Analysis
  max time kernel: 58s
  max time network: 60s
  platform: windows10-1703_x64
  resource: win10-20240404-en
  resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  submitted: 25/04/2024, 22:57

Static task: static1 (1 signature)
Behavioral task: behavioral1
  Sample: Lightshot.dll
  Resource: win10-20240404-en
  5 signatures, 150 seconds
General
  Target: Lightshot.dll
  Size: 42.8MB
  MD5: adaf397f4411ea601d3f16466e9977b3
  SHA1: c4c82f343f1faba0b9ba64812f4fd6fad6158baa
  SHA256: 22f9b48c8f78c9d7e027e5956851b70a889d0b7de6c161486096ca7a2218665c
  SHA512: 4b55e32b4a99de5faf2941ab823072ff4f0ba50f35080590e085479b45a1f3fe1f04fa214dcbf26948ef60028df9b5bf5046dc1307558af585cbca7491432e04
  SSDEEP: 393216:Z6bcFItVoPXkVcFi6xeFbXYh6/U08Vil1/kdC8yFeH6yZ3qA1/elx4Zf1++aD88L:ZpytVgiT+CMzC89Hl/0kzii1oQSPyu
  Score: 3/10
Malware Config
Signatures

Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  3996  2576        WerFault.exe  72

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                                    Process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  rundll32.exe
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                      rundll32.exe

Enumerates system info in registry (2 TTPs, 4 IoCs)
  description        ioc                                                            Process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  rundll32.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   rundll32.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion       rundll32.exe
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS                     rundll32.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  2576  rundll32.exe
  2576  rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                       pid   Process       procid_target
  PID 4920 wrote to memory of 2576  4920  rundll32.exe  72
  PID 4920 wrote to memory of 2576  4920  rundll32.exe  72
  PID 4920 wrote to memory of 2576  4920  rundll32.exe  72
Processes
- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\Lightshot.dll,#1
  PID: 4920
  signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\Lightshot.dll,#1
    PID: 2576
    signatures: Checks processor information in registry; Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses
    - C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2576 -s 776
      PID: 3996
      signatures: Program crash