Analysis
- max time kernel: 93s
- max time network: 126s
- platform: windows10-2004_x64
- resource: win10v2004-20240221-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/02/2024, 14:16
Behavioral task: behavioral1
- Sample: a3feca9ceee93eacd57ac33485cadecc.exe
- Resource: win7-20240221-en
General
- Target: a3feca9ceee93eacd57ac33485cadecc.exe
- Size: 11KB
- MD5: a3feca9ceee93eacd57ac33485cadecc
- SHA1: 8fb9c299de4517ab14165968b891bf117d43c754
- SHA256: 1b8ed464167fe9119209e5184e9206a6783daffb96ced01208d253459016c476
- SHA512: c6e514b51a1f80012f316bc66e4eca2c10643655473022008f72b2d64ef3edcb5abb144e7b9e3c0c09ca4b178c28ba66ef624c11deceba0566ba210bbc799e35
- SSDEEP: 192:oEQ8aOqy470DLJpcmKwV7yKLpZYTL19xiLJy0hGsW:QeMYDXuhszYX19INhVW
Malware Config
Signatures
- Sets file to hidden (1 TTPs, 2 IoCs)
  Modifies file attributes to stop it showing in Explorer etc.
  pid | Process:
  2028 | attrib.exe
  4200 | attrib.exe
- resource | yara_rule:
  behavioral2/files/0x000300000001e96f-10.dat | aspack_v212_v242
- Executes dropped EXE (2 IoCs)
  pid | Process:
  3464 | v4xqrsma.exe
  5012 | v4xqrsma.exe
- Drops file in System32 directory (10 IoCs)
  description | ioc | Process:
  File created | C:\Windows\SysWOW64\v4xqrsma.exe | a3feca9ceee93eacd57ac33485cadecc.exe
  File opened for modification | C:\Windows\SysWOW64\v4xqrsma.exe.bat | v4xqrsma.exe
  File opened for modification | C:\Windows\SysWOW64\v4xqrsma.exe.bat | attrib.exe
  File opened for modification | C:\Windows\SysWOW64\v4xqrsma.exe | a3feca9ceee93eacd57ac33485cadecc.exe
  File created | C:\Windows\SysWOW64\v4xqrsma.exe | v4xqrsma.exe
  File created | C:\Windows\SysWOW64\v4xqrsma.exe.bat | v4xqrsma.exe
  File opened for modification | C:\Windows\SysWOW64\v4xqrsma.exe.bat | v4xqrsma.exe
  File opened for modification | C:\Windows\SysWOW64\v4xqrsma.exe.bat | attrib.exe
  File created | C:\Windows\SysWOW64\yox52v2z.exe | v4xqrsma.exe
  File opened for modification | C:\Windows\SysWOW64\yox52v2z.exe | v4xqrsma.exe
- Enumerates processes with tasklist (1 TTPs, 2 IoCs)
  pid | Process:
  4820 | tasklist.exe
  2900 | tasklist.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process:
  Token: SeDebugPrivilege | 4820 | tasklist.exe
  Token: SeDebugPrivilege | 2900 | tasklist.exe
- Suspicious use of WriteProcessMemory (39 IoCs; each of the 13 parent/child pairs below is reported three times)
  pid | Process | wrote to memory of | procid_target:
  4244 | a3feca9ceee93eacd57ac33485cadecc.exe | 2588 | 88
  2588 | cmd.exe | 2028 | 90
  2588 | cmd.exe | 4820 | 91
  2588 | cmd.exe | 1260 | 92
  2588 | cmd.exe | 3464 | 95
  2588 | cmd.exe | 4852 | 96
  3464 | v4xqrsma.exe | 1572 | 97
  1572 | cmd.exe | 4200 | 99
  1572 | cmd.exe | 2900 | 102
  1572 | cmd.exe | 3532 | 101
  1572 | cmd.exe | 5012 | 104
  1572 | cmd.exe | 2612 | 105
  5012 | v4xqrsma.exe | 2928 | 106
- Views/modifies file attributes (1 TTPs, 4 IoCs)
  pid | Process:
  4852 | attrib.exe
  4200 | attrib.exe
  2612 | attrib.exe
  2028 | attrib.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\a3feca9ceee93eacd57ac33485cadecc.exe (PID 4244)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a3feca9ceee93eacd57ac33485cadecc.exe"
  Signatures: Drops file in System32 directory; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 2588)
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\a3feca9ceee93eacd57ac33485cadecc.exe.bat
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe (PID 2028)
      Command line: attrib C:\Users\Admin\AppData\Local\Temp\a3feca9ceee93eacd57ac33485cadecc.exe.bat -r -a +s +h
      Signatures: Sets file to hidden; Views/modifies file attributes
    - C:\Windows\SysWOW64\tasklist.exe (PID 4820)
      Command line: tasklist
      Signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\findstr.exe (PID 1260)
      Command line: findstr /i /b "a3feca9ceee93eacd57ac33485cadecc.exe"
    - C:\Windows\SysWOW64\v4xqrsma.exe (PID 3464)
      Command line: C:\Windows\system32\v4xqrsma.exe
      Signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe (PID 1572)
        Command line: C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\v4xqrsma.exe.bat
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\attrib.exe (PID 4200)
          Command line: attrib C:\Windows\SysWOW64\v4xqrsma.exe.bat -r -a +s +h
          Signatures: Sets file to hidden; Drops file in System32 directory; Views/modifies file attributes
        - C:\Windows\SysWOW64\findstr.exe (PID 3532)
          Command line: findstr /i /b "v4xqrsma.exe"
        - C:\Windows\SysWOW64\tasklist.exe (PID 2900)
          Command line: tasklist
          Signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
        - C:\Windows\SysWOW64\v4xqrsma.exe (PID 5012)
          Command line: C:\Windows\system32\v4xqrsma.exe
          Signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\cmd.exe (PID 2928)
            Command line: C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\v4xqrsma.exe.bat
        - C:\Windows\SysWOW64\attrib.exe (PID 2612)
          Command line: attrib C:\Windows\SysWOW64\v4xqrsma.exe.bat -r -a -s -h
          Signatures: Drops file in System32 directory; Views/modifies file attributes
    - C:\Windows\SysWOW64\attrib.exe (PID 4852)
      Command line: attrib C:\Users\Admin\AppData\Local\Temp\a3feca9ceee93eacd57ac33485cadecc.exe.bat -r -a -s -h
      Signatures: Views/modifies file attributes
Network
MITRE ATT&CK Enterprise v15