Analysis
max time kernel: 149s
max time network: 101s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/06/2024, 05:13
Static task: static1
Behavioral task: behavioral1
  Sample: ec7f73563d36f1bd9ee1e717fe90a6b75d4219cde3c0cc6b99a2642c693caa6b.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: ec7f73563d36f1bd9ee1e717fe90a6b75d4219cde3c0cc6b99a2642c693caa6b.exe
  Resource: win10v2004-20240508-en
General
Target: ec7f73563d36f1bd9ee1e717fe90a6b75d4219cde3c0cc6b99a2642c693caa6b.exe
Size: 2.7MB
MD5: 7b8c8a7f8972241cff615761c9d9400f
SHA1: 995057155666f49ce18e6bcb8ad75515b1d8835f
SHA256: ec7f73563d36f1bd9ee1e717fe90a6b75d4219cde3c0cc6b99a2642c693caa6b
SHA512: 198cf1d1f92cb7addfdd7f2c17a37a0c2974e370f6a1bc95df8d11256cbb3d75e19b68b65116e2261a17e5e1014d616078bb3a0172955fb19453764e9df516b4
SSDEEP: 49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB39w4Sx:+R0pI/IQlUoMPdmpSpz4
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid 4396  Process: devdobec.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str)  \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidGZ\\dobdevec.exe"  Process: ec7f73563d36f1bd9ee1e717fe90a6b75d4219cde3c0cc6b99a2642c693caa6b.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvHS\\devdobec.exe"  Process: ec7f73563d36f1bd9ee1e717fe90a6b75d4219cde3c0cc6b99a2642c693caa6b.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of WriteProcessMemory (3 IoCs)
  PID 1968 wrote to memory of 4396  Process: ec7f73563d36f1bd9ee1e717fe90a6b75d4219cde3c0cc6b99a2642c693caa6b.exe  procid_target: 90
  PID 1968 wrote to memory of 4396  Process: ec7f73563d36f1bd9ee1e717fe90a6b75d4219cde3c0cc6b99a2642c693caa6b.exe  procid_target: 90
  PID 1968 wrote to memory of 4396  Process: ec7f73563d36f1bd9ee1e717fe90a6b75d4219cde3c0cc6b99a2642c693caa6b.exe  procid_target: 90
Processes
1. C:\Users\Admin\AppData\Local\Temp\ec7f73563d36f1bd9ee1e717fe90a6b75d4219cde3c0cc6b99a2642c693caa6b.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ec7f73563d36f1bd9ee1e717fe90a6b75d4219cde3c0cc6b99a2642c693caa6b.exe"
   PID: 1968
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\SysDrvHS\devdobec.exe
      Command line: C:\SysDrvHS\devdobec.exe
      PID: 4396
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
  Filesize: 2.7MB
  MD5: f74389575c4eed1c471a17841b51ad31
  SHA1: ee467886bfa460514ceaadd33e72051b1058e5a0
  SHA256: dba1437593c1fd22de36778d883a737b2e84a9951f04589feaaf229ef401dd19
  SHA512: 53d7f9b05188afbc3c82f2e4b339dcf60b39dda9bfa85cb30e52e7aa8df6649fca5e9b8cf8bad0821075e95aa6b024c8698df0272b4eaaba72bb7da91544038b
File 2
  Filesize: 202B
  MD5: b21e278ea1ba78aea980ffac5f8ffa9e
  SHA1: 299369214c54889198ccf4a6a5c72b4f1811013f
  SHA256: 6c733dbafb0d5be7ef30bcce726fe85250607793e9af5bbc6ba4a3ec74e1a4ba
  SHA512: 94117ae44b15f4dc1d04fe43fa065eb2ee452f69d05190be83ba208f460560a2e6c3328469eb22faa55c2a9d335934e638d256abc2e96be03b10b566da3f36ed
File 3
  Filesize: 2.7MB
  MD5: 9f61b04e3af530bf9f20f0e915752159
  SHA1: f64fdcb33ca322cea86607e49a769122e9c984a7
  SHA256: e1020fd9c8cd38e2548141fd3131bc58c5332d84cd6bdb0aeeb814a382581c4b
  SHA512: 4a01b24e965bd70c101ac9780aa82cb91cd31daef98cfd498a65373a6da3324ff6fcf539d57777528e291781cd83c7bd8e9704ff6c5c567c5e390285c5103e7c