General

  • Target

    StartAllBack.v3.7.9.exe

  • Size

    3.4MB

  • Sample

    240509-far3zsea42

  • MD5

    cfa05e668d40141a0962f8cd63834294

  • SHA1

    8e62d099cd181f3bbe644e3d5a0a264ad2ecce92

  • SHA256

    68de812ffc84aaf4f7a5b3f7b55472f2a525fe43c60e64539a84506fcf386d0e

  • SHA512

    59adde381e178a9f291d5585ac37a4c1789be2d20d94f81290ad66c471964b18369d6f9143caa9915ad27334ce518e39e39a331d174fecd282b4b949bbc85d6a

  • SSDEEP

    98304:2k8H3G0wUxHEfGNH8iYAxvlD5H2Lz8sC2Wn66Hsn4O:2T6pGNH8yxN5Huz7CTO

Malware Config

Targets

    • Target

      StartAllBack.v3.7.9.exe

    • Size

      3.4MB

    • MD5

      cfa05e668d40141a0962f8cd63834294

    • SHA1

      8e62d099cd181f3bbe644e3d5a0a264ad2ecce92

    • SHA256

      68de812ffc84aaf4f7a5b3f7b55472f2a525fe43c60e64539a84506fcf386d0e

    • SHA512

      59adde381e178a9f291d5585ac37a4c1789be2d20d94f81290ad66c471964b18369d6f9143caa9915ad27334ce518e39e39a331d174fecd282b4b949bbc85d6a

    • SSDEEP

      98304:2k8H3G0wUxHEfGNH8iYAxvlD5H2Lz8sC2Wn66Hsn4O:2T6pGNH8yxN5Huz7CTO

    • Modifies Installed Components in the registry

    • Executes dropped EXE

    • Loads dropped DLL

    • Registers COM server for autorun

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      $PLUGINSDIR/nsExec.dll

    • Size

      7KB

    • MD5

      11092c1d3fbb449a60695c44f9f3d183

    • SHA1

      b89d614755f2e943df4d510d87a7fc1a3bcf5a33

    • SHA256

      2cd3a2d4053954db1196e2526545c36dfc138c6de9b81f6264632f3132843c77

    • SHA512

      c182e0a1f0044b67b4b9fb66cef9c4955629f6811d98bbffa99225b03c43c33b1e85cacabb39f2c45ead81cd85e98b201d5f9da4ee0038423b1ad947270c134a

    • SSDEEP

      96:JgzdzBzMDhOZZDbXf5GsWvSv1ckne94SDbYkvML1HT1fUNQaSGYuHIDQ:JDQHDb2vSuOc41ZfUNQZGdHA

    Score: 3/10
    • Target

      $PROGRAMFILES/StartIsBack/Orbs/Shamrock.orb

    • Size

      295KB

    • MD5

      ef55e07e1a2e47bb2bb749046cd150b2

    • SHA1

      68362a1b38f03b8f25fc1f2cfcbd73d90b2ea0fa

    • SHA256

      1a8dac51758c66a1bb03fbc227b5edb52ef7379fa3603b62eb3307005d06c9b5

    • SHA512

      9c04a8c14dddf42b1ce6d07a5e562f008922595a9024cfcedb46529ab97804535fee8d1577ba9ee7438602aaac8613237869d5dc658bf7b68d44c250128b7b0e

    • SSDEEP

      1536:CFafTY/SHWgaaQSKCufuCk4d8/YDHDIHsZw893lUsne0CS/W/CP98jNPNrku/S/d:CgfTYknuh5BxlUs0S/CR2/Ezg7

    Score: 1/10
    • Target

      $PROGRAMFILES/StartIsBack/Orbs/Windows 7.orb

    • Size

      295KB

    • MD5

      85328e698e8a74852b4061a683915dc8

    • SHA1

      b898267f8574a34e6d605e541e5234c27dd53f5d

    • SHA256

      e5b74e9e7bd6758a0154b11462ae3328edd143190865198104d8bd53b9af7275

    • SHA512

      03945c487c6e697f7b352374a989bfe41d1de7d00624461d2b97fb2027b26d36b35035d5e78ea622c31372087dae647c5d3591c7f9a27941c009993e719ee28f

    • SSDEEP

      3072:hj4y00PsAyluGSyREq+Dh3SGtdJmH1PakPE3AzpdDh7FVkohILQ:hn0esAylu2d2S4J83tdVYoT

    Score: 1/10
    • Target

      $PROGRAMFILES/StartIsBack/UpdateCheck.exe

    • Size

      3KB

    • MD5

      f9756c261aa978c787302debff8f142a

    • SHA1

      81b5b130741d5df2feccd67bb6edb1a9d08d48aa

    • SHA256

      a8d52a2653709d93d0d2c05d653dcf8f0cb06f11422d183eb6871528c95df319

    • SHA512

      20ae445ab28d98ce6c1c8b066b7133541d9f944df7dbfccbc35df724165624c82d76c260c6041e5033e965e4dc0a2a57a67b594057cbc88f8ccc6ac9490c08b3

    Score: 1/10
    • Target

      $PROGRAMFILES64/StartAllBack/Orbs/Shamrock.orb

    • Size

      295KB

    • MD5

      ef55e07e1a2e47bb2bb749046cd150b2

    • SHA1

      68362a1b38f03b8f25fc1f2cfcbd73d90b2ea0fa

    • SHA256

      1a8dac51758c66a1bb03fbc227b5edb52ef7379fa3603b62eb3307005d06c9b5

    • SHA512

      9c04a8c14dddf42b1ce6d07a5e562f008922595a9024cfcedb46529ab97804535fee8d1577ba9ee7438602aaac8613237869d5dc658bf7b68d44c250128b7b0e

    • SSDEEP

      1536:CFafTY/SHWgaaQSKCufuCk4d8/YDHDIHsZw893lUsne0CS/W/CP98jNPNrku/S/d:CgfTYknuh5BxlUs0S/CR2/Ezg7

    Score: 1/10
    • Target

      $PROGRAMFILES64/StartAllBack/Orbs/Windows 7.orb

    • Size

      295KB

    • MD5

      85328e698e8a74852b4061a683915dc8

    • SHA1

      b898267f8574a34e6d605e541e5234c27dd53f5d

    • SHA256

      e5b74e9e7bd6758a0154b11462ae3328edd143190865198104d8bd53b9af7275

    • SHA512

      03945c487c6e697f7b352374a989bfe41d1de7d00624461d2b97fb2027b26d36b35035d5e78ea622c31372087dae647c5d3591c7f9a27941c009993e719ee28f

    • SSDEEP

      3072:hj4y00PsAyluGSyREq+Dh3SGtdJmH1PakPE3AzpdDh7FVkohILQ:hn0esAylu2d2S4J83tdVYoT

    Score: 1/10
    • Target

      $PROGRAMFILES64/StartAllBack/StartIsBack32.dll

    • Size

      563KB

    • MD5

      e4b19c388cf6d649053e7f018388b9a4

    • SHA1

      9114450f106c4e274c335f4e5d41fe40380a9607

    • SHA256

      6405b9ad8b1557381de5a3d51502f408891283ba22ad45166343261e703bee07

    • SHA512

      f990a6765a3bc8c3d36d8617e68237d83cd2cca4e05a71389f4381e6ef8b2c96cc9f04a6f9db74a9af95f30bfd36c72394acff8718e8ab6d16581eafd68ab51e

    • SSDEEP

      12288:1SEyvDUMVQfYllJs97b3xrtlyXWM59+2cCGM7VxA:wEyvDUMVQfalJs7bhtlyjI2e4O

    Score: 1/10
    • Target

      $PROGRAMFILES64/StartAllBack/StartIsBack64.dll

    • Size

      667KB

    • MD5

      7ca847e6522f074352eadc0b62eb3399

    • SHA1

      84fadc794964373f4098a474c3829d5d1953e07a

    • SHA256

      584d631fa9f62873409cc51777fbbe8df673887a8af0a092d4b0523da512e577

    • SHA512

      6c0e8a38a394309fcbb66d9da372cd35114b5a0aea397324f629fbb18866eaa934119483d5048dcb487377cd2d47d85ee23611aae84947a025b494a53bfcd20a

    • SSDEEP

      12288:OEwKiIRJBYUYiyx51FHh3xb/zybraHM+/qWGgbF:OEPiIRJBYUYiyx5/hhCbrsqWGgbF

    Score: 1/10
    • Target

      $PROGRAMFILES64/StartAllBack/StartIsBackCfg.exe

    • Size

      2.3MB

    • MD5

      54873041460fa7a27cfb5008239e11f9

    • SHA1

      c4fd1fa77a5e079f19cfaed945a83b65bc55431a

    • SHA256

      3b946870b669af9837a27204e72ebe8e42a3503a6ee4da3822672ff54bdad0c5

    • SHA512

      78fc2b84dc42e86bec9e802f6a96a3507802a033b54429ac0d2c65b726edfb0dc3ee1cf5c57dde455a5ffa36b49ebf9c1ff4335b5b7fab70b9609d903e59ca8a

