Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 09/05/2024, 00:53
Behavioral task: behavioral1
Sample: 82347e873828be07ca4eb76a971467fa77146f088e6111a82b34b06a55a8b7e5.exe
Resource: win7-20240508-en

Behavioral task: behavioral2
Sample: 82347e873828be07ca4eb76a971467fa77146f088e6111a82b34b06a55a8b7e5.exe
Resource: win10v2004-20240508-en
General
Target: 82347e873828be07ca4eb76a971467fa77146f088e6111a82b34b06a55a8b7e5.exe
Size: 137KB
MD5: 3e97f2a7c695073528e1a2c79a9080d4
SHA1: 4e37ad1891c29a0e20c1a1dac896f0df038d9716
SHA256: 82347e873828be07ca4eb76a971467fa77146f088e6111a82b34b06a55a8b7e5
SHA512: d7a76694b009abc25b5e4d5a6a30f2e6d452d7a12ce1dbe6e91fff653c70a4f81a777b3509f6a5bbd22328876a23d0d1f9e80dadaf1cf0f1947861cd1a827398
SSDEEP: 3072:AE9ByF5wP7Ht99mbaa+vKAzWvSVJSwpi6DsK:7907wTr9mea+i6WKQS
Malware Config
Signatures

Detects executables packed with ASPack (6 IoCs)
resource                                                                    yara_rule
behavioral1/memory/2928-1-0x0000000000400000-0x000000000045E000-memory.dmp  INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2928-0-0x0000000000400000-0x000000000045E000-memory.dmp  INDICATOR_EXE_Packed_ASPack
behavioral1/files/0x0037000000016d3d-7.dat                                  INDICATOR_EXE_Packed_ASPack
behavioral1/memory/3044-9-0x0000000000400000-0x000000000045E000-memory.dmp  INDICATOR_EXE_Packed_ASPack
behavioral1/memory/3044-10-0x0000000000400000-0x000000000045E000-memory.dmp INDICATOR_EXE_Packed_ASPack
behavioral1/memory/3044-11-0x0000000000400000-0x000000000045E000-memory.dmp INDICATOR_EXE_Packed_ASPack

Modifies AppInit DLL entries (2 TTPs)

resource                                    yara_rule
behavioral1/files/0x0037000000016d3d-7.dat  aspack_v212_v242

Executes dropped EXE (1 IoCs)
pid   Process
3044  gugcane.exe

Drops file in Program Files directory (2 IoCs)
description   ioc                              Process
File created  C:\PROGRA~3\Mozilla\gugcane.exe  82347e873828be07ca4eb76a971467fa77146f088e6111a82b34b06a55a8b7e5.exe
File created  C:\PROGRA~3\Mozilla\zynbtfl.dll  gugcane.exe

Suspicious use of UnmapMainImage (2 IoCs)
pid   Process
2928  82347e873828be07ca4eb76a971467fa77146f088e6111a82b34b06a55a8b7e5.exe
3044  gugcane.exe

Suspicious use of WriteProcessMemory (4 IoCs)
description                       pid   Process      procid_target
PID 2648 wrote to memory of 3044  2648  taskeng.exe  29
PID 2648 wrote to memory of 3044  2648  taskeng.exe  29
PID 2648 wrote to memory of 3044  2648  taskeng.exe  29
PID 2648 wrote to memory of 3044  2648  taskeng.exe  29
Processes

C:\Users\Admin\AppData\Local\Temp\82347e873828be07ca4eb76a971467fa77146f088e6111a82b34b06a55a8b7e5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\82347e873828be07ca4eb76a971467fa77146f088e6111a82b34b06a55a8b7e5.exe"
  - Drops file in Program Files directory
  - Suspicious use of UnmapMainImage
  PID:2928

C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {4E1FA062-DDC1-4D87-9369-4D362D71C681} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  PID:2648
    C:\PROGRA~3\Mozilla\gugcane.exe (child of PID 2648)
      Command line: C:\PROGRA~3\Mozilla\gugcane.exe -eoikpie
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Suspicious use of UnmapMainImage
      PID:3044
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 137KB
MD5: 45b5501528e775d53e671df40f43699a
SHA1: 403bca161c1e3aa99d7229155d46aec0d571d7d6
SHA256: 1d0ae605a3ee22b328827592561fca70ceee68f7a066044a2969b137fc5dc632
SHA512: bd999ab0cce142c927fccaf53a5cc1f11d9d1012757dcdb80758bfb228ae54fafea3bbedbe4621f890ecca2d453e769508953af7405171bf76ab3691a61a0abc