Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240419-en
resource tags
arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted
05/06/2024, 05:24
Static task
static1
Behavioral task
behavioral1
Sample
f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe
Resource
win10v2004-20240508-en
General
Target
f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe
Size
3.1MB
MD5
3e4e96e2d5e0f1544b85afe1a138ad74
SHA1
4710270e170afbfe822aa635aa62f8a75abab153
SHA256
f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6
SHA512
2d186cace7ab782e850a4247c283f2877850992cf34fe380c445733e394ec0e02a309e481d8cd274130844fb87062dad18369ffb22431d778b88a9c07fb2711c
SSDEEP
49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBq9w4Su+LNfej:+R0pI/IQlUoMPdmpSpc4JkNfej
Malware Config
Signatures
Executes dropped EXE (1 IoC)
pid 3056, process devdobloc.exe

Loads dropped DLL (1 IoC)
pid 1620, process f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Set value (str): \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotI5\\devdobloc.exe" (process f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe)
Set value (str): \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZWW\\dobxsys.exe" (process f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid 1620, process f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe
pid 3056, process devdobloc.exe
(All 64 entries reference these two processes.)

Suspicious use of WriteProcessMemory (4 IoCs)
description: PID 1620 wrote to memory of 3056; pid 1620; process f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe; procid_target 28
(4 identical entries.)
Processes
"C:\Users\Admin\AppData\Local\Temp\f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe" (PID 1620)
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
  C:\UserDotI5\devdobloc.exe (PID 3056, spawned under PID 1620)
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads