7b5a28146cf2884c39e62a69c61931c6a485ca629410902e53d953ec53b2b7a2

Analysis

max time kernel
120s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05/04/2024, 23:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7b5a28146cf2884c39e62a69c61931c6a485ca629410902e53d953ec53b2b7a2.exe
Size

221KB
MD5

92373746b48cb18d57ac9f3caffc0f7d
SHA1

c938e13943df7a59ade5922a2858a90929054815
SHA256

7b5a28146cf2884c39e62a69c61931c6a485ca629410902e53d953ec53b2b7a2
SHA512

9e9579482382a21843cb405fa86f5b690aa01a20f71b3fd269982df428fb8e5c58c4aa18d610d86abf332ca5b9a6b32095f07f6d52042d678fa8643c23ef25a5
SSDEEP

3072:EaM74bUOTAjzX7qZ8lUJq8qallDmNcB2xwD8q1JFFGAXfUCXHSRckb5c2gL:544b7czqmlKa08qvFsRcTH

Score

9^/10

persistence

Malware Config

Signatures

Detects executables packed with ASPack 2 IoCs

resource	yara_rule
behavioral1/memory/1612-0-0x0000000000400000-0x000000000045E000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/files/0x00090000000143d1-6.dat	INDICATOR_EXE_Packed_ASPack

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Executes dropped EXE 1 IoCs

pid	Process
1640	tbckyxk.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\tbckyxk.exe	7b5a28146cf2884c39e62a69c61931c6a485ca629410902e53d953ec53b2b7a2.exe
File created	C:\PROGRA~3\Mozilla\newtrln.dll	tbckyxk.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1612	7b5a28146cf2884c39e62a69c61931c6a485ca629410902e53d953ec53b2b7a2.exe
1640	tbckyxk.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 1640	2508	taskeng.exe	29
PID 2508 wrote to memory of 1640	2508	taskeng.exe	29
PID 2508 wrote to memory of 1640	2508	taskeng.exe	29
PID 2508 wrote to memory of 1640	2508	taskeng.exe	29

C:\Users\Admin\AppData\Local\Temp\7b5a28146cf2884c39e62a69c61931c6a485ca629410902e53d953ec53b2b7a2.exe
"C:\Users\Admin\AppData\Local\Temp\7b5a28146cf2884c39e62a69c61931c6a485ca629410902e53d953ec53b2b7a2.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
PID:1612

C:\Windows\system32\taskeng.exe
taskeng.exe {3E687DC3-9CEE-499A-A5B3-0E857E868036} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2508
- C:\PROGRA~3\Mozilla\tbckyxk.exe
  C:\PROGRA~3\Mozilla\tbckyxk.exe -gqpcbye
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of UnmapMainImage
  PID:1640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\tbckyxk.exe

Filesize
221KB

MD5
22126b790fbd2c70d142eed7b82cd53a

SHA1
3b3995c259341b0342672bfd302954a06214d535

SHA256
a91676296f935d74bc84f97d2bc493751124403c4bd43a6935924ad9a6065fa8

SHA512
849e1aec3d56e641a4f7aff6188c751b91baac03af155ec3eda67d705e93d59a6e15fb88f482ac892798827b9e9582f3dd62723c4e380da7f7d4bd59080c34e0

Download Submit
memory/1612-0-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1612-1-0x00000000002A0000-0x00000000002FB000-memory.dmp

Filesize
364KB

Download
memory/1612-2-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1612-4-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1612-5-0x00000000002A0000-0x00000000002FB000-memory.dmp

Filesize
364KB

Download
memory/1640-8-0x00000000008C0000-0x000000000091B000-memory.dmp

Filesize
364KB

Download
memory/1640-9-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1640-11-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download