Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel
119s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags
arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted
16/07/2024, 03:05
Static task
static1
Behavioral task
behavioral1
Sample
59b63d0e3702529c84a23e34a93776d0N.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
59b63d0e3702529c84a23e34a93776d0N.exe
Resource
win10v2004-20240709-en
General
-
Target
59b63d0e3702529c84a23e34a93776d0N.exe
-
Size
2.7MB
-
MD5
59b63d0e3702529c84a23e34a93776d0
-
SHA1
c89a2401c7737766b0ddd131906d7dbf1c533e3d
-
SHA256
678b5eaaad793b7036cbff3572a38ee4153e4a7e0fca757ad2ac35bcc193589f
-
SHA512
0ac55eafa0f57617f29099c6b96bdbbc496a4ef423980289ea0af4a5d3097abffa2244613452728a0c106f49e761387bc263560a819da65394c9fce78667c5d1
-
SSDEEP
49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBq9w4Sx:+R0pI/IQlUoMPdmpSpc4
Malware Config
Signatures
-
Executes dropped EXE (1 IoC)
pid 1220  Process abodloc.exe
-
Adds Run key to start application (2 TTPs, 2 IoCs)
Set value (str)  \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvDS\\abodloc.exe"  Process 59b63d0e3702529c84a23e34a93776d0N.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid6W\\optiaec.exe"  Process 59b63d0e3702529c84a23e34a93776d0N.exe
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
All 64 events come from two processes, repeated throughout the run:
pid 1512  Process 59b63d0e3702529c84a23e34a93776d0N.exe
pid 1220  Process abodloc.exe
-
Suspicious use of WriteProcessMemory (3 IoCs)
PID 1512 (59b63d0e3702529c84a23e34a93776d0N.exe) wrote to memory of PID 1220 (abodloc.exe), procid_target 86; three identical events
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\59b63d0e3702529c84a23e34a93776d0N.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\59b63d0e3702529c84a23e34a93776d0N.exe"
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 1512
    [2] C:\SysDrvDS\abodloc.exe
        Command line: C:\SysDrvDS\abodloc.exe
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        PID: 1220
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2.7MB
MD5
e3b6eff8a9af5b4923666a508b586004
SHA1
0a0ec7f6ea8d32ec6971f4bbad0a93a7a9f5ad3a
SHA256
7a827530add561c5954b1583908f81533bef59bd63f63aa00f174dfb62c0d431
SHA512
3bbaa6441838cae91d5954058f085dfc9428b60a4a72ebf531f0d45466b1fc1a7a51229bc2d83d92feaaf3d64eec6bf895dd930dace2b4764ff39971f3c258ec
-
Filesize
200B
MD5
a4b9992f5987281e81b813c177cc3b5e
SHA1
918995d8009b2441bf3005b3abd85c11ae7da4f0
SHA256
93d0e9808dbb46cb3a60cb8ce12ea1b4c063a53fe7d745822d5771d796837786
SHA512
e07b30f764d31918607e90e4d6c2bb7913921b3d677427b1e9a1cb7f6b26a67c06217ec82279baf2a0686a9311cdce244a3f58d12a159f0d0fb4c2017cf47dbf
-
Filesize
155KB
MD5
17edfd426b7bff7fc7f5128dcd52f07a
SHA1
5a6c64d2ef8dd5365882c91fa59f74e00f7093de
SHA256
2c7fc5469e8fd79b18772bf6f048c2a1238987b0708eac55c9e854c1f4e21969
SHA512
6c3f46a9295192cc053637c04e2613b4ada2cb7c31fec0620795a4a8903b4956a1abfbd23cc347c760f6b99c45a35b636ecd0e244fa638a4bad90a913f91ba85
-
Filesize
2.7MB
MD5
4c3dfa6da0270f91fc2e8a1df5654ce5
SHA1
6e00619a810324a2396ad459b677e6279c766462
SHA256
e7d8ad6716a8f7efa2f17ea4f88bf7979b61745f17df0c672095c9d2198d9618
SHA512
e7e340e29e03227cf74e5367e7f0ba2ad2cd6ed78471af0cf5da4f77f2fbbc9d34f1fd9b864e6cda9efbb37fa12114ae13df7b76bf23088abb9f67e6a6b30222
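The Signatures section above shows the two host artifacts worth hunting for: a Run value and a RunOnce value both named "Parametr" in the user hive, pointing at executables the sample placed in directories created directly under the system drive (C:\SysDrvDS\abodloc.exe, which ran as PID 1220, and C:\Vid6W\optiaec.exe, which did not execute within the 119s analysis window), plus the SHA-256 hashes of the sample and the four dropped files listed under Downloads. The following PowerShell sweep is an added example and is not part of the tria.ge report or the sample's own code; the registry paths, directories and hashes are taken from the report, while the function names, the "non-standard root-level directory" heuristic and the output shape are this example's own assumptions. It is meant to be run from an elevated session on a host you suspect ran this sample.

```powershell
# Added example (not from the tria.ge report): hunt a Windows host for the
# persistence values, drop directories and file hashes recorded in the report.
# Run elevated. Function names and the scoring heuristic are assumptions of
# this example; paths and hashes come from the report above.

# SHA-256 values from the report: the submitted sample plus the four Downloads.
$KnownBad = @{
    '678B5EAAAD793B7036CBFF3572A38EE4153E4A7E0FCA757AD2AC35BCC193589F' = 'submitted sample (2.7MB)'
    '7A827530ADD561C5954B1583908F81533BEF59BD63F63AA00F174DFB62C0D431' = 'dropped file (2.7MB)'
    '93D0E9808DBB46CB3A60CB8CE12EA1B4C063A53FE7D745822D5771D796837786' = 'dropped file (200B)'
    '2C7FC5469E8FD79B18772BF6F048C2A1238987B0708EAC55C9E854C1F4E21969' = 'dropped file (155KB)'
    'E7D8AD6716A8F7EFA2F17EA4F88BF7979B61745F17DF0C672095C9D2198D9618' = 'dropped file (2.7MB)'
}

# Directories the sample created directly under the system drive.
$SuspectDirs = @('C:\SysDrvDS', 'C:\Vid6W')

# Run/RunOnce keys to sweep: HKLM plus every loaded S-1-5-21 user hive. The
# sandbox wrote to the S-1-5-21-...-1000 hive, so HKCU alone would miss other users.
function Get-RunKeyPaths {
    $roots = @('HKLM:')
    $userHives = Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' }
    foreach ($hive in $userHives) { $roots += "Registry::$($hive.Name)" }
    foreach ($root in $roots) {
        foreach ($sub in 'Run', 'RunOnce') {
            "$root\SOFTWARE\Microsoft\Windows\CurrentVersion\$sub"
        }
    }
}

# Returns the report label if the file's SHA-256 is in $KnownBad, else $null.
function Test-KnownBadFile {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return $null }
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
    if ($hash -and $KnownBad.ContainsKey($hash.ToUpperInvariant())) { return $KnownBad[$hash.ToUpperInvariant()] }
    return $null
}

# Flags autostart values matching the report's pattern: value name "Parametr",
# an .exe in a directory directly under the drive root (C:\SysDrvDS\abodloc.exe
# style, outside Windows or Program Files), or a hash match.
function Get-RunKeyFindings {
    foreach ($key in (Get-RunKeyPaths)) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            $value = [string]$item.GetValue($name)
            # Executable path: the quoted first token, else the text before the first space.
            $exe = if ($value -match '^"([^"]+)"') { $Matches[1] } else { ($value -split ' ')[0] }
            $flags = @()
            if ($name -eq 'Parametr') { $flags += 'value name "Parametr" as in report' }
            if ($exe -match '^[A-Za-z]:\\[^\\]+\\[^\\]+\.exe$' -and
                $exe -notmatch '^[A-Za-z]:\\(Windows|Program Files( \(x86\))?)\\') {
                $flags += 'exe in a non-standard directory directly under the drive root'
            }
            $bad = Test-KnownBadFile -Path $exe
            if ($bad) { $flags += "SHA-256 matches report: $bad" }
            if ($flags.Count -gt 0) {
                [pscustomobject]@{ Key = $key; Name = $name; Value = $value; Findings = ($flags -join '; ') }
            }
        }
    }
}

# Every file inside the sample's drop directories, hashed against the report.
function Get-DropDirFindings {
    foreach ($dir in $SuspectDirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -File -Recurse -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{ Path = $_.FullName; Size = $_.Length; KnownBad = (Test-KnownBadFile -Path $_.FullName) }
            }
    }
}

# Live processes whose image sits in a drop directory (abodloc.exe was PID 1220 in the sandbox).
function Get-SuspectProcesses {
    Get-CimInstance Win32_Process |
        Where-Object {
            $p = $_.ExecutablePath
            $p -and ($SuspectDirs | Where-Object { $p.StartsWith($_, 'OrdinalIgnoreCase') })
        } |
        Select-Object ProcessId, ParentProcessId, ExecutablePath, CommandLine
}

Get-RunKeyFindings   | Format-Table -AutoSize
Get-DropDirFindings  | Format-Table -AutoSize
Get-SuspectProcesses | Format-Table -AutoSize
```

The hash list is deliberately a lookup rather than the only signal: the report's 2.7MB dropped files have MD5s different from the submitted sample, so a copy-and-rename assumption would miss them, and a rebuilt sample would miss every hash. The "Parametr" value name and the root-level drop directories are the cheaper, more durable indicators from this run, and the RunOnce entry for C:\Vid6W\optiaec.exe is worth checking even though that file never executed during the 119s analysis.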