Analysis
max time kernel: 150s
max time network: 126s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 03/06/2024, 22:30
Static task: static1
Behavioral task: behavioral1
  Sample: 670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe
  Resource: win10v2004-20240426-en
General
Target: 670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe
Size: 2.7MB
MD5: 72a9e7cd60b9a950d6d09836b9181063
SHA1: e87eaebe994f31a396d5a24632a2f7ffc6a1be9c
SHA256: 670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b
SHA512: 8f8a0adc94dcacade4fdb0b345eb1a490974c1fdcd359a0ee88c2e888d1cc177a179b3347174c9e878eac9ac72b8cea4aed8596b56d0da11cdb7ef4486d44a20
SSDEEP: 49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBr9w4Sx:+R0pI/IQlUoMPdmpSpj4
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid   Process
  2392  devdobloc.exe

Loads dropped DLL (1 IoC)
  pid   Process
  2336  670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files2Z\\devdobloc.exe"
  Process: 670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe

  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintCY\\optidevec.exe"
  Process: 670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of WriteProcessMemory (4 IoCs)
  description                       pid   Process                                                                   procid_target
  PID 2336 wrote to memory of 2392  2336  670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe  30
  PID 2336 wrote to memory of 2392  2336  670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe  30
  PID 2336 wrote to memory of 2392  2336  670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe  30
  PID 2336 wrote to memory of 2392  2336  670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe  30
Processes
1. C:\Users\Admin\AppData\Local\Temp\670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe (PID 2336)
   Command line: "C:\Users\Admin\AppData\Local\Temp\670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Files2Z\devdobloc.exe (PID 2392)
      Command line: C:\Files2Z\devdobloc.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2.7MB
MD5: f049f316d1dcca60f5682a3c1fad11ad
SHA1: 2cc5209b28e53e0d97c2aa2540904a5db8d9a772
SHA256: 29d9202c78612e74cb2b5016b22ff110d526a03ac7a3aca362e1fbc52bbf30e8
SHA512: 333d8c63373946edfc76e8f9f4d1afcc993a45431e287816a4f1a0aa03880ace89972633c8d8665ab55880714064d30cc574d4c300369096dfbf74f671bc68f0

Filesize: 205B
MD5: 384b1ea5852efea73c6cfac4f27aee40
SHA1: 2227b5efb838fb563a8d3a6d1fe146e3b637a94d
SHA256: b71de1189c4897af7bd2f4f3bb32ce3fad005333b43875560722fd141e2e02b3
SHA512: dc24d5f81c0e8f5530ac80bb83f2143a7113bed9b78f3ada0f7e810e44ef9fc621415da656846f655aeb71dcf439f7c6e98833853c266d720b459fc98af33775

Filesize: 2.7MB
MD5: d882df19ee641e018ef14140f76b4b8c
SHA1: 26605a05f72c5eb2fe6c4ea17f38a79ddcc5c977
SHA256: 2fdf388b0416b6e5c27560d4f75934991794c0a5e3931d906b5535d8ed5cc429
SHA512: addad9a18ebba0a618c3a4883d6ac0083622c6879e7dd42198c9e0687d7b622be2b3c28c68f74808f893ffd6e2b569e0db1e5effbd68bdc582c0d705bb1a65de