Analysis
Max time kernel: 96s
Max time network: 102s
Platform: windows10-2004_x64
Resource: win10v2004-20240802-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 08/09/2024, 17:07
Behavioral task: behavioral1
Sample: 4646dae63c1736a30132816e39bd05ef65dbe2bc48578bdd383968d1c23ca080.dll
Resource: win7-20240903-en
General
Target: 4646dae63c1736a30132816e39bd05ef65dbe2bc48578bdd383968d1c23ca080.dll
Size: 319KB
MD5: 7816aee85a8d900b25aee2c809868174
SHA1: d80c2897f379160588f3849bafd84fbc9ee62c69
SHA256: 4646dae63c1736a30132816e39bd05ef65dbe2bc48578bdd383968d1c23ca080
SHA512: bc359505eec8385796f754d549d0d164c1f97bbd9f294242210d0b29ebd71164790f86d8225e62cb7034e9bf3ff7a07c4790aba2a76ab0b9c39b0aad45ed45b2
SSDEEP: 6144:jo13uzsJijdkhMjjGvMPBITgp5+2gJPl3MKB4y72/0qCGoS:jodu4ejjGMIT920PBMKB4y7TGoS
Malware Config
Signatures

YARA rule matches
  resource: behavioral2/memory/2484-0-0x0000000010000000-0x0000000010111000-memory.dmp, yara_rule: upx
  resource: behavioral2/memory/2484-1-0x0000000010000000-0x0000000010111000-memory.dmp, yara_rule: upx

Program crash (1 IoCs)
  pid: 4268, pid_target: 2484, Process: WerFault.exe, procid_target: 83

System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process: rundll32.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
  pid: 2484, Process: rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 2816 wrote to memory of 2484, pid: 2816, Process: rundll32.exe, procid_target: 83
  description: PID 2816 wrote to memory of 2484, pid: 2816, Process: rundll32.exe, procid_target: 83
  description: PID 2816 wrote to memory of 2484, pid: 2816, Process: rundll32.exe, procid_target: 83
Processes

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4646dae63c1736a30132816e39bd05ef65dbe2bc48578bdd383968d1c23ca080.dll,#1
  PID: 2816
  Signatures: Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4646dae63c1736a30132816e39bd05ef65dbe2bc48578bdd383968d1c23ca080.dll,#1
      PID: 2484
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2484 -s 692
          PID: 4268
          Signatures: Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2484 -ip 2484
  PID: 1480