Analysis
max time kernel: 143s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/06/2024, 05:51
Behavioral task: behavioral1
Sample: fd27b6586c5d693148cdadcb356188fa5daeb795e99a2fce9325d02f638f8ccd.dll
Resource: win7-20240611-en

Behavioral task: behavioral2
Sample: fd27b6586c5d693148cdadcb356188fa5daeb795e99a2fce9325d02f638f8ccd.dll
Resource: win10v2004-20240226-en
General
Target: fd27b6586c5d693148cdadcb356188fa5daeb795e99a2fce9325d02f638f8ccd.dll
Size: 76KB
MD5: 5bfa6b90da893064f0deca4e653f2be0
SHA1: 2eec9b7149bac6a0b35ecb2bc0b29113f8bdd826
SHA256: fd27b6586c5d693148cdadcb356188fa5daeb795e99a2fce9325d02f638f8ccd
SHA512: dfc470ef48c98e3d0dfbcee6b338b462eb921b5858d135c2d3cdac1134cd783e3af0f7d1f75342f5c4c612c9c339d87a8090be759834f340f810efd8203eb520
SSDEEP: 1536:YjV8y93KQpFQmPLRk7G50zy/riF12jvRyo0hQk7ZfbdyziJ:c8y93KQjy7G55riF1cMo039TJ
Malware Config

Signatures

UPX dump on OEP (original entry point) - 3 IoCs
  resource                                                                    yara_rule
  behavioral2/memory/4960-0-0x0000000010000000-0x0000000010030000-memory.dmp  UPX
  behavioral2/memory/4960-1-0x0000000010000000-0x0000000010030000-memory.dmp  UPX
  behavioral2/memory/4960-2-0x0000000010000000-0x0000000010030000-memory.dmp  UPX

Event Triggered Execution: AppInit DLLs - 1 TTPs
  Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
  resource                                                                    yara_rule
  behavioral2/memory/4960-0-0x0000000010000000-0x0000000010030000-memory.dmp  upx
  behavioral2/memory/4960-1-0x0000000010000000-0x0000000010030000-memory.dmp  upx
  behavioral2/memory/4960-2-0x0000000010000000-0x0000000010030000-memory.dmp  upx

Suspicious behavior: EnumeratesProcesses - 2 IoCs
  pid   Process
  4960  rundll32.exe
  4960  rundll32.exe

Suspicious use of AdjustPrivilegeToken - 1 IoCs
  description              pid   Process
  Token: SeDebugPrivilege  4960  rundll32.exe

Suspicious use of WriteProcessMemory - 3 IoCs
  description                       pid   Process       procid_target
  PID 4416 wrote to memory of 4960  4416  rundll32.exe  91
  PID 4416 wrote to memory of 4960  4416  rundll32.exe  91
  PID 4416 wrote to memory of 4960  4416  rundll32.exe  91
Processes

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\fd27b6586c5d693148cdadcb356188fa5daeb795e99a2fce9325d02f638f8ccd.dll,#1
  PID: 4416
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe (child of PID 4416)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\fd27b6586c5d693148cdadcb356188fa5daeb795e99a2fce9325d02f638f8ccd.dll,#1
    PID: 4960
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3756 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
  PID: 3980