    • SSDEEP

      12288:3P7XcuNzOo7oFYyWxmF9LOFDfMKmm6/5UcVvmAMeJ62LzmHbNvnnnnnnnnn/m94v:/guhXsYycmzGkKmmX3ABxLzmuzF

    Score: 1/10
    • Target

      $PROGRAMFILES64/StartAllBack/Styles/Plain10.msstyles

    • Size

      48KB

    • MD5

      a69385279536210958fb9c86cab229d6

    • SHA1

      6ecb118cfb9b8ef42c79aa0d795c3d8b51f0341d

    • SHA256

      3955fc60d3b7c4a1badd831fde82269261407cf9d459c65b429e8abc769adeed

    • SHA512

      f1cf5b1ec22416e645c0dfc128c25166585e300a8db2de6ec51e0689e26e54831dcf2b26a03115423b9b71f1b109389a3e14173fe0a8bbebc2547f9ca33cd412

    • SSDEEP

      384:JijF/fRDk7ntZ6ITwfNAGPEVNqavB+m43+55lgirNr3all7IQsIUuIUU+ZZxVAKi:JAtv4sSlO6NH

    Score: 1/10
    • Target

      $PROGRAMFILES64/StartAllBack/Styles/Plain8.msstyles

    • Size

      118KB

    • MD5

      509fd060516d1971da8d0c2173748358

    • SHA1

      67ccd63914312b1f491467bec42232916df109c7

    • SHA256

      43c7016d950248f52f9512c9e7393c38d61a3ba2235e5fb6deed83564d8e9442

    • SHA512

      de3d87b7e0a518ffbb10ccd400dbf5f9596177b75dd7aa4785855d36f007ef0417b88b2eb3aa6af7e52fb3670c021f714bcf87a33551ffc4536444d5204aa7e6

    • SSDEEP

      1536:JrsDH9XYblumhuRSPvu8QhVPCQtGwMlw:JrkH9cumhuRSXIhVPCpwMlw

    Score: 1/10
    • Target

      $PROGRAMFILES64/StartAllBack/Styles/Windows 7.msstyles

    • Size

      405KB

    • MD5

      b6a2892c151ccd59d0b4c4c1777daac5

    • SHA1

      b34791b4db3956620dffb2e11e1fa160e2d20889

    • SHA256

      0c6e681a8091ba888e58473cceeae590c88a405bb30dcb344f940acf27290ce8

    • SHA512

      e8fc5c96d155bf9657c07d861e2597d681a23ce1d46ec3e779251126e989be41c883e0545e80b5291c96a3ead4eb6c2affe8b419abb506bc5e5376fe2fa212ae

    • SSDEEP

      6144:e7hUvZn7daDTzgMigyWI12lnCtROpUHQYPxcqe:mhOZ7Qzg/RXthz

    Score: 1/10
    • Target

      $PROGRAMFILES64/StartAllBack/UpdateCheck.exe

    • Size

      3KB

    • MD5

      f9756c261aa978c787302debff8f142a

    • SHA1

      81b5b130741d5df2feccd67bb6edb1a9d08d48aa

    • SHA256

      a8d52a2653709d93d0d2c05d653dcf8f0cb06f11422d183eb6871528c95df319

    • SHA512

      20ae445ab28d98ce6c1c8b066b7133541d9f944df7dbfccbc35df724165624c82d76c260c6041e5033e965e4dc0a2a57a67b594057cbc88f8ccc6ac9490c08b3

    Score: 1/10
    • Target

      $PROGRAMFILES64/StartAllBack/startscreen.exe

    • Size

      71KB

    • MD5

      a2d6e2201be02973328038457aa64bba

    • SHA1

      684338bd758a92449d43c49a0aa539f323760215

    • SHA256

      f4e76abf0df055fae97863708412773b51197bae0ddd9692a9509e824d847df0

    • SHA512

      21002b3b3cd01beb923692addaef4e5d0fcbee972154e25bea2c4ece591185bf8e6221959fbcc772fc7e7f73dce18747909dcd9c04423a0ade70f6cfba72f135

