Analysis
max time kernel: 147s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/06/2024, 03:26
Behavioral task: behavioral1
Sample: d6290657a4041d1f0ee647eb42a90aa0cde1c9c81fa3bc51b73f72fa58dce462.dll
Resource: win7-20240611-en
Behavioral task: behavioral2
Sample: d6290657a4041d1f0ee647eb42a90aa0cde1c9c81fa3bc51b73f72fa58dce462.dll
Resource: win10v2004-20240508-en
General
Target: d6290657a4041d1f0ee647eb42a90aa0cde1c9c81fa3bc51b73f72fa58dce462.dll
Size: 154KB
MD5: 1c5909b8aa9e8dcf7c625a18879eaa9a
SHA1: 29cfd468ee12d9746aeb935b8a30e7ee609ae3e5
SHA256: d6290657a4041d1f0ee647eb42a90aa0cde1c9c81fa3bc51b73f72fa58dce462
SHA512: b94ebf34fb81fc37564513a5671c2a936d9f5d3293ce5a8d451b41d857fd1c27d1b2e3efdfc48c39e1b66af6b57789d5115e79eaa10b170cf54f69011ed3bd09
SSDEEP: 3072:GElIePztdwiyKaZP1Pgu6Pb7ZlSkBAU2J5mkAuPb14qla4o0aZu7vmEtazVjDo:JlR0iYV0fSiufmkAEh4qlaoa0zmE0zV3
Malware Config
Signatures
- Detects executables packed with VMProtect. 2 IoCs
  resource | yara_rule
  behavioral2/memory/448-0-0x0000000010000000-0x0000000010076000-memory.dmp | INDICATOR_EXE_Packed_VMProtect
  behavioral2/memory/448-2-0x0000000010000000-0x0000000010076000-memory.dmp | INDICATOR_EXE_Packed_VMProtect
  resource | yara_rule
  behavioral2/memory/448-0-0x0000000010000000-0x0000000010076000-memory.dmp | vmprotect
  behavioral2/memory/448-2-0x0000000010000000-0x0000000010076000-memory.dmp | vmprotect
- Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  pid | Process
  448 | rundll32.exe
- Suspicious use of WriteProcessMemory 3 IoCs
  description | pid | Process | procid_target
  PID 672 wrote to memory of 448 | 672 | rundll32.exe | 80
  PID 672 wrote to memory of 448 | 672 | rundll32.exe | 80
  PID 672 wrote to memory of 448 | 672 | rundll32.exe | 80
Processes
1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d6290657a4041d1f0ee647eb42a90aa0cde1c9c81fa3bc51b73f72fa58dce462.dll,#1
   - Suspicious use of WriteProcessMemory
   PID: 672
   2. C:\Windows\SysWOW64\rundll32.exe (child of PID 672)
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d6290657a4041d1f0ee647eb42a90aa0cde1c9c81fa3bc51b73f72fa58dce462.dll,#1
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      PID: 448