Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
144s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
07/01/2024, 10:00
Static task
static1
Behavioral task
behavioral1
Sample
48acc010b209323240e80238063b8164.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
48acc010b209323240e80238063b8164.exe
Resource
win10v2004-20231215-en
General
-
Target
48acc010b209323240e80238063b8164.exe
-
Size
108KB
-
MD5
48acc010b209323240e80238063b8164
-
SHA1
db8c5fe801534cc103a5519a9389f82be4b028b7
-
SHA256
eb065579378f04e903c23fe185d1f38fb0627fa34f7ae7f9d660b2f15cc2eed0
-
SHA512
467b6f80f5e80f911c7ab2002968d6b2300d040d8801272d695b0fbf0d565d5010351235b801b5f0094cb44976995e9edbaf8a55569349c7330a94a7137e608f
-
SSDEEP
1536:mjLaMv3xnCwNz0DxkJ0PpKtzz0imm6g5ckJUD1LZ38hqiDsIxI9He2q0T6ow4U6:meYBCwqDxkJKpqjoOklZ4DzI02DHwa
Malware Config
Signatures
-
Drops file in Drivers directory 1 IoCs
description ioc Process File created C:\Windows\SysWOW64\drivers\fnbekx63.sys Setup.exe -
ACProtect 1.3x - 1.4x DLL software 2 IoCs
Detects file using ACProtect software.
resource yara_rule behavioral2/files/0x00060000000231f9-7.dat acprotect behavioral2/files/0x00060000000231f8-11.dat acprotect -
Executes dropped EXE 1 IoCs
pid Process 4608 Setup.exe -
Loads dropped DLL 3 IoCs
pid Process 636 regsvr32.exe 4836 rundll32.exe 2872 48acc010b209323240e80238063b8164.exe -
resource yara_rule behavioral2/files/0x00060000000231f9-7.dat upx behavioral2/files/0x00060000000231f8-11.dat upx behavioral2/memory/636-15-0x0000000010000000-0x0000000010017000-memory.dmp upx behavioral2/memory/4836-18-0x0000000010000000-0x000000001001E000-memory.dmp upx behavioral2/memory/2872-20-0x0000000010000000-0x000000001001E000-memory.dmp upx behavioral2/memory/4836-22-0x0000000010000000-0x000000001001E000-memory.dmp upx -
Drops file in System32 directory 3 IoCs
description ioc Process File created C:\Windows\SysWOW64\winekx63.dll Setup.exe File opened for modification C:\Windows\SysWOW64\winekx63.dll Setup.exe File created C:\Windows\SysWOW64\fnbekx63.dll Setup.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 4368 636 WerFault.exe 90 -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4836 rundll32.exe 4836 rundll32.exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 656 Process not Found -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 4836 rundll32.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4836 rundll32.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 2872 wrote to memory of 4608 2872 48acc010b209323240e80238063b8164.exe 87 PID 2872 wrote to memory of 4608 2872 48acc010b209323240e80238063b8164.exe 87 PID 2872 wrote to memory of 4608 2872 48acc010b209323240e80238063b8164.exe 87 PID 4608 wrote to memory of 636 4608 Setup.exe 90 PID 4608 wrote to memory of 636 4608 Setup.exe 90 PID 4608 wrote to memory of 636 4608 Setup.exe 90 PID 4608 wrote to memory of 4836 4608 Setup.exe 95 PID 4608 wrote to memory of 4836 4608 Setup.exe 95 PID 4608 wrote to memory of 4836 4608 Setup.exe 95
Processes
-
C:\Users\Admin\AppData\Local\Temp\48acc010b209323240e80238063b8164.exe"C:\Users\Admin\AppData\Local\Temp\48acc010b209323240e80238063b8164.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Users\Admin\AppData\Local\Temp\hostA\Setup.exe"C:\Users\Admin\AppData\Local\Temp\hostA\Setup.exe" 48acc010b209323240e80238063b8164 /s2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4608 -
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Windows\system32\winekx63.dll"3⤵
- Loads dropped DLL
PID:636 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 6084⤵
- Program crash
PID:4368
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32 "C:\Windows\system32\fnbekx63.dll",StartByHostEx3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4836
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 636 -ip 6361⤵PID:4664
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
12KB
MD5f0ed35df7868e035ef4d24f4ed2275df
SHA10311ced9b0fc9d48cbca3c82a20e6a69ad634224
SHA256c29aacebd737d8dc4a04ede748feb2015653e5be849df503116579be877c4a1f
SHA5129996bcc542e42b44c77a0577710320330781499a82a75f1d2a485c12426e6662266f1cf350b899ed346509f3949e97734fdc0847703c41eeecc8c707200ccc2c
-
Filesize
31KB
MD5dc7a726988c0fd975c6289f4a10f7f4a
SHA16d1ac62e4cf452e750e8280e52a0289815a91fe0
SHA2562590fbb815f0ff0ad462d97bc888ec444d3f96f33b8b9b03d3201d4c5d19117e
SHA512282c052261341e0523a2424784b2fafa32250fce2b8bdc4a399bf52ddf3f3fe00a6f29b9098e8c3362cc073c7498a368ebf4b5c1725fbb195372c369afe7b7b3
-
Filesize
32KB
MD54b9c0a72a21e2302499f9205691d4d97
SHA1c832ead6f4e0e8850246072920ed05891d8adcfc
SHA2567dea44ae86ac4217c78a6ce3a662dc74c26a5b7ed8dfcb381acb7f70629def40
SHA512989ddca552974b919d892d3fb7b30ff252dac55e06a9f6dd173982537fb48ea581ba96f40d099f8f9149b294ff7444ba245f11deabf60ca2b65cf2199b049827
-
Filesize
44KB
MD5662efb61c90b91e9bccc9b88c47b8514
SHA149bf37470ffe9ee5beb66a872212a533365d5b1b
SHA25658bedb0c116624d77201fa0d6baf6211da9c7071ea239ce1e6040d1026f3005a
SHA5124bf7e8634fcc8f153392d08704ce22f48720321d724a8efbd3c35be63d5c2842fca94163c1e156a03606c4ec6c801deaed5982ff7487b38c54b289a715511939