    • SSDEEP

      768:cH8C2KZJVCso1iFS4dA38XFKw/v5lUcB6VC2Tl4GLxEFiRS:or5VcUdA32FfvIC6Z2GLxeio

    Score: 1/10
    • Target

      $TEMP/STARTISBACK/DarkMagicLoaderX64.exe

    • Size

      13KB

    • MD5

      31a0c563a06323fee612df2dd801add2

    • SHA1

      d67e3ff1d9ec9c791cae0f90a2d75b8d47d0f678

    • SHA256

      3c38890144061a23c3322720edcd0866261d25c8763836e773bd5b082dacbe72

    • SHA512

      3978b636594455dccf4a351b1c16a314a4e41777cd8466d68a6e78168ff4bc3c402a5cb90d45978dafea7e90e750a2bec6922a682fa209793607ce1496d637da

    • SSDEEP

      192:3TaBb69WU9F6M/YmTveDcPnnCjdAA1m5IxV6hJzsPmHkuug:3OBbAWuFRHvSQnCjdAA1m5wMzsPudL

    Score: 1/10
    • Target

      $TEMP/STARTISBACK/DarkMagicLoaderX86.exe

    • Size

      13KB

    • MD5

      53b24dfaaf02118c913e662dbc48acaf

    • SHA1

      66d61ca3a78edc09cd78e57a2edbd03a0dde6176

    • SHA256

      9cb9d09799d03d14c58c67521488395a06b084f5d8cece7a45acfd15ffbccada

    • SHA512

      774efc66c71d02966d0f8961439476e5de4942f4095a760f7928c9de0d3c0f42d371bbe73ddedac1490ec678c7f3f812615896470893423c3b41251fa7cdc1db

    • SSDEEP

      192:CbrWU9F6M/YmTveDcYDeVCjdAA1m5IxV6hJzsPmHkyjI:CbrWuFRHvSrDeVCjdAA1m5wMzsPudM

    Score: 1/10
    • Target

      $TEMP/STARTISBACK/DarkMagicX64.dll

    • Size

      156KB

    • MD5

      106a8be32845eeaced3eef223f317fd9

    • SHA1

      0dda24c0bf494e685aebf130b0b13df1a5dca2e9

    • SHA256

      65e8c33ff2e84d9a5e1f6dd74d508cf109f921958bb24a2b766ae06dedc7cbc3

    • SHA512

      5dd330f0dad03daecdd6a30ff1aff7e3c9506c8b1c4c0fd670b4ec3ad692c0ff078222858b56715d7ab0694ecf36521c46811b932d01f586de4c37d9afa92aea

    • SSDEEP

      1536:lTEUWaufsPnsbHkpO8GrKvAM40xCj37SHb06v27pvhE4VG8zFLQYSvHceCKsR89o:ZEO5Eb3vJg06vcppRVfQYSvwR8Lx+yba

    Score: 1/10
    • Target

      $TEMP/STARTISBACK/DarkMagicX86.dll

    • Size

      127KB

    • MD5

      7162f62910e6c2e0c964b5fb765170c4

    • SHA1

      e847401f6ff87e03b9b71166562c0beeb0850b72

    • SHA256

      d68d7e9d4e6ecaff194fb461098fb93ca142b81881400c3e7a05eb0ce10a3b3a

    • SHA512

      37e85e498f8f78079d61d0ed3efcabbf3007fabe3ce5b45451e246a305d86c3ca4bb71b4e20b430441a5cfc7505d53cb3ca33e53f70ee2e1abdb3f837e129664

    • SSDEEP

      3072:qQ/dazpCv9KUoQEt3gUYhvFPTBsZAC4TBZv7Sx7y2Ifak:qQlazpGoUohwhvZTq4TX7Sx7y7ik

    Score: 1/10
    • Target

      $TEMP/STARTISBACK/Orbs/Windows 7.orb

    • Size

      295KB

    • MD5

      85328e698e8a74852b4061a683915dc8

    • SHA1

      b898267f8574a34e6d605e541e5234c27dd53f5d

    • SHA256

      e5b74e9e7bd6758a0154b11462ae3328edd143190865198104d8bd53b9af7275

    • SHA512

      03945c487c6e697f7b352374a989bfe41d1de7d00624461d2b97fb2027b26d36b35035d5e78ea622c31372087dae647c5d3591c7f9a27941c009993e719ee28f

    • SSDEEP

      3072:hj4y00PsAyluGSyREq+Dh3SGtdJmH1PakPE3AzpdDh7FVkohILQ:hn0esAylu2d2S4J83tdVYoT

    Score: 1/10
    • Target

      $TEMP/STARTISBACK/StartAllBackCfg.exe

    • Size

      3.3MB

    • MD5

      d029e1430bb91cf5506aa05e2e72ef26

    • SHA1

      47d374ad40833e7317c2729f500eaade45734b91

    • SHA256

      c7e9712749e51c5c9fa49ab6ebedca97543e5761051c72ca12dfe13fdcf43e07

    • SHA512

      1850fb38b216fde13aa6daf66cb6082c1d225fd445511d87108c911bdafc13b34b32c6800d30abdc08a0adee3f9ce7ff69e9c65600e369b61374202676a39079

