Analysis
max time kernel: 149s
max time network: 120s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 03/06/2024, 05:08
Static task: static1
Behavioral task: behavioral1
  Sample: eb45bf5333ca91c8e6c98edaeb6125afbcd77f1d5b53acfcc47d8b879fb5c17a.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: eb45bf5333ca91c8e6c98edaeb6125afbcd77f1d5b53acfcc47d8b879fb5c17a.exe
  Resource: win10v2004-20240508-en
General
Target: eb45bf5333ca91c8e6c98edaeb6125afbcd77f1d5b53acfcc47d8b879fb5c17a.exe
Size: 2.7MB
MD5: 7db07e8c99f3838ad96f8ab1758c60f6
SHA1: a2fea07e6a736e34054570fba9b9e9a6b13ec1d8
SHA256: eb45bf5333ca91c8e6c98edaeb6125afbcd77f1d5b53acfcc47d8b879fb5c17a
SHA512: 85ec3b8bab2de91089412bc9c3617661d97426a3ea3148e761e95ec8249c8dfba15a229625e8b49847c95dd1a0da273c681b3e6e9d35084e75c8b0cfac6a970e
SSDEEP: 49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBC9w4Sx:+R0pI/IQlUoMPdmpSpE4
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid 2728, process devdobsys.exe
Loads dropped DLL (1 IoC)
  pid 2012, process eb45bf5333ca91c8e6c98edaeb6125afbcd77f1d5b53acfcc47d8b879fb5c17a.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocQ0\\devdobsys.exe" (process eb45bf5333ca91c8e6c98edaeb6125afbcd77f1d5b53acfcc47d8b879fb5c17a.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid95\\optidevsys.exe" (process eb45bf5333ca91c8e6c98edaeb6125afbcd77f1d5b53acfcc47d8b879fb5c17a.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of WriteProcessMemory (4 IoCs)
  PID 2012 wrote to memory of 2728 (pid 2012, process eb45bf5333ca91c8e6c98edaeb6125afbcd77f1d5b53acfcc47d8b879fb5c17a.exe, procid_target 28)
  PID 2012 wrote to memory of 2728 (pid 2012, process eb45bf5333ca91c8e6c98edaeb6125afbcd77f1d5b53acfcc47d8b879fb5c17a.exe, procid_target 28)
  PID 2012 wrote to memory of 2728 (pid 2012, process eb45bf5333ca91c8e6c98edaeb6125afbcd77f1d5b53acfcc47d8b879fb5c17a.exe, procid_target 28)
  PID 2012 wrote to memory of 2728 (pid 2012, process eb45bf5333ca91c8e6c98edaeb6125afbcd77f1d5b53acfcc47d8b879fb5c17a.exe, procid_target 28)
Processes
1. C:\Users\Admin\AppData\Local\Temp\eb45bf5333ca91c8e6c98edaeb6125afbcd77f1d5b53acfcc47d8b879fb5c17a.exe (PID 2012)
   Command line: "C:\Users\Admin\AppData\Local\Temp\eb45bf5333ca91c8e6c98edaeb6125afbcd77f1d5b53acfcc47d8b879fb5c17a.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\IntelprocQ0\devdobsys.exe (PID 2728)
      Command line: C:\IntelprocQ0\devdobsys.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 208B
  MD5: 3d1d138549cc791d8a15838f84a6fa2f
  SHA1: 74d3c6f2922bc3f5c58649dca49a9ac47acdfb6c
  SHA256: d4a40bdd4250da258b6ef67a878e13c6b57f9937a8791a424a5f8ebd6527f18b
  SHA512: 2eb8cfc02b712906ec201564af414364d4aaff27ee541ab5d68d19e5e34aadc02014baa25fde138e8080ce769a83bcdc0fdd80a66011887c5050fdda2b54bf06
Filesize: 2.7MB
  MD5: 164352f25bb3b0a5e1414a2d9cc149af
  SHA1: 400ef4f27b881e103586268c307e0f0289c12c19
  SHA256: 0879b8e8f7b43a447308daba5f90b0fae4747068fbce9992910cdb7722400fac
  SHA512: 015dd2d90e23ca4f80cfa1a212b141d2d26c1efbafc4497028773a6c70ecf2332b82338254215e8f4f2e833bfb57cbb1bf6bbbe08de284eee48ba7e08fa72cad
Filesize: 2.7MB
  MD5: 7cb40eed07816cc207b0bd2d0e97c7ea
  SHA1: 559263b680b8a05b22e49fb3ed9c5fa07606353d
  SHA256: 42dc458cb9161a414ef321654e70a1579f48de058c70d493930b693179a9443b
  SHA512: 0a3bf5bf56818d1e1f594351c3e01747ed10ca93ec3b3eccf9b7b01134dffa3213aad3b3264a4fcf780476305d1b5d13eeb595d21787c1ae1308adba5b3b8e10