Analysis
max time kernel: 120s
max time network: 102s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22/07/2024, 01:47
Static task: static1
Behavioral task: behavioral1
  Sample: 4179f6ff845787c1d207b6a6f6302540N.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: 4179f6ff845787c1d207b6a6f6302540N.exe
  Resource: win10v2004-20240709-en
General
Target: 4179f6ff845787c1d207b6a6f6302540N.exe
Size: 3.1MB
MD5: 4179f6ff845787c1d207b6a6f6302540
SHA1: 28e6f2db566261cb232f917d6f3124b5a4d3641f
SHA256: f3004e7d9434d1236876f916dc8c1284bd9a79d75509328c57879f4199db6ee7
SHA512: 138859299ffdaedcd95a72bffad828bb1671f81b833e554c93d1911def86859528efdd2099f22a5817f6c6a8cf3bba333add7f925cafb14c91d5a85254883df8
SSDEEP: 49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBQ9w4Su+LNfej:+R0pI/IQlUoMPdmpSpS4JkNfej
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid | Process: 1648 | abodloc.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process:
  Set value (str) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBC2\\bodasys.exe" | 4179f6ff845787c1d207b6a6f6302540N.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotUN\\abodloc.exe" | 4179f6ff845787c1d207b6a6f6302540N.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process: 64 entries, all from 4256 | 4179f6ff845787c1d207b6a6f6302540N.exe and 1648 | abodloc.exe, listed in alternating pairs
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target:
  PID 4256 wrote to memory of 1648 | 4256 | 4179f6ff845787c1d207b6a6f6302540N.exe | 89
  PID 4256 wrote to memory of 1648 | 4256 | 4179f6ff845787c1d207b6a6f6302540N.exe | 89
  PID 4256 wrote to memory of 1648 | 4256 | 4179f6ff845787c1d207b6a6f6302540N.exe | 89
Processes
- C:\Users\Admin\AppData\Local\Temp\4179f6ff845787c1d207b6a6f6302540N.exe (depth 1, PID 4256)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4179f6ff845787c1d207b6a6f6302540N.exe"
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\UserDotUN\abodloc.exe (depth 2, PID 1648, child of 4256)
    Command line: C:\UserDotUN\abodloc.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 8KB
  MD5: 543b580014decab172de23e7ad6bd828
  SHA1: 1ab580d1a283aaa4e1eafa903e1b09d807b9779a
  SHA256: be042705b4c36f68fa3e7ca78a833f0e013cc2f3e93ec00a92d32c41d19ff2d6
  SHA512: ce0bd033d47c0eb8cf28c4a3a6c07c58d0f911da83d3413a08ba9d7f78562620643124540408cd3c7bd6fcf8be4e07dff3e5dd2f452062ec19883dd07ed17908
- Filesize: 3.1MB
  MD5: 5f6c2312d4de1de9a80615903cef9d7a
  SHA1: e48a14ef04506e9bfaafc57d87c3c7a9f1193a43
  SHA256: 6ba74ac3070c159b3f516b3bb34d302a3b32b9829893b454d1ebcec7e502501e
  SHA512: 1be504d842136fa03646999137bdad4e0231c5fb1f695e012e6bb66b8fe67fae29f676989a7067299b4063f7b589772bdccd3ca692bb0cacadce3defbc3f8a1c
- Filesize: 199B
  MD5: 7edf2ba50f9206b45d80226cb3f52cf8
  SHA1: e86e65171db09da2ede324cd08493035b1328232
  SHA256: e7353ba1aa66e826bc2ea2b68f25f7d677a06a7f9ab62e3d3d917a5ce5a7f653
  SHA512: 108dea09621113867e94bb127005d4a3b04e561068a7a9b71c1ae674c1673c531190c07387e28176375bd4eb773d7378aaceaed3060375ff9f4889b93bd2230e