Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    93s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/02/2024, 14:16

General

  • Target

    a3feca9ceee93eacd57ac33485cadecc.exe

  • Size

    11KB

  • MD5

    a3feca9ceee93eacd57ac33485cadecc

  • SHA1

    8fb9c299de4517ab14165968b891bf117d43c754

  • SHA256

    1b8ed464167fe9119209e5184e9206a6783daffb96ced01208d253459016c476

  • SHA512

    c6e514b51a1f80012f316bc66e4eca2c10643655473022008f72b2d64ef3edcb5abb144e7b9e3c0c09ca4b178c28ba66ef624c11deceba0566ba210bbc799e35

  • SSDEEP

    192:oEQ8aOqy470DLJpcmKwV7yKLpZYTL19xiLJy0hGsW:QeMYDXuhszYX19INhVW

Score
8/10

Malware Config

Signatures

  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 10 IoCs
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs
  • Views/modifies file attributes 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a3feca9ceee93eacd57ac33485cadecc.exe
    "C:\Users\Admin\AppData\Local\Temp\a3feca9ceee93eacd57ac33485cadecc.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:4244
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\a3feca9ceee93eacd57ac33485cadecc.exe.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2588
      • C:\Windows\SysWOW64\attrib.exe
        attrib C:\Users\Admin\AppData\Local\Temp\a3feca9ceee93eacd57ac33485cadecc.exe.bat -r -a +s +h
        3⤵
        • Sets file to hidden
        • Views/modifies file attributes
        PID:2028
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:4820
      • C:\Windows\SysWOW64\findstr.exe
        findstr /i /b "a3feca9ceee93eacd57ac33485cadecc.exe"
        3⤵
          PID:1260
        • C:\Windows\SysWOW64\v4xqrsma.exe
          C:\Windows\system32\v4xqrsma.exe
          3⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Suspicious use of WriteProcessMemory
          PID:3464
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\v4xqrsma.exe.bat
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1572
            • C:\Windows\SysWOW64\attrib.exe
              attrib C:\Windows\SysWOW64\v4xqrsma.exe.bat -r -a +s +h
              5⤵
              • Sets file to hidden
              • Drops file in System32 directory
              • Views/modifies file attributes
              PID:4200
            • C:\Windows\SysWOW64\findstr.exe
              findstr /i /b "v4xqrsma.exe"
              5⤵
                PID:3532
              • C:\Windows\SysWOW64\tasklist.exe
                tasklist
                5⤵
                • Enumerates processes with tasklist
                • Suspicious use of AdjustPrivilegeToken
                PID:2900
              • C:\Windows\SysWOW64\v4xqrsma.exe
                C:\Windows\system32\v4xqrsma.exe
                5⤵
                • Executes dropped EXE
                • Drops file in System32 directory
                • Suspicious use of WriteProcessMemory
                PID:5012
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\v4xqrsma.exe.bat
                  6⤵
                    PID:2928
                • C:\Windows\SysWOW64\attrib.exe
                  attrib C:\Windows\SysWOW64\v4xqrsma.exe.bat -r -a -s -h
                  5⤵
                  • Drops file in System32 directory
                  • Views/modifies file attributes
                  PID:2612
            • C:\Windows\SysWOW64\attrib.exe
              attrib C:\Users\Admin\AppData\Local\Temp\a3feca9ceee93eacd57ac33485cadecc.exe.bat -r -a -s -h
              3⤵
              • Views/modifies file attributes
              PID:4852

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\a3feca9ceee93eacd57ac33485cadecc.exe.bat

          Filesize

          286B

          MD5

          aaa8689f21e0cb13f4ce7330b554cf19

          SHA1

          3606374bfdb52b62ec9c83e0c201e31a2caab793

          SHA256

          b0ff782a07dc3e7fe1047941e3364cbae2fc20a724618b7bb7aa74d61cefc186

          SHA512

          7078d7ededce638102ce7ed5b381dace8c9c3b9bfd8f93cacfde2ecf40b222b98a89ba7cf4e3dd63704ed04ebc7e66eddf2e44b51549a0e43db8a31fe6f1209f

        • C:\Windows\SysWOW64\v4xqrsma.exe

          Filesize

          11KB

          MD5

          a3feca9ceee93eacd57ac33485cadecc

          SHA1

          8fb9c299de4517ab14165968b891bf117d43c754

          SHA256

          1b8ed464167fe9119209e5184e9206a6783daffb96ced01208d253459016c476

          SHA512

          c6e514b51a1f80012f316bc66e4eca2c10643655473022008f72b2d64ef3edcb5abb144e7b9e3c0c09ca4b178c28ba66ef624c11deceba0566ba210bbc799e35

        • C:\Windows\SysWOW64\v4xqrsma.exe.bat

          Filesize

          238B

          MD5

          cbc305398dd7f272c7b788e0ce899599

          SHA1

          dc249bf238f78e528ee63634ddcfc0b7203603ba

          SHA256

          33537c3bf02f657a1bd8a21e43c463250468358e04948330d1ce16e1d26b0450

          SHA512

          80707b7ad486b855297f2991f67951d118f053536f81eec2e3d87d36c0185293923edb1be444346b42539424c32f046d6853f85abb2290d602755ea0abed663c

        • C:\Windows\SysWOW64\v4xqrsma.exe.bat

          Filesize

          238B

          MD5

          5948d980502a3813f9c4c442f14d6c50

          SHA1

          c6e7d93aec032f494891217a4fdd741dd50d1bf9

          SHA256

          19291484d9dfd1cd0bdd385a58f80fcad3af0ff36468d171f3cc43cb68fd275c

          SHA512

          e422f4dd80e72a2a7b0e3e9e7c18e0f5b4de8d516610dff563dfe2a29bf1737866d1a2f176cf57038f191aad0f78683d362b9e128e3f73e56d598ddaefd68965

        • memory/3464-16-0x0000000000400000-0x000000000040ECCF-memory.dmp

          Filesize

          59KB

        • memory/4244-0-0x0000000000400000-0x000000000040ECCF-memory.dmp

          Filesize

          59KB

        • memory/4244-1-0x0000000000400000-0x000000000040ECCF-memory.dmp

          Filesize

          59KB

        • memory/4244-7-0x0000000000400000-0x000000000040ECCF-memory.dmp

          Filesize

          59KB

        • memory/5012-24-0x0000000000400000-0x000000000040ECCF-memory.dmp

          Filesize

          59KB