Analysis

  • max time kernel
    144s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/01/2024, 10:00

General

  • Target

    48acc010b209323240e80238063b8164.exe

  • Size

    108KB

  • MD5

    48acc010b209323240e80238063b8164

  • SHA1

    db8c5fe801534cc103a5519a9389f82be4b028b7

  • SHA256

    eb065579378f04e903c23fe185d1f38fb0627fa34f7ae7f9d660b2f15cc2eed0

  • SHA512

    467b6f80f5e80f911c7ab2002968d6b2300d040d8801272d695b0fbf0d565d5010351235b801b5f0094cb44976995e9edbaf8a55569349c7330a94a7137e608f

  • SSDEEP

    1536:mjLaMv3xnCwNz0DxkJ0PpKtzz0imm6g5ckJUD1LZ38hqiDsIxI9He2q0T6ow4U6:meYBCwqDxkJKpqjoOklZ4DzI02DHwa

Score
8/10
upx

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • ACProtect 1.3x - 1.4x DLL software 2 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\48acc010b209323240e80238063b8164.exe
    "C:\Users\Admin\AppData\Local\Temp\48acc010b209323240e80238063b8164.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2872
    • C:\Users\Admin\AppData\Local\Temp\hostA\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\hostA\Setup.exe" 48acc010b209323240e80238063b8164 /s
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:4608
      • C:\Windows\SysWOW64\regsvr32.exe
        regsvr32 /s "C:\Windows\system32\winekx63.dll"
        3⤵
        • Loads dropped DLL
        PID:636
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 608
          4⤵
          • Program crash
          PID:4368
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32 "C:\Windows\system32\fnbekx63.dll",StartByHostEx
        3⤵
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        PID:4836
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 636 -ip 636
    1⤵
      PID:4664
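The process tree above is the most actionable part of the report: the submitted dropper in %TEMP% writes and runs hostA\Setup.exe with a /s (silent) switch, Setup.exe drops two DLLs into system32 and a .sys into the drivers directory, and the DLLs are then loaded through two living-off-the-land binaries, regsvr32 /s (which crashes, hence the WerFault -p 636 child) and rundll32 with the exported entry point StartByHostEx. The Python below is an added example, not tria.ge's own signature engine; it re-derives those signature labels from constructed process-create and file-write events shaped like this tree. The Event class, the events themselves, the parent PID 1000 for the root process and the driver's destination name under drivers\ (assumed to be a.sys, which the report does not state) are all assumptions introduced for illustration.

```python
import re
from dataclasses import dataclass

# Path patterns for the locations that matter in this tree
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
SYS32_RE = re.compile(r"^C:\\Windows\\(System32|SysWOW64)\\", re.IGNORECASE)
DRIVERS_RE = re.compile(r"^C:\\Windows\\System32\\drivers\\[^\\]+\.sys$", re.IGNORECASE)
DLL_ARG_RE = re.compile(r'([A-Za-z]:\\[^",]+\.dll)', re.IGNORECASE)   # first DLL path on a command line
WERFAULT_PID_RE = re.compile(r"-p\s+(\d+)")                           # crashed PID passed to WerFault
LOLBINS = {"rundll32.exe", "regsvr32.exe"}                            # DLL-loading proxies seen in the tree


@dataclass
class Event:
    kind: str          # "proc" (process create) or "file" (file write)
    pid: int
    ppid: int
    image: str         # full path of the acting process
    cmdline: str = ""
    target: str = ""   # for "file": path that was written


DROPPER = r"C:\Users\Admin\AppData\Local\Temp\48acc010b209323240e80238063b8164.exe"
SETUP = r"C:\Users\Admin\AppData\Local\Temp\hostA\Setup.exe"

# Constructed events mirroring the report's process tree (not real telemetry).
# The driver's destination name under drivers\ is an assumption; the report only
# records that a .sys was dropped there.
EVENTS = [
    Event("proc", 2872, 1000, DROPPER, f'"{DROPPER}"'),
    Event("file", 2872, 1000, DROPPER, target=SETUP),
    Event("proc", 4608, 2872, SETUP, f'"{SETUP}" 48acc010b209323240e80238063b8164 /s'),
    Event("file", 4608, 2872, SETUP, target=r"C:\Windows\system32\winekx63.dll"),
    Event("file", 4608, 2872, SETUP, target=r"C:\Windows\system32\fnbekx63.dll"),
    Event("file", 4608, 2872, SETUP, target=r"C:\Windows\System32\drivers\a.sys"),
    Event("proc", 636, 4608, r"C:\Windows\SysWOW64\regsvr32.exe",
          r'regsvr32 /s "C:\Windows\system32\winekx63.dll"'),
    Event("proc", 4368, 636, r"C:\Windows\SysWOW64\WerFault.exe",
          r"C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 608"),
    Event("proc", 4836, 4608, r"C:\Windows\SysWOW64\rundll32.exe",
          r'rundll32 "C:\Windows\system32\fnbekx63.dll",StartByHostEx'),
]


def triage(events):
    """Return (pid, signature, detail) tuples in event order."""
    findings = []
    dropped = {e.target.lower() for e in events if e.kind == "file"}   # everything written during the trace
    flagged = set()                                                    # PIDs already tied to dropped artefacts
    for e in events:
        base = e.image.rsplit("\\", 1)[-1].lower()
        if e.kind == "file":
            if DRIVERS_RE.search(e.target):
                findings.append((e.pid, "Drops file in Drivers directory", e.target))
            elif SYS32_RE.search(e.target):
                findings.append((e.pid, "Drops file in System32 directory", e.target))
            continue
        # A binary that was written during the trace and now runs from %TEMP%
        if TEMP_RE.search(e.image) and e.image.lower() in dropped:
            findings.append((e.pid, "Executes dropped EXE", e.image))
            flagged.add(e.pid)
        # regsvr32/rundll32 pointed at a DLL that was dropped during the trace
        if base in LOLBINS:
            m = DLL_ARG_RE.search(e.cmdline)
            if m and m.group(1).lower() in dropped:
                findings.append((e.pid, f"Loads dropped DLL via {base}", m.group(1)))
                flagged.add(e.pid)
        # WerFault attaching to a flagged process means the payload itself crashed
        if base == "werfault.exe":
            m = WERFAULT_PID_RE.search(e.cmdline)
            if m and int(m.group(1)) in flagged:
                findings.append((e.pid, "Program crash", f"crashed PID {m.group(1)}"))
    return findings


if __name__ == "__main__":
    for pid, sig, detail in triage(EVENTS):
        print(f"PID {pid:>5}  {sig:<40} {detail}")
```

The key design point is that the DLL-loading checks are keyed on "written earlier in the same trace", not on the loader binary alone: regsvr32 and rundll32 are legitimate on every Windows host, and the signal in this report is that their arguments are files Setup.exe had just created. The same holds for the WerFault event, which is only interesting because the PID it attaches to was already tied to a dropped DLL.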

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Local\Temp\hostA\A\a.sys

      Filesize

      12KB

      MD5

      f0ed35df7868e035ef4d24f4ed2275df

      SHA1

      0311ced9b0fc9d48cbca3c82a20e6a69ad634224

      SHA256

      c29aacebd737d8dc4a04ede748feb2015653e5be849df503116579be877c4a1f

      SHA512

      9996bcc542e42b44c77a0577710320330781499a82a75f1d2a485c12426e6662266f1cf350b899ed346509f3949e97734fdc0847703c41eeecc8c707200ccc2c

    • C:\Users\Admin\AppData\Local\Temp\hostA\A\staA.dll

      Filesize

      31KB

      MD5

      dc7a726988c0fd975c6289f4a10f7f4a

      SHA1

      6d1ac62e4cf452e750e8280e52a0289815a91fe0

      SHA256

      2590fbb815f0ff0ad462d97bc888ec444d3f96f33b8b9b03d3201d4c5d19117e

      SHA512

      282c052261341e0523a2424784b2fafa32250fce2b8bdc4a399bf52ddf3f3fe00a6f29b9098e8c3362cc073c7498a368ebf4b5c1725fbb195372c369afe7b7b3

    • C:\Users\Admin\AppData\Local\Temp\hostA\A\winA.dll

      Filesize

      32KB

      MD5

      4b9c0a72a21e2302499f9205691d4d97

      SHA1

      c832ead6f4e0e8850246072920ed05891d8adcfc

      SHA256

      7dea44ae86ac4217c78a6ce3a662dc74c26a5b7ed8dfcb381acb7f70629def40

      SHA512

      989ddca552974b919d892d3fb7b30ff252dac55e06a9f6dd173982537fb48ea581ba96f40d099f8f9149b294ff7444ba245f11deabf60ca2b65cf2199b049827

    • C:\Users\Admin\AppData\Local\Temp\hostA\Setup.exe

      Filesize

      44KB

      MD5

      662efb61c90b91e9bccc9b88c47b8514

      SHA1

      49bf37470ffe9ee5beb66a872212a533365d5b1b

      SHA256

      58bedb0c116624d77201fa0d6baf6211da9c7071ea239ce1e6040d1026f3005a

      SHA512

      4bf7e8634fcc8f153392d08704ce22f48720321d724a8efbd3c35be63d5c2842fca94163c1e156a03606c4ec6c801deaed5982ff7487b38c54b289a715511939

    • memory/636-15-0x0000000010000000-0x0000000010017000-memory.dmp

      Filesize

      92KB

    • memory/2872-20-0x0000000010000000-0x000000001001E000-memory.dmp

      Filesize

      120KB

    • memory/4836-18-0x0000000010000000-0x000000001001E000-memory.dmp

      Filesize

      120KB

    • memory/4836-22-0x0000000010000000-0x000000001001E000-memory.dmp

      Filesize

      120KB