Analysis
- max time kernel: 149s
- max time network: 102s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03/06/2024, 05:08
Static task
- static1
Behavioral task
- behavioral1
  Sample: eb45bf5333ca91c8e6c98edaeb6125afbcd77f1d5b53acfcc47d8b879fb5c17a.exe
  Resource: win7-20240221-en
- behavioral2
  Sample: eb45bf5333ca91c8e6c98edaeb6125afbcd77f1d5b53acfcc47d8b879fb5c17a.exe
  Resource: win10v2004-20240508-en
General
- Target: eb45bf5333ca91c8e6c98edaeb6125afbcd77f1d5b53acfcc47d8b879fb5c17a.exe
- Size: 2.7MB
- MD5: 7db07e8c99f3838ad96f8ab1758c60f6
- SHA1: a2fea07e6a736e34054570fba9b9e9a6b13ec1d8
- SHA256: eb45bf5333ca91c8e6c98edaeb6125afbcd77f1d5b53acfcc47d8b879fb5c17a
- SHA512: 85ec3b8bab2de91089412bc9c3617661d97426a3ea3148e761e95ec8249c8dfba15a229625e8b49847c95dd1a0da273c681b3e6e9d35084e75c8b0cfac6a970e
- SSDEEP: 49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBC9w4Sx:+R0pI/IQlUoMPdmpSpE4
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  PID 732: devoptiloc.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeGT\\devoptiloc.exe" (written by eb45bf5333ca91c8e6c98edaeb6125afbcd77f1d5b53acfcc47d8b879fb5c17a.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZXW\\dobaec.exe" (written by eb45bf5333ca91c8e6c98edaeb6125afbcd77f1d5b53acfcc47d8b879fb5c17a.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  64 process-enumeration events, interleaved between PID 4804 (eb45bf5333ca91c8e6c98edaeb6125afbcd77f1d5b53acfcc47d8b879fb5c17a.exe) and PID 732 (devoptiloc.exe)
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 4804 (eb45bf5333ca91c8e6c98edaeb6125afbcd77f1d5b53acfcc47d8b879fb5c17a.exe) wrote to memory of PID 732 (devoptiloc.exe), procid_target 88, recorded three times
Processes
- "C:\Users\Admin\AppData\Local\Temp\eb45bf5333ca91c8e6c98edaeb6125afbcd77f1d5b53acfcc47d8b879fb5c17a.exe" (PID 4804)
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\AdobeGT\devoptiloc.exe (PID 732, child of PID 4804)
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
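The indicators above are most useful once they can be run against host telemetry. The following Python script is an added example, not part of the tria.ge report: it collects the indicators listed on this page (the sample SHA256, the three dropped-file hashes from the Downloads section, the Parametr autorun value under Run and RunOnce, and the two payload paths) and matches them against Sysmon-style event records. The event records and their field names (type, target, data, path, sha256) are constructed for this example and are the script's own convention, not an official schema. Two caveats a hunter should carry over from the report: the RunOnce value points at C:\LabZXW\dobaec.exe, which never executes in the recorded trace (only devoptiloc.exe runs), so that path is worth checking on its own, and the report does not say which dropped-file hash belongs to which path, so the hashes are matched as a set.

```python
"""Match host telemetry against the indicators from the report above.

Added example, not part of the tria.ge report. The event records at the
bottom are constructed to resemble Sysmon-style telemetry (registry value
set, file create, process create); the field names are this script's own
convention.
"""

# Indicators copied from the report: sample hash, dropped-file hashes
# (the report does not say which dropped hash belongs to which path),
# and the autorun values the sample writes. Everything is lower-cased
# so comparisons are case-insensitive, as Windows paths and keys are.
SAMPLE_SHA256 = "eb45bf5333ca91c8e6c98edaeb6125afbcd77f1d5b53acfcc47d8b879fb5c17a"
DROPPED_SHA256 = {
    "e6cb333b020c0873557167ed6dcef3d89d7b375eb5bcbd0747070e1778b558b0",
    "159cd213b88501eed92831221870240b7401eb45e805d25bb736d1c71559155d",
    "ca4046b6fb9f80ffbc2d7386c382f0cd437159e0a398f0ea0bd14af21f878aec",
}
AUTORUN_VALUE = "parametr"
AUTORUN_KEYS = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\runonce",
)
DROPPED_PATHS = {r"c:\adobegt\devoptiloc.exe", r"c:\labzxw\dobaec.exe"}


def _norm_path(path):
    """Lower-case and strip surrounding quotes so quoted command lines compare equal."""
    return path.strip().strip('"').lower()


def match_event(event):
    """Return the list of indicator names an event matches (empty if none)."""
    hits = []
    kind = event.get("type")
    if kind == "registry_set":
        # Sysmon-style TargetObject: hive path ending in \<key>\<value name>.
        # The hive prefix differs between HKCU\... and \REGISTRY\USER\<SID>\...,
        # so compare the key suffix rather than the full path.
        key, _, value = event.get("target", "").lower().rpartition("\\")
        if value == AUTORUN_VALUE and key.endswith(AUTORUN_KEYS):
            hits.append("autorun value 'Parametr' under Run/RunOnce")
        if _norm_path(event.get("data", "")) in DROPPED_PATHS:
            hits.append("autorun points at dropped payload path")
    elif kind in ("file_create", "process_create"):
        if _norm_path(event.get("path", "")) in DROPPED_PATHS:
            hits.append("dropped payload path")
        sha = event.get("sha256", "").lower()
        if sha == SAMPLE_SHA256:
            hits.append("sample SHA256")
        elif sha in DROPPED_SHA256:
            hits.append("dropped-file SHA256")
    return hits


def scan(events):
    """Return (index, hits) for every event that matched at least one indicator."""
    results = []
    for i, event in enumerate(events):
        hits = match_event(event)
        if hits:
            results.append((i, hits))
    return results


# Constructed telemetry: events 0, 2 and 3 mirror what the report shows;
# events 1 and 4 are benign noise that must not match.
SAMPLE_EVENTS = [
    {"type": "registry_set",
     "target": r"\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000"
               r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr",
     "data": r"C:\AdobeGT\devoptiloc.exe"},
    {"type": "registry_set",
     "target": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"type": "process_create", "path": r"C:\AdobeGT\devoptiloc.exe", "sha256": ""},
    {"type": "file_create", "path": r"C:\Users\Admin\AppData\Local\Temp\x.tmp",
     "sha256": "e6cb333b020c0873557167ed6dcef3d89d7b375eb5bcbd0747070e1778b558b0"},
    {"type": "process_create", "path": r"C:\Windows\System32\notepad.exe", "sha256": "0" * 64},
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_EVENTS):
        print(f"event {index}: " + "; ".join(hits))
```

The key suffix comparison matters in practice: the report records the autorun write against \REGISTRY\USER\<SID>\..., while Sysmon and most EDRs report the same write as HKU\<SID>\... or HKCU\..., so matching on the full path would miss it.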
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.7MB
  MD5: 59eb3fed271fbd0eb25fdf1362e4fbb5
  SHA1: 2b2a66a0f396d2a546793491078dfb6383fab068
  SHA256: e6cb333b020c0873557167ed6dcef3d89d7b375eb5bcbd0747070e1778b558b0
  SHA512: 2c6ca7dfde9b86b86ba5942fbdf30bc3c12c3b4eabdf684e89bf1c1189f65427d308090772e9b022fcab0b7b5278213b7edad1519bf2da23f57da310d8f062c2
- Filesize: 2.7MB
  MD5: a44b83b2c2beec977db594f72adea086
  SHA1: 370b1f5317492d9c9f2762100ceb864f079fac39
  SHA256: 159cd213b88501eed92831221870240b7401eb45e805d25bb736d1c71559155d
  SHA512: edcb01a43cb38e9cd6d71503718d95f028db3e2bb545df3a5113e508270e9674f6f909a2380b022ea67ef5dd7c01d1a989a953f1fc284d7f5943c160f1da0c3e
- Filesize: 203B
  MD5: 792b4846925291527a24399da0972b1c
  SHA1: 0a0342b83caafd14f1208e7b101a6d109ac050ca
  SHA256: ca4046b6fb9f80ffbc2d7386c382f0cd437159e0a398f0ea0bd14af21f878aec
  SHA512: 96896b97baf99655174cacad9137e0310ec5b8fdec9b991c02c9eac23bb85a4960e2c7cadde5b5f5ef36d54e1d7e109ae805bd9250beed8787875010dff09d10