Analysis
max time kernel: 150s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18/09/2023, 19:25
Static task: static1
Behavioral task: behavioral1
  Sample: f8fb3b40ac2505c27ceec7864cbe562b_JC.exe
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: f8fb3b40ac2505c27ceec7864cbe562b_JC.exe
  Resource: win10v2004-20230915-en
General
Target: f8fb3b40ac2505c27ceec7864cbe562b_JC.exe
Size: 4.1MB
MD5: f8fb3b40ac2505c27ceec7864cbe562b
SHA1: d59584e4879d876537885a297d32e41de944e066
SHA256: eb5f6fe993832be79cd0275534819701642a02d3be300cc2adc2f90c9cfb4f60
SHA512: 44f989175a5e76183451acf3bcd9531cf125013362ae514dda8b671b4975a6a05a034f123b2ddb50a07cf8e2891bff95db4a9fd8bfef8ee909a049b7d1389741
SSDEEP: 98304:+R0pI/IQlUoMPdmpSpj4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdms5n9klRKN41v
Malware Config
Signatures
Executes dropped EXE (1 IoC)
pid | Process
2428 | xdobsys.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocFB\\xdobsys.exe" | f8fb3b40ac2505c27ceec7864cbe562b_JC.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidAQ\\dobdevloc.exe" | f8fb3b40ac2505c27ceec7864cbe562b_JC.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
3300 | f8fb3b40ac2505c27ceec7864cbe562b_JC.exe
2428 | xdobsys.exe
(64 entries in total, every one of them for PID 3300 or PID 2428: four rows for 3300, then repeating pairs of two rows for 2428 and two rows for 3300)

Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 3300 wrote to memory of 2428 | 3300 | f8fb3b40ac2505c27ceec7864cbe562b_JC.exe | 87
(the same row is recorded three times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\f8fb3b40ac2505c27ceec7864cbe562b_JC.exe (PID 3300)
   command line: "C:\Users\Admin\AppData\Local\Temp\f8fb3b40ac2505c27ceec7864cbe562b_JC.exe"
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\IntelprocFB\xdobsys.exe (PID 2428, child of PID 3300)
      command line: C:\IntelprocFB\xdobsys.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
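The signature rows above are the part of this report worth pulling out for a hunt, but tria.ge prints them flattened, with the registry path in kernel form (\REGISTRY\USER\<SID>\..., which is that user's HKCU) and backslashes doubled inside the value data. The following Python is an added example, not part of the tria.ge report or tooling: it parses the 'Adds Run key' and 'WriteProcessMemory' rows into structured records and then cross-checks the registered autorun targets against the image paths in the Processes section. The sample rows are constructed by copying this report's own lines; the column layout it assumes (description, ioc, Process for the Run-key rows; description, pid, Process, procid_target for the WriteProcessMemory rows) is the one visible on this page, not a documented export format.

```python
"""Parse flattened tria.ge-style signature rows into structured records and
cross-check registered autorun targets against the processes that ran.
Added example; sample rows are constructed by copying this report's IoC lines."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed input: the two 'Adds Run key to start application' rows from this report.
RUN_KEY_ROWS = r'''
Set value (str) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocFB\\xdobsys.exe" f8fb3b40ac2505c27ceec7864cbe562b_JC.exe
Set value (str) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidAQ\\dobdevloc.exe" f8fb3b40ac2505c27ceec7864cbe562b_JC.exe
'''

# Constructed input: the three 'Suspicious use of WriteProcessMemory' rows from this report.
WPM_ROWS = '''
PID 3300 wrote to memory of 2428 3300 f8fb3b40ac2505c27ceec7864cbe562b_JC.exe 87
PID 3300 wrote to memory of 2428 3300 f8fb3b40ac2505c27ceec7864cbe562b_JC.exe 87
PID 3300 wrote to memory of 2428 3300 f8fb3b40ac2505c27ceec7864cbe562b_JC.exe 87
'''

# Constructed input: the image paths listed in the report's Processes section.
EXECUTED_IMAGES = [
    r"C:\Users\Admin\AppData\Local\Temp\f8fb3b40ac2505c27ceec7864cbe562b_JC.exe",
    r"C:\IntelprocFB\xdobsys.exe",
]


@dataclass(frozen=True)
class RegistrySet:
    hive: str            # HKCU or HKLM after normalising the \REGISTRY\... prefix
    sid: Optional[str]   # user SID for HKCU entries, None for HKLM
    key: str             # key path below the hive
    name: str            # value name
    data: str            # value data with the report's doubled backslashes undone
    process: str         # process that performed the write

    @property
    def is_autorun(self) -> bool:
        """True for the ...\\CurrentVersion\\Run and ...\\CurrentVersion\\RunOnce keys."""
        return self.key.lower().endswith(("currentversion\\run", "currentversion\\runonce"))


# 'Set value (str) <path>\<name> = "<data>" <process>'; the value name cannot contain
# a backslash or a space, which is what lets the non-greedy path group stop in the right place.
_RUN_RE = re.compile(
    r'^Set value \(\w+\) (?P<path>\\REGISTRY\\\S+?)\\(?P<name>[^\\ ]+)'
    r' = "(?P<data>.*)" (?P<process>\S+)$'
)


def _split_hive(path: str) -> Tuple[str, Optional[str], str]:
    # \REGISTRY\USER\<SID>\... is that user's HKCU; \REGISTRY\MACHINE\... is HKLM.
    parts = path.split("\\")
    if parts[2] == "USER":
        return "HKCU", parts[3], "\\".join(parts[4:])
    if parts[2] == "MACHINE":
        return "HKLM", None, "\\".join(parts[3:])
    raise ValueError(f"unrecognised registry path: {path}")


def parse_run_keys(text: str) -> List[RegistrySet]:
    records = []
    for line in text.splitlines():
        m = _RUN_RE.match(line.strip())
        if not m:
            continue
        hive, sid, key = _split_hive(m["path"])
        records.append(RegistrySet(hive, sid, key, m["name"],
                                   m["data"].replace("\\\\", "\\"), m["process"]))
    return records


_WPM_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P<pid>\d+) (?P<process>\S+) (?P<target>\d+)$"
)


def parse_write_process_memory(text: str) -> Dict[Tuple[int, int], int]:
    """Collapse repeated rows into (writer pid, target pid) -> number of rows."""
    edges: Dict[Tuple[int, int], int] = {}
    for line in text.splitlines():
        m = _WPM_RE.match(line.strip())
        if m:
            edge = (int(m["src"]), int(m["dst"]))
            edges[edge] = edges.get(edge, 0) + 1
    return edges


def unexecuted_autoruns(records: List[RegistrySet], executed: List[str]) -> List[str]:
    """Autorun targets that were registered but never appear as a running image."""
    seen = {p.lower() for p in executed}
    return sorted(r.data for r in records if r.is_autorun and r.data.lower() not in seen)


if __name__ == "__main__":
    recs = parse_run_keys(RUN_KEY_ROWS)
    for r in recs:
        print(f"{r.hive}\\{r.key}\\{r.name} = {r.data}  (written by {r.process}, sid {r.sid})")
    print("WriteProcessMemory edges:", parse_write_process_memory(WPM_ROWS))
    print("registered but not executed:", unexecuted_autoruns(recs, EXECUTED_IMAGES))
```

Run against this report, the last check flags C:\VidAQ\dobdevloc.exe: it is registered under RunOnce, which only fires at the next logon of that user, so it never shows up as a process inside the 150 s run even though the Run entry for C:\IntelprocFB\xdobsys.exe does. Both paths, and the value name Parametr, are what to search for on a host suspected of having run this sample; the sandbox trace alone does not tell you what dobdevloc.exe does.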
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 4.1MB
  MD5: cfed6d0e9f7c8dfcb3c203f42c83edfe
  SHA1: 349628807ce7ea0d7aedc304d4cc5aa4c56136cd
  SHA256: 8b3db0ca22116c10d423ac65f66e1ab20e167dfccea6f79f91dff501147b5834
  SHA512: 69d9aab54e10cee7aa0175689d275c0690b816180ed4245e340e76df66addde4f84b20b1cdb84d747718ab4bf66b91c1e0f488dd5f000aa5da604e47b9b70d38
- Filesize: 4.1MB (a second entry with the same hashes as the one above)
  MD5: cfed6d0e9f7c8dfcb3c203f42c83edfe
  SHA1: 349628807ce7ea0d7aedc304d4cc5aa4c56136cd
  SHA256: 8b3db0ca22116c10d423ac65f66e1ab20e167dfccea6f79f91dff501147b5834
  SHA512: 69d9aab54e10cee7aa0175689d275c0690b816180ed4245e340e76df66addde4f84b20b1cdb84d747718ab4bf66b91c1e0f488dd5f000aa5da604e47b9b70d38
- Filesize: 206B
  MD5: 30aa0fb6dc72ec9d2c9cbef64f0baf47
  SHA1: bd07c593f094b14f4aeeb6a2da67d93b8533778d
  SHA256: cc4e68b2ac52bd6af25ad5476ce3819583e37c0bdfbcec273046547650b73048
  SHA512: 970b540245f3995611338914df87f97fe7ad9b93921728586af6e174978f2a61291ef13268a53298f4a676f712b84f81b9a8e5a52f4623e8d39836d7a4979a9b
- Filesize: 4.1MB
  MD5: 0e2295822da494682ef876c798ccb1ad
  SHA1: 5e6e2305358685b1a6ef2e8e5d3c0b613330cf9c
  SHA256: e7d4aa16c1fb90716d7805a0651919260095df6b9d1bcb97142e938e9290620b
  SHA512: 882475d049696f5ac69620a3d07c78d76bcbaa862962e8eb1ce17c5649871d44e2c71b2c68160edbd0e66cdffba38a4718189b5c2fc366ab6d040a37d7934da0