Analysis
max time kernel: 120s
max time network: 125s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 29/06/2024, 03:26
Behavioral task: behavioral1
Sample: d6290657a4041d1f0ee647eb42a90aa0cde1c9c81fa3bc51b73f72fa58dce462.dll
Resource: win7-20240611-en

Behavioral task: behavioral2
Sample: d6290657a4041d1f0ee647eb42a90aa0cde1c9c81fa3bc51b73f72fa58dce462.dll
Resource: win10v2004-20240508-en
General
Target: d6290657a4041d1f0ee647eb42a90aa0cde1c9c81fa3bc51b73f72fa58dce462.dll
Size: 154KB
MD5: 1c5909b8aa9e8dcf7c625a18879eaa9a
SHA1: 29cfd468ee12d9746aeb935b8a30e7ee609ae3e5
SHA256: d6290657a4041d1f0ee647eb42a90aa0cde1c9c81fa3bc51b73f72fa58dce462
SHA512: b94ebf34fb81fc37564513a5671c2a936d9f5d3293ce5a8d451b41d857fd1c27d1b2e3efdfc48c39e1b66af6b57789d5115e79eaa10b170cf54f69011ed3bd09
SSDEEP: 3072:GElIePztdwiyKaZP1Pgu6Pb7ZlSkBAU2J5mkAuPb14qla4o0aZu7vmEtazVjDo:JlR0iYV0fSiufmkAEh4qlaoa0zmE0zV3
Malware Config
(none extracted)

Signatures

Detects executables packed with VMProtect (2 IoCs)
resource                                                                 | yara_rule
behavioral1/memory/2416-1-0x0000000010000000-0x0000000010076000-memory.dmp | INDICATOR_EXE_Packed_VMProtect
behavioral1/memory/2416-3-0x0000000010000000-0x0000000010076000-memory.dmp | INDICATOR_EXE_Packed_VMProtect

resource                                                                 | yara_rule
behavioral1/memory/2416-1-0x0000000010000000-0x0000000010076000-memory.dmp | vmprotect
behavioral1/memory/2416-3-0x0000000010000000-0x0000000010076000-memory.dmp | vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
pid  | Process
2416 | rundll32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
description                        | pid  | Process      | procid_target
PID 1252 wrote to memory of 2416   | 1252 | rundll32.exe | 28
PID 1252 wrote to memory of 2416   | 1252 | rundll32.exe | 28
PID 1252 wrote to memory of 2416   | 1252 | rundll32.exe | 28
PID 1252 wrote to memory of 2416   | 1252 | rundll32.exe | 28
PID 1252 wrote to memory of 2416   | 1252 | rundll32.exe | 28
PID 1252 wrote to memory of 2416   | 1252 | rundll32.exe | 28
PID 1252 wrote to memory of 2416   | 1252 | rundll32.exe | 28
Processes

C:\Windows\system32\rundll32.exe (depth 1)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d6290657a4041d1f0ee647eb42a90aa0cde1c9c81fa3bc51b73f72fa58dce462.dll,#1
  PID: 1252
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe (depth 2, child of PID 1252)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d6290657a4041d1f0ee647eb42a90aa0cde1c9c81fa3bc51b73f72fa58dce462.dll,#1
    PID: 2416
    - Suspicious use of NtSetInformationThreadHideFromDebugger