Analysis
max time kernel: 299s
max time network: 295s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/05/2024, 13:37
Static task
static1

Behavioral task
behavioral1
Sample: 6ca39838e51cf76a703c851970780fad9dbc940079bbf902a18f20329447f23f.dll
Resource: win7-20240508-en

Behavioral task
behavioral2
Sample: 6ca39838e51cf76a703c851970780fad9dbc940079bbf902a18f20329447f23f.dll
Resource: win10v2004-20240426-en
General
Target: 6ca39838e51cf76a703c851970780fad9dbc940079bbf902a18f20329447f23f.dll
Size: 1.0MB
MD5: 73ed3c0f370c86c091aa0db781287c77
SHA1: ebee720921ef5cb33e25c3321b0ff16aea32cd92
SHA256: 6ca39838e51cf76a703c851970780fad9dbc940079bbf902a18f20329447f23f
SHA512: 7a3957287ee80db1ab103671dd7ed2bf23aebf30df07d68921e5af062d6e18e66a32aa681c1da3cfd373d48e430d9d8e6221f31ece4e785677f0dc8e5116acff
SSDEEP: 24576:EKFZnpqCuPZCKj3/w6BFb41oLF1LCrf2DitbRoXyaH:5rnQCKgKjBB941oLCrf2it6Xyc
Malware Config
Signatures

resource | yara_rule
behavioral2/memory/2520-13-0x0000000010000000-0x00000000102D9000-memory.dmp | vmprotect
behavioral2/memory/2520-20-0x0000000010000000-0x00000000102D9000-memory.dmp | vmprotect
behavioral2/memory/2520-25-0x0000000010000000-0x00000000102D9000-memory.dmp | vmprotect
behavioral2/memory/2520-24-0x0000000010000000-0x00000000102D9000-memory.dmp | vmprotect
behavioral2/memory/2520-26-0x0000000010000000-0x00000000102D9000-memory.dmp | vmprotect
behavioral2/memory/2520-28-0x0000000010000000-0x00000000102D9000-memory.dmp | vmprotect
behavioral2/memory/2520-27-0x0000000010000000-0x00000000102D9000-memory.dmp | vmprotect
behavioral2/memory/2520-29-0x0000000010000000-0x00000000102D9000-memory.dmp | vmprotect
behavioral2/memory/2520-30-0x0000000010000000-0x00000000102D9000-memory.dmp | vmprotect

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 2696 set thread context of 2520 | 2696 | svchost.exe | 84

Drops file in Windows directory (1 IoC)
description | ioc | Process
File opened for modification | C:\Windows\mac.txt | cliconfg.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
3572 | rundll32.exe
3572 | rundll32.exe
3572 | rundll32.exe
3572 | rundll32.exe
3572 | rundll32.exe
3572 | rundll32.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3572 | rundll32.exe
Token: SeDebugPrivilege | 2696 | svchost.exe
Token: SeDebugPrivilege | 2520 | cliconfg.exe

Suspicious use of WriteProcessMemory (14 IoCs)
description | pid | Process | procid_target
PID 2348 wrote to memory of 3572 | 2348 | rundll32.exe | 83
PID 2348 wrote to memory of 3572 | 2348 | rundll32.exe | 83
PID 2348 wrote to memory of 3572 | 2348 | rundll32.exe | 83
PID 3572 wrote to memory of 2696 | 3572 | rundll32.exe | 46
PID 3572 wrote to memory of 2696 | 3572 | rundll32.exe | 46
PID 3572 wrote to memory of 2696 | 3572 | rundll32.exe | 46
PID 3572 wrote to memory of 2696 | 3572 | rundll32.exe | 46
PID 2696 wrote to memory of 2520 | 2696 | svchost.exe | 84
PID 2696 wrote to memory of 2520 | 2696 | svchost.exe | 84
PID 2696 wrote to memory of 2520 | 2696 | svchost.exe | 84
PID 2696 wrote to memory of 2520 | 2696 | svchost.exe | 84
PID 2696 wrote to memory of 2520 | 2696 | svchost.exe | 84
PID 2696 wrote to memory of 2520 | 2696 | svchost.exe | 84
PID 2696 wrote to memory of 2520 | 2696 | svchost.exe | 84
Processes

- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
  PID: 2696
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cliconfg.exe
    Command line: C:\Windows\SysWOW64\cliconfg.exe
    PID: 2520
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken

- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6ca39838e51cf76a703c851970780fad9dbc940079bbf902a18f20329447f23f.dll,#1
  PID: 2348
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6ca39838e51cf76a703c851970780fad9dbc940079bbf902a18f20329447f23f.dll,#1
    PID: 3572
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory