Analysis
max time kernel: 121s
max time network: 126s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 04/03/2024, 23:30
Behavioral task: behavioral1
Sample: a146b753ac67bd29bea524625bc84ee179a8e41f30128c384c3e812c5a1fb7e4.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: a146b753ac67bd29bea524625bc84ee179a8e41f30128c384c3e812c5a1fb7e4.exe
Resource: win10v2004-20240226-en
General
Target: a146b753ac67bd29bea524625bc84ee179a8e41f30128c384c3e812c5a1fb7e4.exe
Size: 178KB
MD5: 5149131598da41edc109bae5d2912563
SHA1: db21582afb41ab861eb7c40cc2320fdaecb346b3
SHA256: a146b753ac67bd29bea524625bc84ee179a8e41f30128c384c3e812c5a1fb7e4
SHA512: 8def3f506d0f20c035310be2847f13c9740e95fb094e1cd6e066ab3a001efce066dd993078ad924c8db46168806ee5a7ce8020005a8f0b9d6004490f075b9537
SSDEEP: 3072:+Yubs4vIPfIOKyCRfyJiJJMXybJg30TZZ+MbpqdNjfBDckH8sbigzwQj1O:Puk6fK6tixMbwNL+kDrI
Malware Config
Signatures

Detects executables packed with ASPack (5 IoCs)
resource | yara_rule
behavioral1/memory/2648-0-0x0000000000400000-0x000000000045E000-memory.dmp | INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2648-2-0x0000000000400000-0x000000000045E000-memory.dmp | INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2648-1-0x0000000000400000-0x000000000045E000-memory.dmp | INDICATOR_EXE_Packed_ASPack
behavioral1/files/0x002a000000015c3c-8.dat | INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2984-10-0x0000000000400000-0x000000000045E000-memory.dmp | INDICATOR_EXE_Packed_ASPack

Modifies AppInit DLL entries (2 TTPs)

resource | yara_rule
behavioral1/files/0x002a000000015c3c-8.dat | aspack_v212_v242

Executes dropped EXE (1 IoC)
pid | Process
2984 | tbckyxk.exe

Drops file in Program Files directory (2 IoCs)
description | ioc | Process
File created | C:\PROGRA~3\Mozilla\tbckyxk.exe | a146b753ac67bd29bea524625bc84ee179a8e41f30128c384c3e812c5a1fb7e4.exe
File created | C:\PROGRA~3\Mozilla\newtrln.dll | tbckyxk.exe

Suspicious use of UnmapMainImage (2 IoCs)
pid | Process
2648 | a146b753ac67bd29bea524625bc84ee179a8e41f30128c384c3e812c5a1fb7e4.exe
2984 | tbckyxk.exe

Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
PID 2992 wrote to memory of 2984 | 2992 | taskeng.exe | 29 (this entry is reported four times)
Processes

C:\Users\Admin\AppData\Local\Temp\a146b753ac67bd29bea524625bc84ee179a8e41f30128c384c3e812c5a1fb7e4.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\a146b753ac67bd29bea524625bc84ee179a8e41f30128c384c3e812c5a1fb7e4.exe"
  - Drops file in Program Files directory
  - Suspicious use of UnmapMainImage
  PID: 2648

C:\Windows\system32\taskeng.exe
  command line: taskeng.exe {6494064D-41D5-4A06-9565-9ECA20CCDD9F} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  PID: 2992

    C:\PROGRA~3\Mozilla\tbckyxk.exe (child of taskeng.exe)
      command line: C:\PROGRA~3\Mozilla\tbckyxk.exe -gqpcbye
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Suspicious use of UnmapMainImage
      PID: 2984
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 178KB
MD5: 34ac307216774702e454df3fa7b1fbce
SHA1: c6eaa00f20deffd11f2bfa15641b714becf0eaf4
SHA256: 9d04f9cd1f8d0ea52bbef222bf28d781221ac22f02b6f124d4861fee92064144
SHA512: f31593308e62a8608b94e9d31bcb6da1500c1ce4496ba9a8db3f4f44dc5331bd012d28e29cebdfc721787bd5eaaf6baf90556cee60945edb438949108c216f1f