Analysis
- max time kernel: 119s
- max time network: 111s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13/07/2024, 00:03
Static task: static1
Behavioral task: behavioral1
- Sample: 18d0a100a87a3f16fa9b4f08a2d2a010N.exe
- Resource: win7-20240705-en
Behavioral task: behavioral2
- Sample: 18d0a100a87a3f16fa9b4f08a2d2a010N.exe
- Resource: win10v2004-20240709-en
General
- Target: 18d0a100a87a3f16fa9b4f08a2d2a010N.exe
- Size: 2.7MB
- MD5: 18d0a100a87a3f16fa9b4f08a2d2a010
- SHA1: e1c367595f444375d9b5b2730959209f5fd5081f
- SHA256: ecefdeca3f0936086119593c098b8b14b9431ae698f2861dba7a408f5f4fbe8b
- SHA512: 6fed51c840b7e0ea1f28df7c37e71d1245f0357afb9acd2f9416ded3a6725b9388853a2a266a8bf6e8aa68208f7f5e8e0175a2dd8dc2a7557c106985def5e566
- SSDEEP: 49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB79w4Sx:+R0pI/IQlUoMPdmpSpH4
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 1072, process adobloc.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeMA\\adobloc.exe" (process: 18d0a100a87a3f16fa9b4f08a2d2a010N.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZD4\\bodxsys.exe" (process: 18d0a100a87a3f16fa9b4f08a2d2a010N.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs, two distinct processes reported repeatedly)
  pid 2820, process 18d0a100a87a3f16fa9b4f08a2d2a010N.exe
  pid 1072, process adobloc.exe
- Suspicious use of WriteProcessMemory (3 IoCs, identical entries)
  PID 2820 wrote to memory of 1072: pid 2820, process 18d0a100a87a3f16fa9b4f08a2d2a010N.exe, procid_target 87
Processes
1. C:\Users\Admin\AppData\Local\Temp\18d0a100a87a3f16fa9b4f08a2d2a010N.exe (PID 2820)
   Command line: "C:\Users\Admin\AppData\Local\Temp\18d0a100a87a3f16fa9b4f08a2d2a010N.exe"
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\AdobeMA\adobloc.exe (PID 1072, child of PID 2820)
      Command line: C:\AdobeMA\adobloc.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.7MB
  MD5: ff8d67282200ea3cfd76d9ee23548cf6
  SHA1: bf8a9111c62d24e8a8bdc5feedb40396e628ff1e
  SHA256: 1278af95074ff3cb57d1a2d6631b767e6b7cc76c38fee752751cc5e9955f588e
  SHA512: f5a35673c992aca91bb6fe5571f2d1a32d743558b5269f2707ab3f14e4c2aa927c908dd3434429898bed673aff57cee6058a3e80e8777d8d06d932688ee558ea
- Filesize: 2.7MB
  MD5: 805086cf29c84bf281fa62e269c91351
  SHA1: f49298b8ca1006e314fd8cdbd0a591e70f923833
  SHA256: c9d5a2e1ba939432816cf9e510c9901134b573426626a6299bbf2da39cb78437
  SHA512: 553c0edd3e43f6db9befaf05943f63b4f573829c7e294d7d8c716abb18af8a2f184e7bb939007b8296f263fb9dd6e106b776288138bc17108f341aa8eb5e63a0
- Filesize: 200B
  MD5: d97b0b3b29d4fb30a21121fda50bc315
  SHA1: 32acc1891f260167bc5f8eabb945389d4b6cb693
  SHA256: 32d61a34c776b664c36e9c84478bcfec51bff4858912ef485ccd93c049b53a3d
  SHA512: 5bb2e2992fe347e8790373d5e93ef040507502a815afd13c12fb84e15151a573709f5c06c2f181b7c6e4e784e3d94512a9906571cc9895ec030864150f4edf95