Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

7

a3feca9cee...cc.exe

windows7-x64

8

a3feca9cee...cc.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    25/02/2024, 14:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a3feca9ceee93eacd57ac33485cadecc.exe

  • Size

    11KB

  • MD5

    a3feca9ceee93eacd57ac33485cadecc

  • SHA1

    8fb9c299de4517ab14165968b891bf117d43c754

  • SHA256

    1b8ed464167fe9119209e5184e9206a6783daffb96ced01208d253459016c476

  • SHA512

    c6e514b51a1f80012f316bc66e4eca2c10643655473022008f72b2d64ef3edcb5abb144e7b9e3c0c09ca4b178c28ba66ef624c11deceba0566ba210bbc799e35

  • SSDEEP

    192:oEQ8aOqy470DLJpcmKwV7yKLpZYTL19xiLJy0hGsW:QeMYDXuhszYX19INhVW

Score
8/10
aspackv2evasion

Malware Config

Signatures

  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 7 IoCs
  • Drops file in System32 directory 9 IoCs
  • Program crash 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs
  • Views/modifies file attributes 1 TTPs 4 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\a3feca9ceee93eacd57ac33485cadecc.exe
    "C:\Users\Admin\AppData\Local\Temp\a3feca9ceee93eacd57ac33485cadecc.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:2080
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\a3feca9ceee93eacd57ac33485cadecc.exe.bat
      2⤵
      • Deletes itself
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2736
      • C:\Windows\SysWOW64\attrib.exe
        attrib C:\Users\Admin\AppData\Local\Temp\a3feca9ceee93eacd57ac33485cadecc.exe.bat -r -a +s +h
        3⤵
        • Sets file to hidden
        • Views/modifies file attributes
        PID:3000
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:2588
      • C:\Windows\SysWOW64\findstr.exe
        findstr /i /b "a3feca9ceee93eacd57ac33485cadecc.exe"
        3⤵
          PID:2576
        • C:\Windows\SysWOW64\v4xqrsma.exe
          C:\Windows\system32\v4xqrsma.exe
          3⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Suspicious use of WriteProcessMemory
          PID:2720
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c C:\Windows\SysWOW64\v4xqrsma.exe.bat
            4⤵
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2764
            • C:\Windows\SysWOW64\attrib.exe
              attrib C:\Windows\SysWOW64\v4xqrsma.exe.bat -r -a +s +h
              5⤵
              • Sets file to hidden
              • Drops file in System32 directory
              • Views/modifies file attributes
              PID:2616
            • C:\Windows\SysWOW64\tasklist.exe
              tasklist
              5⤵
              • Enumerates processes with tasklist
              • Suspicious use of AdjustPrivilegeToken
              PID:2560
            • C:\Windows\SysWOW64\findstr.exe
              findstr /i /b "v4xqrsma.exe"
              5⤵
                PID:2248
              • C:\Windows\SysWOW64\v4xqrsma.exe
                C:\Windows\system32\v4xqrsma.exe
                5⤵
                • Executes dropped EXE
                • Drops file in System32 directory
                • Suspicious use of WriteProcessMemory
                PID:2468
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 168
                  6⤵
                  • Loads dropped DLL
                  • Program crash
                  PID:2344
              • C:\Windows\SysWOW64\attrib.exe
                attrib C:\Windows\SysWOW64\v4xqrsma.exe.bat -r -a -s -h
                5⤵
                • Drops file in System32 directory
                • Views/modifies file attributes
                PID:2524
          • C:\Windows\SysWOW64\attrib.exe
            attrib C:\Users\Admin\AppData\Local\Temp\a3feca9ceee93eacd57ac33485cadecc.exe.bat -r -a -s -h
            3⤵
            • Views/modifies file attributes
            PID:1400

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\a3feca9ceee93eacd57ac33485cadecc.exe.bat
        Filesize

        286B

        MD5

        aaa8689f21e0cb13f4ce7330b554cf19

        SHA1

        3606374bfdb52b62ec9c83e0c201e31a2caab793

        SHA256

        b0ff782a07dc3e7fe1047941e3364cbae2fc20a724618b7bb7aa74d61cefc186

        SHA512

        7078d7ededce638102ce7ed5b381dace8c9c3b9bfd8f93cacfde2ecf40b222b98a89ba7cf4e3dd63704ed04ebc7e66eddf2e44b51549a0e43db8a31fe6f1209f

        Download Submit

      • C:\Windows\SysWOW64\v4xqrsma.exe.bat
        Filesize

        238B

        MD5

        cbc305398dd7f272c7b788e0ce899599

        SHA1

        dc249bf238f78e528ee63634ddcfc0b7203603ba

        SHA256

        33537c3bf02f657a1bd8a21e43c463250468358e04948330d1ce16e1d26b0450

        SHA512

        80707b7ad486b855297f2991f67951d118f053536f81eec2e3d87d36c0185293923edb1be444346b42539424c32f046d6853f85abb2290d602755ea0abed663c

        Download Submit

      • \Windows\SysWOW64\v4xqrsma.exe
        Filesize

        11KB

        MD5

        a3feca9ceee93eacd57ac33485cadecc

        SHA1

        8fb9c299de4517ab14165968b891bf117d43c754

        SHA256

        1b8ed464167fe9119209e5184e9206a6783daffb96ced01208d253459016c476

        SHA512

        c6e514b51a1f80012f316bc66e4eca2c10643655473022008f72b2d64ef3edcb5abb144e7b9e3c0c09ca4b178c28ba66ef624c11deceba0566ba210bbc799e35

        Download Submit

      • memory/2080-0-0x0000000000400000-0x000000000040ECCF-memory.dmp

        Filesize

        59KB

        Download

      • memory/2080-1-0x0000000000400000-0x000000000040ECCF-memory.dmp

        Filesize

        59KB

        Download

      • memory/2080-12-0x0000000000400000-0x000000000040ECCF-memory.dmp

        Filesize

        59KB

        Download

      • memory/2468-35-0x0000000000400000-0x000000000040ECCF-memory.dmp

        Filesize

        59KB

        Download

      • memory/2720-19-0x0000000000400000-0x000000000040ECCF-memory.dmp

        Filesize

        59KB

        Download

      • memory/2720-29-0x0000000000400000-0x000000000040ECCF-memory.dmp

        Filesize

        59KB

        Download

      • memory/2720-39-0x0000000000400000-0x000000000040ECCF-memory.dmp

        Filesize

        59KB

        Download

      • memory/2736-18-0x00000000000C0000-0x00000000000CF000-memory.dmp

        Filesize

        60KB

        Download

      • memory/2764-34-0x0000000000130000-0x000000000013F000-memory.dmp

        Filesize

        60KB

        Download