4256 wrote to memory of 2092  4256  rundll32.exe  99
  PID 4256 wrote to memory of 2092  4256  rundll32.exe  99
  PID 4256 wrote to memory of 768   4256  rundll32.exe  100
  PID 4256 wrote to memory of 768   4256  rundll32.exe  100
  PID 4256 wrote to memory of 768   4256  rundll32.exe  100
  PID 768 wrote to memory of 5088   768   cmd.exe       105
  PID 768 wrote to memory of 5088   768   cmd.exe       105
  PID 768 wrote to memory of 5088   768   cmd.exe       105
Processes (process tree; each entry gives the image path, the command line, the PID and the signatures that fired on it)
- C:\Windows\system32\rundll32.exe (PID 4844)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\c1bc798ea23f3724ec785dcb80ef5157.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 4256)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\c1bc798ea23f3724ec785dcb80ef5157.dll,#1
    Signatures: Drops file in System32 directory; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PCB~1.exe (PID 2428)
      C:\Windows\system32\PCB~1.exe
      Signatures: Executes dropped EXE
      - C:\Windows\SysWOW64\WerFault.exe (PID 3012)
        C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 428
        Signatures: Program crash
      - C:\Windows\SysWOW64\WerFault.exe (PID 3500)
        C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 448
        Signatures: Program crash
    - C:\Windows\SysWOW64\cmd.exe (PID 2092)
      cmd /c erase /f /q C:\Windows\system32\PCB~1.exe
    - C:\Windows\SysWOW64\cmd.exe (PID 768)
      cmd /c taskkill /im cmd.exe
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\taskkill.exe (PID 5088)
        taskkill /im cmd.exe
        Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WerFault.exe (PID 4620)
      C:\Windows\SysWOW64\WerFault.exe -u -p 4256 -s 616
      Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 2724)
  C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2428 -ip 2428
- C:\Windows\SysWOW64\WerFault.exe (PID 1008)
  C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2428 -ip 2428
- C:\Windows\SysWOW64\WerFault.exe (PID 2660)
  C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4256 -ip 4256
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 29KB
  MD5: b44e9d14dec09425c1c3b762d21f31a2
  SHA1: 8118759754b0be281ec8bab3734061db3bc1ab44
  SHA256: a9603e8836952ee6b5e1e1b49812c9e4c5911a2502bfc01d5c5d63d36ee7142f
  SHA512: e60349a06386f0f7607b39045416efeff8afa078e8cda058b0fb90cc750935c532557a1bb2d4b05b1efec0fe2163f29f6a524f3b0f444b0327d5d1a9b6455e8f