Analysis
Max time kernel: 149s
Max time network: 120s
Platform: windows7_x64
Resource: win7-20240705-en
Resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
Submitted: 12/07/2024, 10:14
Static task: static1
Behavioral task: behavioral1
  Sample: 45cf9b38c2abb92e59fb4a2995a91d20N.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: 45cf9b38c2abb92e59fb4a2995a91d20N.exe
  Resource: win10v2004-20240709-en
General
Target: 45cf9b38c2abb92e59fb4a2995a91d20N.exe
Size: 2.7MB
MD5: 45cf9b38c2abb92e59fb4a2995a91d20
SHA1: 80ded2ec4435d3a1c6554be6a22ab0b56fc14bbf
SHA256: 18fab9097be31427c55fc1661ebf7635caa0e65a17965b01228b8505049a3ce7
SHA512: 0a6ec45908e9a9f21fb271e47813e23cfe4f0c3a3fbef1abdc477f8691b2a4cbc7d423e958d6206584808d7c0030218cb56cbeb6e32895cc51bd006781988b0b
SSDEEP: 49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBK9w4Sx:+R0pI/IQlUoMPdmpSpM4
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  PID   Process
  2876  adobloc.exe

Loads dropped DLL (1 IoC)
  PID   Process
  2632  45cf9b38c2abb92e59fb4a2995a91d20N.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  Description      IoC                                                                                                                                                    Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeX0\\adobloc.exe"       45cf9b38c2abb92e59fb4a2995a91d20N.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid16\\dobdevsys.exe"   45cf9b38c2abb92e59fb4a2995a91d20N.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID   Process
  2632  45cf9b38c2abb92e59fb4a2995a91d20N.exe
  2876  adobloc.exe
  (The 64 entries alternate between these two processes.)

Suspicious use of WriteProcessMemory (4 IoCs)
  Description                       PID   Process                                 procid_target
  PID 2632 wrote to memory of 2876  2632  45cf9b38c2abb92e59fb4a2995a91d20N.exe   30
  (This entry is listed four times.)
Processes

1. C:\Users\Admin\AppData\Local\Temp\45cf9b38c2abb92e59fb4a2995a91d20N.exe (PID 2632)
   Command line: "C:\Users\Admin\AppData\Local\Temp\45cf9b38c2abb92e59fb4a2995a91d20N.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. C:\AdobeX0\adobloc.exe (PID 2876), second level of the tree under PID 2632
      Command line: C:\AdobeX0\adobloc.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads