Analysis
max time kernel: 119s
max time network: 99s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/07/2024, 06:07
Static task: static1
Behavioral task: behavioral1
  Sample: 59b45f17b13d799e6c4005d204fe8730N.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: 59b45f17b13d799e6c4005d204fe8730N.exe
  Resource: win10v2004-20240709-en
General
Target: 59b45f17b13d799e6c4005d204fe8730N.exe
Size: 2.7MB
MD5: 59b45f17b13d799e6c4005d204fe8730
SHA1: 7bbd074484a03778f4c5a50f0e88ce5bf0e0c222
SHA256: 4d1b6346c8bc068c413a20cd8e9f814eb9c0fd94f2526edb271bbbb166feb744
SHA512: 88da31497b4f37aaee139168f8a077387057af5a6463f518b14bad9aa4112f24d0f22b221657132a91ed69961a54d4b554478b3d5791917eb74a6ed972d01e58
SSDEEP: 49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBp9w4S+:+R0pI/IQlUoMPdmpSp54X
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  pid   Process
  2128  devdobec.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                                                          Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotPD\\devdobec.exe"      59b45f17b13d799e6c4005d204fe8730N.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax3X\\dobxloc.exe"     59b45f17b13d799e6c4005d204fe8730N.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  64 entries, each one of the following two processes:
  pid   Process
  828   59b45f17b13d799e6c4005d204fe8730N.exe
  2128  devdobec.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                          pid  Process                                procid_target
  PID 828 wrote to memory of 2128      828  59b45f17b13d799e6c4005d204fe8730N.exe  88
  PID 828 wrote to memory of 2128      828  59b45f17b13d799e6c4005d204fe8730N.exe  88
  PID 828 wrote to memory of 2128      828  59b45f17b13d799e6c4005d204fe8730N.exe  88
Processes

1. "C:\Users\Admin\AppData\Local\Temp\59b45f17b13d799e6c4005d204fe8730N.exe" (PID: 828)
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. C:\UserDotPD\devdobec.exe (PID: 2128, child of PID 828)
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2.7MB
MD5: 6f12b2da66490073bf6728ceed2294b0
SHA1: 62ca8947738cc97fd55f8c4aeff523b5a19b28cf
SHA256: b934016730729b3e49ebd43fa23ea7dcd7287d8287680ee830df53f329a93620
SHA512: 2e2bf347d523d20e70cd9c76c6ffaceab086640a570733d7010d83d07f31bdcbdc404003d0c482364388a27d39882b853d5911ebdf3ceefdff84fd7c109caa1d

Filesize: 2.7MB
MD5: 2b0ea5613e22ce7b992e585dba6a2259
SHA1: af15a6aa982699c8a5138b8ff240efa3f0444e19
SHA256: 7f2c531d0bf658dd1965d49ca3b19c2d59f4b118143fa5eb22c5efd4d59573d3
SHA512: 09b3154080c0caa662b4df2c30d03fe212e07834eca87bb8d1b72225ccda08280b830e9ce0f29b7ad2165eed26b6b07c615d99a7a87d98c186140b81299763ff

Filesize: 204B
MD5: 20a40f225c908c80a6a4281586315399
SHA1: 45af43d8b9639ecaaedf8d1339530f7e682dc477
SHA256: ba2e365ecbb29cef7bc57dfc2b94ec4609eb58d5914a200767a061884de273c2
SHA512: 9a0c053c1507672e74d045285123173fc96aa6b2ef8e3b2f073a4c2095c0bccc3938652149f81589cd76b12583dba3a9179d2d5a815c97f83eb146c36a77453c