Analysis
- max time kernel: 119s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 06/04/2024, 21:56
Static task: static1
Behavioral task: behavioral1
- Sample: 6a1dfa83de4d60c09fc0aa5809d0c695c02e4f2cc27a861e75f686325d54c476.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 6a1dfa83de4d60c09fc0aa5809d0c695c02e4f2cc27a861e75f686325d54c476.exe
- Resource: win10v2004-20240226-en
General
- Target: 6a1dfa83de4d60c09fc0aa5809d0c695c02e4f2cc27a861e75f686325d54c476.exe
- Size: 112KB
- MD5: 94a142e964fe99275a4154e73e2f6d9e
- SHA1: 2301d5ec286e48a3ab2d6827dc0a2f0519dfacff
- SHA256: 6a1dfa83de4d60c09fc0aa5809d0c695c02e4f2cc27a861e75f686325d54c476
- SHA512: 4b7704b16b9fd81f77378e016a8509ebd0ca47811555d7c05a1043a00303f428725cbfbcaf377f62c1ca81e8bdbee8b5530ccc56cda9eebefd9aa0f1ce935812
- SSDEEP: 3072:bigRqGiY/IA8wD5iZ4gKczBxGV6+UIXlaMA+uzlCP:yw/IFwDox+UGg5XzlCP
Malware Config
Signatures
- Detects executables built or packed with MPress PE compressor (4 IoCs)
  resource | yara_rule
  behavioral1/memory/1932-0-0x0000000000400000-0x000000000042C000-memory.dmp | INDICATOR_EXE_Packed_MPress
  behavioral1/memory/1932-7-0x0000000000400000-0x000000000042C000-memory.dmp | INDICATOR_EXE_Packed_MPress
  behavioral1/files/0x000b000000014aec-8.dat | INDICATOR_EXE_Packed_MPress
  behavioral1/memory/1664-16-0x0000000000400000-0x000000000042C000-memory.dmp | INDICATOR_EXE_Packed_MPress
- Modifies AppInit DLL entries (2 TTPs)
- Executes dropped EXE (1 IoC)
  pid | Process
  1664 | tbckyxk.exe
- Drops file in Program Files directory (2 IoCs)
  description | ioc | Process
  File created | C:\PROGRA~3\Mozilla\tbckyxk.exe | 6a1dfa83de4d60c09fc0aa5809d0c695c02e4f2cc27a861e75f686325d54c476.exe
  File created | C:\PROGRA~3\Mozilla\newtrln.dll | tbckyxk.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 1760 wrote to memory of 1664 | 1760 | taskeng.exe | 29
  PID 1760 wrote to memory of 1664 | 1760 | taskeng.exe | 29
  PID 1760 wrote to memory of 1664 | 1760 | taskeng.exe | 29
  PID 1760 wrote to memory of 1664 | 1760 | taskeng.exe | 29
Processes
- C:\Users\Admin\AppData\Local\Temp\6a1dfa83de4d60c09fc0aa5809d0c695c02e4f2cc27a861e75f686325d54c476.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6a1dfa83de4d60c09fc0aa5809d0c695c02e4f2cc27a861e75f686325d54c476.exe"
  PID: 1932
  - Drops file in Program Files directory
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {3ED2D991-848E-479D-BF56-6FBCAEBA318E} S-1-5-18:NT AUTHORITY\System:Service:
  PID: 1760
  - Suspicious use of WriteProcessMemory
  - C:\PROGRA~3\Mozilla\tbckyxk.exe (child of taskeng.exe)
    Command line: C:\PROGRA~3\Mozilla\tbckyxk.exe -gqpcbye
    PID: 1664
    - Executes dropped EXE
    - Drops file in Program Files directory
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 112KB
  MD5: 585397c50bdfbdc3cac8f48d28d95c2e
  SHA1: 7e4d49a08dd5b80d604cafc6b257706ae3753a3d
  SHA256: c1d9cefb0735008ad5db3f1e4e5d0a5135faa27896e2cda16ce8f2e881904abd
  SHA512: af0e6084efdd9f18475513ffe33b27fb0c2eac90541c4327a848b76e2bf68c8c683cc066e2a637baf0c88c2d297825defb7109d7cf6bc137e5d2a153d95d8e8e