Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 117s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 07/03/2024, 17:21
Behavioral tasks
- behavioral1: sample 077c87a5c026f03db25d6c3da7cf2ef2ea328132055e06cfd0eb70ad56ee3bbb.exe, resource win7-20240221-en
- behavioral2: sample 077c87a5c026f03db25d6c3da7cf2ef2ea328132055e06cfd0eb70ad56ee3bbb.exe, resource win10v2004-20240226-en

Only behavioral1 (the Windows 7 run) contributes to the signatures and process tree below; no behavioral2 results appear on this page.
General
- Target: 077c87a5c026f03db25d6c3da7cf2ef2ea328132055e06cfd0eb70ad56ee3bbb.exe
- Size: 137KB
- MD5: 4525e64f5328bdb452c0729e30fa7b6b
- SHA1: 236d4266fe130988f9a9bb96b4f3e505926d1399
- SHA256: 077c87a5c026f03db25d6c3da7cf2ef2ea328132055e06cfd0eb70ad56ee3bbb
- SHA512: e620047b039c15a5381f331bf349acd27cc9cb7fa2206e6662a80cdada8306ec6c36fe07ee1d163a582c2660e1c09144d5becfdf6657232103aaf5890a853701
- SSDEEP: 3072:AE9ByF5wP7Ht99mbaa+vKAzWvSVJSwpi6Ds2:7907wTr9mea+i6WKQu
Malware Config
Signatures
- Detects executables packed with ASPack (5 IoCs), yara_rule INDICATOR_EXE_Packed_ASPack matched:
  - behavioral1/memory/1664-0-0x0000000000400000-0x000000000045E000-memory.dmp
  - behavioral1/memory/1664-1-0x0000000000400000-0x000000000045E000-memory.dmp
  - behavioral1/memory/1664-2-0x0000000000400000-0x000000000045E000-memory.dmp
  - behavioral1/files/0x0020000000014fe1-8.dat
  - behavioral1/memory/2916-10-0x0000000000400000-0x000000000045E000-memory.dmp
- Modifies AppInit DLL entries (2 TTPs; the report lists no IoC rows for this signature)
- yara_rule aspack_v212_v242 matched: behavioral1/files/0x0020000000014fe1-8.dat
- Executes dropped EXE (1 IoC): PID 2916, tbckyxk.exe
- Drops file in Program Files directory (2 IoCs):
  - C:\PROGRA~3\Mozilla\tbckyxk.exe created by 077c87a5c026f03db25d6c3da7cf2ef2ea328132055e06cfd0eb70ad56ee3bbb.exe
  - C:\PROGRA~3\Mozilla\newtrln.dll created by tbckyxk.exe
- Suspicious use of UnmapMainImage (2 IoCs): PID 1664 (the submitted sample), PID 2916 (tbckyxk.exe)
- Suspicious use of WriteProcessMemory (4 IoCs): PID 2532 (taskeng.exe) wrote to memory of PID 2916 (procid_target 29), recorded four times

Reading the signatures together: the ASPack rules fire on the mapped image of the submitted sample (PID 1664, 0x400000-0x45E000), on a file written during the run, and on the mapped image of the dropped tbckyxk.exe (PID 2916), so the dropped copy is packed as well. The WriteProcessMemory hits are taskeng.exe writing into the child it has just created; that pattern is routinely recorded for ordinary process start-up in these reports and is weak evidence of injection on its own. The AppInit DLL modification is the persistence-relevant event, but the report shows no registry IoC rows for it; the only DLL it shows being written is C:\PROGRA~3\Mozilla\newtrln.dll.
Processes
- C:\Users\Admin\AppData\Local\Temp\077c87a5c026f03db25d6c3da7cf2ef2ea328132055e06cfd0eb70ad56ee3bbb.exe (PID 1664), depth 1
  command line: "C:\Users\Admin\AppData\Local\Temp\077c87a5c026f03db25d6c3da7cf2ef2ea328132055e06cfd0eb70ad56ee3bbb.exe"
  - Drops file in Program Files directory
  - Suspicious use of UnmapMainImage
- C:\Windows\system32\taskeng.exe (PID 2532), depth 1
  command line: taskeng.exe {715C2B8C-FAF5-4E97-BAB7-D07B04A4C709} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  - C:\PROGRA~3\Mozilla\tbckyxk.exe (PID 2916), depth 2, child of taskeng.exe
    command line: C:\PROGRA~3\Mozilla\tbckyxk.exe -gqpcbye
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of UnmapMainImage

The tree shows the submitted sample dropping tbckyxk.exe with no child process of its own; the dropped copy is started by taskeng.exe, the Windows 7 task engine, whose command line carries the SYSTEM SID (S-1-5-18), i.e. a scheduled task running as NT AUTHORITY\System. The task registration itself is not among the IoCs shown. C:\PROGRA~3 is the 8.3 short name that normally resolves to C:\ProgramData, not a Program Files directory despite the signature name, which matters when writing the path into a detection rule.
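Detection logic for the chain the process tree shows (a PE dropped under ProgramData, started by the task engine, followed by an AppInit_DLLs write), as an added example that is not part of the tria.ge report. It runs over constructed Sysmon-style events modelled on the report's IoCs; the AppInit value contents, the benign log-file event, the explorer.exe parent, and C:\PROGRA~3 being the 8.3 alias of C:\ProgramData are assumptions made for the example.

```python
import ntpath
import re
from dataclasses import dataclass

# Constructed Sysmon-style events modelled on the report's process tree and file
# IoCs (ids: 1 = ProcessCreate, 11 = FileCreate, 13 = RegistryValueSet). The
# AppInit value written, the explorer.exe parent and the benign log-file event
# are assumptions; the report does not show them.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\077c87a5c026f03db25d6c3da7cf2ef2ea328132055e06cfd0eb70ad56ee3bbb.exe"
DROPPED = r"C:\PROGRA~3\Mozilla\tbckyxk.exe"
SAMPLE_EVENTS = [
    {"id": 1, "image": SAMPLE, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": f'"{SAMPLE}"'},
    {"id": 11, "image": SAMPLE, "target": DROPPED},
    {"id": 1, "image": DROPPED, "parent_image": r"C:\Windows\system32\taskeng.exe",
     "command_line": DROPPED + " -gqpcbye"},
    {"id": 11, "image": DROPPED, "target": r"C:\PROGRA~3\Mozilla\newtrln.dll"},
    {"id": 13, "image": DROPPED,
     "target": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs",
     "details": r"C:\PROGRA~3\Mozilla\newtrln.dll"},
    {"id": 11, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "target": r"C:\ProgramData\Mozilla\updates\updates.log"},
]

# Assumption: C:\PROGRA~3 is the 8.3 short name of C:\ProgramData (true on a
# default install where Program Files and Program Files (x86) are created first).
PROGRAMDATA_RE = re.compile(r"^(?:C:\\ProgramData|C:\\PROGRA~3)\\", re.IGNORECASE)
# Searched, not anchored at the start, so the Wow6432Node copy of the key also matches.
APPINIT_RE = re.compile(r"\\Windows NT\\CurrentVersion\\Windows\\(?:Load)?AppInit_DLLs$", re.IGNORECASE)
PE_EXT = {".exe", ".dll"}
# taskeng.exe is the Windows 7 task engine; on Windows 10 tasks start under
# svchost.exe (-s Schedule), which is a much noisier parent to key on.
TASK_HOSTS = {"taskeng.exe", "svchost.exe"}


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def evaluate(events: list[dict]) -> list[Finding]:
    """Return one Finding per event that matches one of the three behaviours."""
    findings = []
    for ev in events:
        if ev["id"] == 11:
            target = ev["target"]
            if PROGRAMDATA_RE.match(target) and ntpath.splitext(target)[1].lower() in PE_EXT:
                findings.append(Finding("pe_dropped_in_programdata", target))
        elif ev["id"] == 13 and APPINIT_RE.search(ev["target"]):
            findings.append(Finding("appinit_dlls_modified", f'{ev["target"]} = {ev["details"]}'))
        elif ev["id"] == 1:
            parent = ntpath.basename(ev["parent_image"]).lower()
            if parent in TASK_HOSTS and PROGRAMDATA_RE.match(ev["image"]):
                findings.append(Finding("task_engine_runs_programdata_exe", ev["command_line"]))
    return findings


if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"{f.rule}: {f.detail}")
```

Each rule is intentionally narrow: a PE write under ProgramData is common for legitimate installers, so in practice the three findings are correlated on the same process lineage (here the dropper, the task engine and tbckyxk.exe) before alerting, and the AppInit rule is the one worth paging on by itself.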
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 137KB
- MD5: 3dcf34ed8f19576e5a7858b2cc126d9c
- SHA1: 75d35a663de0253cfa92530780755496283c2466
- SHA256: 62bae230516d405e8d300f76ee4959b298c49fd0671530fdc1f01a7510f7a588
- SHA512: 86425c7a09d17b242271cb5659573cef889c72513df5a75b7d47fd17f8a7027ef1da523bb3abc572132cc9927eff07618ee3c0718b7de8b5bb2a380327b71e6a

This downloadable file is the same size as the submitted sample (137KB) but carries different hashes; the report does not name it, so which of the written files it corresponds to has to be confirmed by hashing the files recovered from the run.