Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    299s
  • max time network
    295s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/05/2024, 13:37

General

  • Target

    6ca39838e51cf76a703c851970780fad9dbc940079bbf902a18f20329447f23f.dll

  • Size

    1.0MB

  • MD5

    73ed3c0f370c86c091aa0db781287c77

  • SHA1

    ebee720921ef5cb33e25c3321b0ff16aea32cd92

  • SHA256

    6ca39838e51cf76a703c851970780fad9dbc940079bbf902a18f20329447f23f

  • SHA512

    7a3957287ee80db1ab103671dd7ed2bf23aebf30df07d68921e5af062d6e18e66a32aa681c1da3cfd373d48e430d9d8e6221f31ece4e785677f0dc8e5116acff

  • SSDEEP

    24576:EKFZnpqCuPZCKj3/w6BFb41oLF1LCrf2DitbRoXyaH:5rnQCKgKjBB941oLCrf2it6Xyc

Score
7/10

Malware Config

Signatures

  • VMProtect packed file 9 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2696
    • C:\Windows\SysWOW64\cliconfg.exe
      C:\Windows\SysWOW64\cliconfg.exe
      2⤵
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:2520
  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\6ca39838e51cf76a703c851970780fad9dbc940079bbf902a18f20329447f23f.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2348
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\6ca39838e51cf76a703c851970780fad9dbc940079bbf902a18f20329447f23f.dll,#1
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3572

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2520-25-0x0000000010000000-0x00000000102D9000-memory.dmp

    Filesize

    2.8MB

  • memory/2520-10-0x0000000000410000-0x00000000004E0000-memory.dmp

    Filesize

    832KB

  • memory/2520-13-0x0000000010000000-0x00000000102D9000-memory.dmp

    Filesize

    2.8MB

  • memory/2520-20-0x0000000010000000-0x00000000102D9000-memory.dmp

    Filesize

    2.8MB

  • memory/2520-24-0x0000000010000000-0x00000000102D9000-memory.dmp

    Filesize

    2.8MB

  • memory/2520-26-0x0000000010000000-0x00000000102D9000-memory.dmp

    Filesize

    2.8MB

  • memory/2520-28-0x0000000010000000-0x00000000102D9000-memory.dmp

    Filesize

    2.8MB

  • memory/2520-27-0x0000000010000000-0x00000000102D9000-memory.dmp

    Filesize

    2.8MB

  • memory/2520-29-0x0000000010000000-0x00000000102D9000-memory.dmp

    Filesize

    2.8MB

  • memory/2520-30-0x0000000010000000-0x00000000102D9000-memory.dmp

    Filesize

    2.8MB

  • memory/2696-2-0x0000000180000000-0x00000001800F4000-memory.dmp

    Filesize

    976KB

  • memory/2696-8-0x0000000180000000-0x00000001800F4000-memory.dmp

    Filesize

    976KB

  • memory/2696-0-0x0000000032DF0000-0x0000000032EF6000-memory.dmp

    Filesize

    1.0MB