Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
92s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
03/01/2025, 18:35
Behavioral task
behavioral1
Sample
87ba434eb8453dd4abe002e1207287980e12abed2b4f87839456f5ebeca698f4N.dll
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
87ba434eb8453dd4abe002e1207287980e12abed2b4f87839456f5ebeca698f4N.dll
Resource
win10v2004-20241007-en
General
-
Target
87ba434eb8453dd4abe002e1207287980e12abed2b4f87839456f5ebeca698f4N.dll
-
Size
203KB
-
MD5
e21da323875e9c39f8f5a75914acc580
-
SHA1
48b373353abdc83662b3fff1f41319422ca4e46a
-
SHA256
87ba434eb8453dd4abe002e1207287980e12abed2b4f87839456f5ebeca698f4
-
SHA512
60d3fa76b209e43531328bb4b179a8a953435615f5cac1f476a3d5f42eb6d637a82c2e305ecda1db05c6ea9a5637f73100a7cc125caea561547fc8fe95bab8cf
-
SSDEEP
3072:aJ8IMILmCa3yx6oFEdgVXnF6C9Ugfxm32n7SpiMAfXB3:5kmCaiEoFEd+F3txm2SpiMgl
Malware Config
Signatures
-
Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
-
resource yara_rule behavioral2/memory/4804-0-0x0000000010000000-0x0000000010033000-memory.dmp upx behavioral2/memory/4804-1-0x0000000010000000-0x0000000010033000-memory.dmp upx -
Program crash 1 IoCs
pid pid_target Process procid_target 2752 4804 WerFault.exe 83 -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4804 rundll32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2124 wrote to memory of 4804 2124 rundll32.exe 83 PID 2124 wrote to memory of 4804 2124 rundll32.exe 83 PID 2124 wrote to memory of 4804 2124 rundll32.exe 83
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\87ba434eb8453dd4abe002e1207287980e12abed2b4f87839456f5ebeca698f4N.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2124 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\87ba434eb8453dd4abe002e1207287980e12abed2b4f87839456f5ebeca698f4N.dll,#12⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4804 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 6683⤵
- Program crash
PID:2752
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4804 -ip 48041⤵PID:4500