Analysis
- max time kernel: 119s
- max time network: 96s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19/07/2024, 11:49
Static task: static1
Behavioral task: behavioral1
  Sample: 8f17bd7b2520c597a322478e44bb55b0N.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 8f17bd7b2520c597a322478e44bb55b0N.exe
  Resource: win10v2004-20240709-en
(The Analysis, Signatures and Processes sections on this page are from behavioral2, the windows10-2004 run; no results from the win7 task are shown.)
General
- Target: 8f17bd7b2520c597a322478e44bb55b0N.exe
- Size: 2.7MB
- MD5: 8f17bd7b2520c597a322478e44bb55b0
- SHA1: 7ed056d5b0e40284a303363080ab2d6a4265205f
- SHA256: f54e312123bddb6f9e8315110d39f82548810b9f6a8d201a5e78fe845b2a7929
- SHA512: 1dc5e22bea5de35ac936fe5c9566500af9def6399faced2d7517b997bbbaa81f6baf31d3455d7bea28f1815498eae05608702bb0b53b28214cc5e33705a6243a
- SSDEEP: 49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBz9w4Sx:+R0pI/IQlUoMPdmpSpT4
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 2912  adobec.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str) \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBGE\\optialoc.exe"  (process: 8f17bd7b2520c597a322478e44bb55b0N.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeNT\\adobec.exe"  (process: 8f17bd7b2520c597a322478e44bb55b0N.exe)
  Note: the Run value points at C:\AdobeNT\adobec.exe, which is the dropped EXE that executed as pid 2912; the RunOnce value names C:\KaVBGE\optialoc.exe, which does not appear in this run's process list.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  64 events, all from pid 5080 (8f17bd7b2520c597a322478e44bb55b0N.exe) and pid 2912 (adobec.exe), alternating between the two processes.
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 5080 (8f17bd7b2520c597a322478e44bb55b0N.exe) wrote to memory of PID 2912 (procid_target 87); recorded 3 times.
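The two "Adds Run key" IoCs are the durable artifact of this run, so they are the natural thing to hunt for. The following added example (not part of the tria.ge report and not the sample's code) flags Run/RunOnce value writes of this shape in Sysmon-style registry telemetry. The event records are constructed from the report's two Set value entries plus one benign entry for contrast; their field names follow Sysmon Event ID 13 (RegistryEvent: value set), but the records are assumptions built for the example, not captured logs. The heuristics (autostart image in a folder directly under the drive root, value written by a process running from the user's Temp directory) are the example's own, not tria.ge's signature logic.

```python
import re
from dataclasses import dataclass

# Constructed Sysmon-style Event ID 13 records (assumptions built from the
# report's two "Set value" IoCs plus one benign entry; not captured telemetry).
SID = "S-1-5-21-464762018-485119342-1613148473-1000"
WRITER = r"C:\Users\Admin\AppData\Local\Temp\8f17bd7b2520c597a322478e44bb55b0N.exe"
SAMPLE_EVENTS = [
    {   # report IoC 1, in the report's own \REGISTRY\USER\... path form
        "EventID": 13,
        "Image": WRITER,
        "TargetObject": "\\REGISTRY\\USER\\" + SID
                        + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr",
        "Details": r"C:\KaVBGE\optialoc.exe",
    },
    {   # report IoC 2, in Sysmon's HKU\... path form
        "EventID": 13,
        "Image": WRITER,
        "TargetObject": "HKU\\" + SID
                        + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr",
        "Details": r"C:\AdobeNT\adobec.exe",
    },
    {   # benign: a vendor installer registering an updater from Program Files
        "EventID": 13,
        "Image": r"C:\Program Files\Vendor\setup.exe",
        "TargetObject": "HKU\\" + SID
                        + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdate",
        "Details": r'"C:\Program Files\Vendor\update.exe" --quiet',
    },
]

# Anchors on the key tail, so the \REGISTRY\USER, HKU and HKCU prefixes all match.
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\([^\\]+)$", re.IGNORECASE)
# Lower-cased prefixes from which an autostart image is unremarkable.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
# <drive>:\<one folder>\<file>.exe, e.g. C:\AdobeNT\adobec.exe (lower-cased input).
TOP_LEVEL_DIR_RE = re.compile(r"^[a-z]:\\[^\\]+\\[^\\]+\.exe$")


@dataclass(frozen=True)
class Finding:
    key: str          # "Run" or "RunOnce"
    value_name: str   # e.g. "Parametr"
    image: str        # executable registered for autostart
    writer: str       # process that wrote the value
    reasons: tuple    # why it was flagged


def registered_image(details: str) -> str:
    """Extract the executable path from a Run-key value string. A quoted path is
    taken up to the closing quote; otherwise the first whitespace-delimited
    token is used, which is ambiguous for unquoted paths containing spaces."""
    d = details.strip()
    if d.startswith('"'):
        end = d.find('"', 1)
        return d[1:end] if end > 0 else d[1:]
    return d.split(None, 1)[0] if d else ""


def inspect_autorun(event: dict):
    """Return a Finding for a suspicious Run/RunOnce value set, else None."""
    if event.get("EventID") != 13:
        return None
    m = RUN_KEY_RE.search(event.get("TargetObject", ""))
    if not m:
        return None  # some other registry value, not an autorun entry
    image = registered_image(event.get("Details", ""))
    low = image.lower()
    if not low or low.startswith(TRUSTED_ROOTS):
        return None
    reasons = []
    if TOP_LEVEL_DIR_RE.match(low):
        reasons.append("autostart image lives in a folder directly under the drive root")
    if "\\appdata\\local\\temp\\" in event.get("Image", "").lower():
        reasons.append("value written by a process running from the user's Temp directory")
    if not reasons:
        return None
    return Finding(m.group(1), m.group(2), image, event.get("Image", ""), tuple(reasons))


def scan(events):
    """Run inspect_autorun over a list of events and keep the findings."""
    return [f for f in map(inspect_autorun, events) if f is not None]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.key}\\{f.value_name} -> {f.image}: {'; '.join(f.reasons)}")
```

On a live host the RunOnce entry may already be gone: Windows deletes a RunOnce value once it has executed, so only event telemetry (or a hive captured before the next logon) records the C:\KaVBGE\optialoc.exe entry, while the Run value for C:\AdobeNT\adobec.exe persists until removed.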
Processes
1. C:\Users\Admin\AppData\Local\Temp\8f17bd7b2520c597a322478e44bb55b0N.exe  (PID 5080)
   command line: "C:\Users\Admin\AppData\Local\Temp\8f17bd7b2520c597a322478e44bb55b0N.exe"
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\AdobeNT\adobec.exe  (PID 2912, child of PID 5080)
      command line: C:\AdobeNT\adobec.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.7MB
  MD5: c71271c2c12273640cac3d2dd56376f6
  SHA1: 0c45274ba188a2a94890f801d211f07ae9b8e408
  SHA256: ffcb418aaa30aefd1f587654006c9c93f74fe451cf91fac11d5a9368412e5875
  SHA512: 47acb957317d88042abcfec6e5f6dd05ee697ecc9d1545bfa4d94d11fc1567420810102aa095de9413e6df8468c79b44c8a1abc143f10b71fe1a5c3c37cb49e7
- Filesize: 2.7MB
  MD5: 539e1e3a579a9fad0998985d04d77e38
  SHA1: 4cdb99bfb31b9d509722c7aa9ad78e210e8ab6a7
  SHA256: cb3f0b8a569558292d81ab48808a8225c8701bf54f0e26870fc1c492583d4d74
  SHA512: 2042221de486a1809e87e6903341b2ce9a781d7578f30c028bdfdd6f7846d9f327ed978dbd9b251758648849ad31cb86a8d1cfc5dcac5d11db2ca27ab4bab020
- Filesize: 201B
  MD5: 61b19caa0d30e42a1b8f22b104f6a1ab
  SHA1: cb12d28bd268ccc3798f021cd44706447a494828
  SHA256: ac1e4f810f7cce3b0595ab258b517c7c67ee12262f781fb49b9ac63cbb4b3671
  SHA512: 23f4a0c1b46cd775c3e0cc46e6bfbee1b2fe7e31d784e30a1a1ac451c80d4394e7c849943c10f29fe374f3fa9b675db6a76dc19f65423176666ef0b9364ac58b