    • SSDEEP

      24576:WdIOTn2jk2xye4khW0y1y4iW6SRX/SrPlPf6cI1N+Nm9p:W+OLQULkhVSRSt7UF

    Score: 1/10
    • Target

      $TEMP/STARTISBACK/StartAllBackLoaderX64.dll

    • Size

      14KB

    • MD5

      07496bd0aa53a53fee717c35c3ec5284

    • SHA1

      bb281ab5eeb23f32290942e6c7308db389ce4415

    • SHA256

      0dcda75498e5a8754a9f23a941bb5e734d1488c489fac6b2e83d0f13c325584b

    • SHA512

      39a12a6670205cbe027d32e156b508ac335cc610aaf5ab1fcad1403863fc7e001c3bd1da9062c6e53481161d57734dd4673743168f7188db29a9125ece5a90d3

    • SSDEEP

      384:R2iaEmJJWuFRHvSkeMQCjdAA1m5wMzsPuExv:4ixmLTlMxCxf1mlzz8

    Score: 1/10
    • Target

      $TEMP/STARTISBACK/StartAllBackX64.dll

    • Size

      864KB

    • MD5

      5481406b56b847931d6531a759036e8a

    • SHA1

      da4e7d7e4ccb59c774253f02c24d15104febcd61

    • SHA256

      94002f0c7786d6f22011f64ca65fb065af2ca52a1ff8576fc43269f4ae7a965b

    • SHA512

      81a7b980250a666ccde820df5f829df109298d22ee086d40681b3ba8bb871a0f11653ea2363f34ed206156ddb8d8c7ccf208d2ff2548c778ace83bb6715da39e

    • SSDEEP

      12288:UqM0OEfhGHuGDnTk84QZZUAzKiaKktaz7ZgGoRiV8VWYwF:iPEfhqLTJHZuiZc0aGoRiuZ

    Score: 1/10
    • Target

      $TEMP/STARTISBACK/Styles/Plain8.msstyles

    • Size

      118KB

    • MD5

      509fd060516d1971da8d0c2173748358

    • SHA1

      67ccd63914312b1f491467bec42232916df109c7

    • SHA256

      43c7016d950248f52f9512c9e7393c38d61a3ba2235e5fb6deed83564d8e9442

    • SHA512

      de3d87b7e0a518ffbb10ccd400dbf5f9596177b75dd7aa4785855d36f007ef0417b88b2eb3aa6af7e52fb3670c021f714bcf87a33551ffc4536444d5204aa7e6

    • SSDEEP

      1536:JrsDH9XYblumhuRSPvu8QhVPCQtGwMlw:JrkH9cumhuRSXIhVPCpwMlw

    Score: 1/10
    • Target

      $TEMP/STARTISBACK/Styles/Windows 7.msstyles

    • Size

      377KB

    • MD5

      5bcd1f14702ed1c521a13cec168770c7

    • SHA1

      60d9b2740ae59e32cb843ae9171db90d24212884

    • SHA256

      5d7d0f58359bc0017da66b3b893515435add2908f3c10920e0cad2febd3e0e62

    • SHA512

      ccd3df8072768e42c607d372c35c5e484c51a3ed24545ae29cad8aab61a1cdd2e9c8c33dfed41406566b31ed775c0ffc56859f97d8dd2859f4899af1a670b752

    • SSDEEP

      6144:YL7hUvZn7daDTzgMigyWI12lnCtROpUHQYPxt:ohOZ7Qzg/RXthz

    Score: 1/10
    • Target

      $TEMP/STARTISBACK/UpdateCheck.exe

    • Size

      3KB

    • MD5

      f9756c261aa978c787302debff8f142a

    • SHA1

      81b5b130741d5df2feccd67bb6edb1a9d08d48aa

    • SHA256

      a8d52a2653709d93d0d2c05d653dcf8f0cb06f11422d183eb6871528c95df319

    • SHA512

      20ae445ab28d98ce6c1c8b066b7133541d9f944df7dbfccbc35df724165624c82d76c260c6041e5033e965e4dc0a2a57a67b594057cbc88f8ccc6ac9490c08b3

    Score: 1/10

MITRE ATT&CK Enterprise v15

Tasks