Analysis
max time kernel: 120s
max time network: 19s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 19/07/2024, 11:49
Static task: static1
Behavioral task: behavioral1
  Sample: 8f17bd7b2520c597a322478e44bb55b0N.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 8f17bd7b2520c597a322478e44bb55b0N.exe
  Resource: win10v2004-20240709-en
General
Target: 8f17bd7b2520c597a322478e44bb55b0N.exe
Size: 2.7MB
MD5: 8f17bd7b2520c597a322478e44bb55b0
SHA1: 7ed056d5b0e40284a303363080ab2d6a4265205f
SHA256: f54e312123bddb6f9e8315110d39f82548810b9f6a8d201a5e78fe845b2a7929
SHA512: 1dc5e22bea5de35ac936fe5c9566500af9def6399faced2d7517b997bbbaa81f6baf31d3455d7bea28f1815498eae05608702bb0b53b28214cc5e33705a6243a
SSDEEP: 49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBz9w4Sx:+R0pI/IQlUoMPdmpSpT4
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid   Process
  2728  devbodloc.exe

Loads dropped DLL (1 IoC)
  pid   Process
  2388  8f17bd7b2520c597a322478e44bb55b0N.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                                                                                 Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe75\\devbodloc.exe"      8f17bd7b2520c597a322478e44bb55b0N.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBHT\\optixloc.exe"  8f17bd7b2520c597a322478e44bb55b0N.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  2388  8f17bd7b2520c597a322478e44bb55b0N.exe
  2728  devbodloc.exe
  (64 entries in total, all for these two processes: two initial hits on PID 2388, then alternating between PID 2728 and PID 2388, ending on PID 2388)

Suspicious use of WriteProcessMemory (4 IoCs)
  description                       pid   Process                                 procid_target
  PID 2388 wrote to memory of 2728  2388  8f17bd7b2520c597a322478e44bb55b0N.exe  29
  PID 2388 wrote to memory of 2728  2388  8f17bd7b2520c597a322478e44bb55b0N.exe  29
  PID 2388 wrote to memory of 2728  2388  8f17bd7b2520c597a322478e44bb55b0N.exe  29
  PID 2388 wrote to memory of 2728  2388  8f17bd7b2520c597a322478e44bb55b0N.exe  29
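The two registry writes above are the persistence mechanism: the dropper sets a Run value that relaunches the dropped second stage (C:\Adobe75\devbodloc.exe, which the sandbox also saw execute as PID 2728) and a RunOnce value pointing at a second path under another top-level directory. The following Python is an added example written for this page, not Triage's code and not anything recovered from the sample. It parses IoC lines in the format the report prints, ties each autorun target back to the dropped executables that ran, and flags the indicators a triage analyst would act on. The regexes, the trusted-directory allowlist, the "directory directly under the drive root" heuristic and the third (benign) sample line are assumptions; the first two sample lines are the report's own registry writes.

```python
"""Parse Triage-style 'Adds Run key' IoC lines and flag autorun persistence.

Added example for this page (not Triage's code). The regexes, the allowlist of
trusted directories and the benign third sample line are assumptions.
"""
import re
from dataclasses import dataclass

# Triage prints a registry write as:  Set value (type) <key>\<name> = "<data>" <process>
SET_VALUE_RE = re.compile(
    r'Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\\S+?)\\(?P<name>[^\\\s]+) = "(?P<data>[^"]*)" (?P<proc>\S+)$'
)
AUTORUN_KEY_RE = re.compile(r'\\CurrentVersion\\(Run|RunOnce|RunServices|RunServicesOnce)$', re.I)

# Directories where an autorun target is unremarkable (assumption; tune per fleet).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass
class AutorunIoc:
    hive: str          # HKU or HKLM, derived from the \REGISTRY\... prefix
    key: str           # Run, RunOnce, RunServices, RunServicesOnce
    name: str          # value name ("Parametr" in this report)
    target: str        # executable path with Triage's doubled backslashes collapsed
    writer: str        # process that wrote the value
    suspicious: bool
    reasons: tuple


def _exe_path(data: str) -> str:
    """Collapse the doubled backslashes Triage prints and strip quotes/arguments."""
    data = data.replace("\\\\", "\\").strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    # Unquoted command: take everything up to the first script/executable extension.
    m = re.match(r'(.+?\.(?:exe|dll|bat|cmd|vbs|js|ps1))(\s|$)', data, re.I)
    return m.group(1) if m else data.split(" ", 1)[0]


def analyze(lines, executed_drops=frozenset()):
    """Return one AutorunIoc per autorun registry write found in `lines`.

    `executed_drops` holds the basenames from the report's 'Executes dropped EXE'
    signature; a Run-key target that matches one ties persistence to the stage
    that already ran in the sandbox.
    """
    drops = {d.lower() for d in executed_drops}
    results = []
    for line in lines:
        m = SET_VALUE_RE.search(line)
        if not m:
            continue
        key_match = AUTORUN_KEY_RE.search(m["key"])
        if not key_match:
            continue  # a registry write, but not to an autorun key
        hive = "HKU" if m["key"].upper().startswith("\\REGISTRY\\USER\\") else "HKLM"
        key = key_match.group(1)
        target = _exe_path(m["data"])
        low = target.lower()
        reasons = []
        if not low.startswith(TRUSTED_PREFIXES):
            reasons.append("target outside trusted program directories")
        # C:\Adobe75\devbodloc.exe: the binary sits in a directory created directly under the drive root
        if re.match(r'[a-z]:\\[^\\]+\\[^\\]+$', low):
            reasons.append("target lives in a top-level directory under the drive root")
        if low.rsplit("\\", 1)[-1] in drops:
            reasons.append("target is a dropped executable the sample already launched")
        if key.lower() == "runonce" and low.endswith(".exe"):
            reasons.append("RunOnce set to an executable: one-shot relaunch at next logon")
        results.append(AutorunIoc(hive, key, m["name"], target, m["proc"], bool(reasons), tuple(reasons)))
    return results


# Constructed input: the first two lines reproduce the registry writes recorded in
# the report's 'Adds Run key to start application' signature; the third is a
# made-up benign write for contrast (assumption, not from the report).
SAMPLE_LINES = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe75\\devbodloc.exe" 8f17bd7b2520c597a322478e44bb55b0N.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBHT\\optixloc.exe" 8f17bd7b2520c597a322478e44bb55b0N.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater = "C:\\Program Files\\Vendor\\updater.exe" installer.exe',
]

if __name__ == "__main__":
    # devbodloc.exe is the only dropped EXE the report shows executing (PID 2728).
    for ioc in analyze(SAMPLE_LINES, executed_drops={"devbodloc.exe"}):
        flag = "SUSPICIOUS" if ioc.suspicious else "ok"
        print(f"{flag:10} {ioc.hive}\\...\\{ioc.key}\\{ioc.name} -> {ioc.target} (set by {ioc.writer})")
        for reason in ioc.reasons:
            print(f"{'':10}   - {reason}")
```

Run against the two IoCs from this report, the Run value is flagged on all three structural grounds (untrusted location, top-level drop directory, target is the dropped EXE that ran), while the RunOnce value to C:\KaVBHT\optixloc.exe is flagged on location alone: the report shows no process with that name executing, so that path is worth hunting for on disk rather than assuming it ran. Note also that all four WriteProcessMemory entries are PID 2388 writing into the child it spawned (PID 2728), which is what process creation itself looks like; the Run/RunOnce writes and the drop directories are the stronger indicators here.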
Processes
1. C:\Users\Admin\AppData\Local\Temp\8f17bd7b2520c597a322478e44bb55b0N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\8f17bd7b2520c597a322478e44bb55b0N.exe"
   PID: 2388
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Adobe75\devbodloc.exe (child of PID 2388)
      Command line: C:\Adobe75\devbodloc.exe
      PID: 2728
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2.7MB
MD5: 5ea6d399f401cf5d127598096a964837
SHA1: 619502a22c41f8d4e6e58449f9e5296b81fdcf40
SHA256: e9240167b85489f88e0286938b3cfacb3a7fd97a3bce63987c732ad7735fbbf8
SHA512: 5508824a80b9726e214d2bd66a6f7048ac4fb8c08680c4b6f598b87e28ee2902b695fd1a525eb59e4e00c7ad7c6977b7d60165ae667980fed5ef1c5f90627d64

Filesize: 205B
MD5: b38ae8111a3e33d75f518bc366e90213
SHA1: 285deadb8ff09a9180857fbc83a8af6609524508
SHA256: 543b4d1861e35a48292ea30487c0f5aed7d84ff7a315f0efb032936015c7f2e0
SHA512: ebba2df53c9c6bc9562ec3a6b92252ed57b3c0ca4c59e98ee5d65bb64ca26e91ba877c1c3b69f0d2e2daf629461f4a1c7c3c3923abefc26de7b1e8082c5faee1

Filesize: 2.7MB
MD5: fcd8ffeac170b3c2e4bac4d81c39afa5
SHA1: 2ae1e5671d04f87e333dd071216682b8e536a8cc
SHA256: dddad6bcb12a19f23a2dc2d5c03a2bbba5f8e56521d35ea32245a682e853c3b4
SHA512: 7a2e7fe343064b4b2b2c25ea3a209e347653865c90d5d58f56f0fc3c6e416992ad428a42982e6102a3310f0f3c715cc484807d2c0993bc55e160ff24c3bf436f