Analysis
- max time kernel: 119s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 15/07/2024, 03:03
Static task
- static1
Behavioral tasks
- behavioral1: sample 6bcaa1f9fe8643b0285fbfa0edbc7470N.exe, resource win7-20240705-en
- behavioral2: sample 6bcaa1f9fe8643b0285fbfa0edbc7470N.exe, resource win10v2004-20240709-en
General
- Target: 6bcaa1f9fe8643b0285fbfa0edbc7470N.exe
- Size: 2.7MB
- MD5: 6bcaa1f9fe8643b0285fbfa0edbc7470
- SHA1: e62cca5f1d23823979dfa540ecbc2f6c77f5db3c
- SHA256: 5aec07f48d974d389d709d3c89966c1cb9031bc7db0e2525125598120f2133b9
- SHA512: 59ac3c9f40edc0b176c8589d88772babf622b0a462ece7372d90d5f25a6f65ec39d8952be0ac8984c6d3fe83b7aea541b055d3375dbb4234555e2969f54aac1e
- SSDEEP: 49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBe9w4Sx:+R0pI/IQlUoMPdmpSp84
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid  | Process
  2380 | xbodec.exe
- Loads dropped DLL (1 IoC)
  pid  | Process
  2396 | 6bcaa1f9fe8643b0285fbfa0edbc7470N.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description     | ioc                                                                                                                                 | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotPR\\xbodec.exe"    | 6bcaa1f9fe8643b0285fbfa0edbc7470N.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxNH\\dobaloc.exe" | 6bcaa1f9fe8643b0285fbfa0edbc7470N.exe
  Both values share the name "Parametr" and are written to the current user's hive (HKCU, SID S-1-5-21-...-1000), so they persist per user rather than machine-wide. The RunOnce target C:\GalaxNH\dobaloc.exe was not observed executing within this run (see Processes); only the Run target xbodec.exe started.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid  | Process
  2396 | 6bcaa1f9fe8643b0285fbfa0edbc7470N.exe
  2380 | xbodec.exe
  The 64 IoC rows alternate between these two processes, i.e. both the dropper and the dropped executable repeatedly enumerate running processes.
- Suspicious use of WriteProcessMemory (4 IoCs)
  description                       | pid  | Process                                | procid_target
  PID 2396 wrote to memory of 2380  | 2396 | 6bcaa1f9fe8643b0285fbfa0edbc7470N.exe  | 30
  (the same row is recorded four times)
Processes
1. "C:\Users\Admin\AppData\Local\Temp\6bcaa1f9fe8643b0285fbfa0edbc7470N.exe" (PID 2396)
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\UserDotPR\xbodec.exe (PID 2380, child of PID 2396)
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads (dropped files)
- Filesize: 2.7MB
  MD5: 93c30f0b85b9f911960e72c8490a2ba6
  SHA1: e04c5d02a1ecdd9bb330910c91b63fb57d51f12e
  SHA256: 80b1cd43502753f2312a0c3691a297ec8a1979c170b8019e17ed629b022b092f
  SHA512: 9a6591608f1512c6fbcf7c94d6bdf381b9700e0ce89c591140315e5964bed346190598cd064f32b579140c16495f0dbd754dd351ca42955343e3f43d409f78cd
- Filesize: 203B
  MD5: 3c89958e7d4e8337d069cd713b7c3da2
  SHA1: 980c85a9b68ba19ec1807d9dfa3007f1a078e968
  SHA256: d6d3be251d5bccae9028941c7cfa6ab39e31946d7bb24122da58c6d38714e6e5
  SHA512: 1631ccd7d73f081e0985f0907efb5a8b6884ee1efe9c101f6a05b6a1b0e21da5fc87b624a5d015e9500cdc3c583ee763210a8938927c2a8dd44f1e8d4707374d
- Filesize: 2.7MB
  MD5: b447e80f15641e7f8efe1a3909234d28
  SHA1: 6ee32fbd298ebb009a11030870689b14d50f09b9
  SHA256: a8c516efeaa8a5b21c51320c0d10d2f658b77ad99d29024b6d8a915228cb7657
  SHA512: f785c6da81f9ae34b23e367ece40d88ace469ab2c44252544e2be44000ddb7b303e907a210930c70195a0273622b824c6f7f81986283bde5f9579de822923776
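The persistence and dropped-file indicators in the Signatures and Downloads sections can be turned into a host check. The PowerShell below is an added example and is not part of the tria.ge report or the sample: it reads the Run and RunOnce values of every loaded user hive (not only the current user's, since the sample writes to the per-user hive), flags the "Parametr" value name and the two drop directories, hashes anything found at the dropped paths against the SHA256s listed under General and Downloads, and looks for a running xbodec.exe. The report does not state which dropped file is xbodec.exe or dobaloc.exe, so a file present at a dropped path whose hash is not in the list is still reported (with known=False). It assumes it is run elevated so other users' hives are readable.

```powershell
# Added hunting example (not from the tria.ge report). Checks a Windows host for the
# indicators recorded in this report: Run/RunOnce value "Parametr", the drop paths
# C:\UserDotPR\xbodec.exe and C:\GalaxNH\dobaloc.exe, the listed SHA256 hashes, and a
# running xbodec.exe. Assumption: runs elevated so every loaded user hive under HKU is readable.

$ErrorActionPreference = 'Stop'

# Indicators copied from the report
$runValueName = 'Parametr'
$dropPaths    = @('C:\UserDotPR\xbodec.exe', 'C:\GalaxNH\dobaloc.exe')
$knownSha256  = @(
    '5aec07f48d974d389d709d3c89966c1cb9031bc7db0e2525125598120f2133b9', # submitted sample
    '80b1cd43502753f2312a0c3691a297ec8a1979c170b8019e17ed629b022b092f', # dropped file, 2.7MB
    'd6d3be251d5bccae9028941c7cfa6ab39e31946d7bb24122da58c6d38714e6e5', # dropped file, 203B
    'a8c516efeaa8a5b21c51320c0d10d2f658b77ad99d29024b6d8a915228cb7657'  # dropped file, 2.7MB
)

$findings = @()

# 1. Persistence: the sample writes the same value name to Run and RunOnce in the user hive.
#    Enumerating HKU covers every loaded profile, not just the account running this script.
$hives = Get-ChildItem -Path 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notmatch '_Classes$' }

foreach ($hive in $hives) {
    foreach ($sub in 'Run', 'RunOnce') {
        $key = "Registry::HKEY_USERS\$($hive.PSChildName)\Software\Microsoft\Windows\CurrentVersion\$sub"
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in $props.PSObject.Properties.Name) {
            if ($name -like 'PS*') { continue }   # skip provider metadata (PSPath, PSChildName, ...)
            $value = [string]$props.$name
            # Match on the exact value name from the report or on either drop directory in the data.
            if ($name -eq $runValueName -or $value -match 'UserDotPR|GalaxNH') {
                $findings += [pscustomobject]@{ Type = 'RunKey'; Location = "$key\$name"; Detail = $value }
            }
        }
    }
}

# 2. Dropped files: flag by path, and hash anything present so it can be compared with the report.
foreach ($p in $dropPaths) {
    if (Test-Path -LiteralPath $p) {
        $h = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash.ToLower()
        $known = $knownSha256 -contains $h
        $findings += [pscustomobject]@{ Type = 'DroppedFile'; Location = $p; Detail = "sha256=$h known=$known" }
    }
}

# 3. Live process named like the dropped executable (the report shows it running as a child of the dropper).
foreach ($proc in (Get-Process -Name 'xbodec' -ErrorAction SilentlyContinue)) {
    $findings += [pscustomobject]@{ Type = 'Process'; Location = "PID $($proc.Id)"; Detail = $proc.Path }
}

if ($findings.Count -eq 0) {
    'No indicators from this report were found on this host.'
} else {
    $findings | Format-Table -AutoSize
}
```

A hit on the RunOnce value alone is worth acting on even when C:\GalaxNH\dobaloc.exe is absent: in the sandbox run the RunOnce target never executed, so on a real host it would fire at the next logon of that user.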