Resubmissions
  240817-vrw6lazdqj   17/08/2024, 17:13   3
  240817-vrj62azdnp   17/08/2024, 17:13   3
  240817-vmkl1awglg   17/08/2024, 17:06   3

Analysis
  max time kernel:  15s
  max time network: 24s
  platform:         windows10-1703_x64
  resource:         win10-20240611-en
  resource tags:    arch:x64, arch:x86, image:win10-20240611-en, locale:en-us, os:windows10-1703-x64, system
  submitted:        17/08/2024, 17:06
Static task
  static1

Behavioral task
  behavioral1
  Sample:   kms_pico_fake_dll.dll
  Resource: win10-20240611-en

Behavioral task
  behavioral2
  Sample:   kms_pico_fake_dll.dll
  Resource: win11-20240802-en
General
  Target: kms_pico_fake_dll.dll
  Size:   2.4MB
  MD5:    2dd6d74189ce256e6bcb088d7a3ee29c
  SHA1:   47f3618d4f68a8cf1c9eda3b6b18e8b8e721ced3
  SHA256: fa337f53515da48c0134af74cf3b2d557c562b6ff4a8262bcb347cf4aecbfb4a
  SHA512: c232e6b3258ca7387b923ca781f84b65490b11570474ea3355083a13dcef0699d16ef370fd04b01befdf6aa39275f2b097f83bc9ac03c06bf8bf1a9fe70ced64
  SSDEEP: 49152:Dh39oIisk10LW6O+eTFtQkhBTK0oxjzTqNdj4lt+IIf+vjxV4Ye3X:DEf10LteTFikhBTK0kXTqjj4l3vHy3
Malware Config
Signatures

System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                           Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                        pid    Process        procid_target
  PID 4296 wrote to memory of 212    4296   rundll32.exe   70
  PID 4296 wrote to memory of 212    4296   rundll32.exe   70
  PID 4296 wrote to memory of 212    4296   rundll32.exe   70
Processes

1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\kms_pico_fake_dll.dll,#1
   PID: 4296
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\kms_pico_fake_dll.dll,#1
      PID: 212
      - System Location Discovery: System Language Discovery