Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 140s
max time network: 119s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 14/03/2024, 18:47
Behavioral task: behavioral1
Sample: 39a4d4155fffdb9ac71145d6282b9521eb3fd2b05e9b28d7f9d2b4cae2a8eefa.dll
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 39a4d4155fffdb9ac71145d6282b9521eb3fd2b05e9b28d7f9d2b4cae2a8eefa.dll
Resource: win10v2004-20240226-en
General
Target: 39a4d4155fffdb9ac71145d6282b9521eb3fd2b05e9b28d7f9d2b4cae2a8eefa.dll
Size: 76KB
MD5: 6b3cdda2a3782951c6fe0c1cb067d4e6
SHA1: e8a16ee56f9f1d0c5b17e17e909b9a9bad3336ac
SHA256: 39a4d4155fffdb9ac71145d6282b9521eb3fd2b05e9b28d7f9d2b4cae2a8eefa
SHA512: b1c7ae96978e499c4c0a8553cd2b8743ef220b1e3d6aaa7a7dcd29a92a874a4b2fa683856a1cf143150e47b1e90fd9fc8310a58bdfeaca8de16a022b1e90c4d8
SSDEEP: 1536:YjV8y93KQpFQmPLRk7G50zy/riF12jvRyo0hQk7ZK2KV:c8y93KQjy7G55riF1cMo0302KV
Malware Config
(none extracted)

Signatures

UPX dump on OEP (original entry point) (5 IoCs)
resource | yara_rule
behavioral1/memory/1780-0-0x0000000010000000-0x0000000010030000-memory.dmp | UPX
behavioral1/memory/1780-1-0x0000000010000000-0x0000000010030000-memory.dmp | UPX
behavioral1/memory/1780-3-0x0000000010000000-0x0000000010030000-memory.dmp | UPX
behavioral1/memory/1780-2-0x0000000010000000-0x0000000010030000-memory.dmp | UPX
behavioral1/memory/1780-4-0x0000000010000000-0x0000000010030000-memory.dmp | UPX

resource | yara_rule
behavioral1/memory/1780-0-0x0000000010000000-0x0000000010030000-memory.dmp | upx
behavioral1/memory/1780-1-0x0000000010000000-0x0000000010030000-memory.dmp | upx
behavioral1/memory/1780-3-0x0000000010000000-0x0000000010030000-memory.dmp | upx
behavioral1/memory/1780-2-0x0000000010000000-0x0000000010030000-memory.dmp | upx
behavioral1/memory/1780-4-0x0000000010000000-0x0000000010030000-memory.dmp | upx

Program crash (1 IoC)
pid | pid_target | Process | procid_target
2052 | 1780 | WerFault.exe | 28

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 1780 | rundll32.exe

Suspicious use of WriteProcessMemory (11 IoCs)
description | pid | Process | procid_target
PID 2196 wrote to memory of 1780 | 2196 | rundll32.exe | 28
PID 2196 wrote to memory of 1780 | 2196 | rundll32.exe | 28
PID 2196 wrote to memory of 1780 | 2196 | rundll32.exe | 28
PID 2196 wrote to memory of 1780 | 2196 | rundll32.exe | 28
PID 2196 wrote to memory of 1780 | 2196 | rundll32.exe | 28
PID 2196 wrote to memory of 1780 | 2196 | rundll32.exe | 28
PID 2196 wrote to memory of 1780 | 2196 | rundll32.exe | 28
PID 1780 wrote to memory of 2052 | 1780 | rundll32.exe | 29
PID 1780 wrote to memory of 2052 | 1780 | rundll32.exe | 29
PID 1780 wrote to memory of 2052 | 1780 | rundll32.exe | 29
PID 1780 wrote to memory of 2052 | 1780 | rundll32.exe | 29
Processes (process tree, indented by parent)

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\39a4d4155fffdb9ac71145d6282b9521eb3fd2b05e9b28d7f9d2b4cae2a8eefa.dll,#1
  PID: 2196
  Signatures: Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\39a4d4155fffdb9ac71145d6282b9521eb3fd2b05e9b28d7f9d2b4cae2a8eefa.dll,#1
    PID: 1780
    Signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1780 -s 304
      PID: 2052
      Signatures: Program crash