Analysis
- max time kernel: 120s
- max time network: 106s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/07/2024, 21:16
Static task
- static1
Behavioral task
- behavioral1: sample 0ac20821e984c36079a3b59799e14f40N.exe, resource win7-20240705-en
Behavioral task
- behavioral2: sample 0ac20821e984c36079a3b59799e14f40N.exe, resource win10v2004-20240709-en
The analysis details on this page (platform windows10-2004_x64, resource win10v2004-20240709-en) belong to behavioral2; the win7-20240705-en run is a separate task whose results are not shown here.
General
- Target: 0ac20821e984c36079a3b59799e14f40N.exe
- Size: 2.7MB
- MD5: 0ac20821e984c36079a3b59799e14f40
- SHA1: 26bff7b911da4ab212d87c2ea0e3c9275d4d624a
- SHA256: 4663d4eac037aacc78bf47a5aca7ef3eea303f1c9ed08c77f36ed4b1d6867a61
- SHA512: 45229bfac56a99ea5bfa4b63f6f817fe236da1113e833a28eb631652ac90589921773e83c70d8ffd2cb64eb860a98f3eaae859eda97e84382ba2c71d4c4d87fb
- SSDEEP: 49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBo9w4Sx:+R0pI/IQlUoMPdmpSpO4
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid   Process
  868   adobsys.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                                                       Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesED\\adobsys.exe"       0ac20821e984c36079a3b59799e14f40N.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBTQ\\bodasys.exe"    0ac20821e984c36079a3b59799e14f40N.exe
  Both values are written by the sample itself into the logged-on user's hive (HKCU, so no elevation is needed) under the same value name, Parametr. The Run target, C:\FilesED\adobsys.exe, is the dropped EXE that runs as PID 868 in this trace; the RunOnce target, C:\KaVBTQ\bodasys.exe, appears nowhere else in this report, so whether it was written to disk or what it does is not shown by this run.
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                          Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   0ac20821e984c36079a3b59799e14f40N.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   adobsys.exe
  Both the submitted sample and the dropped adobsys.exe open the key; the report does not show which language values, if any, change their behaviour.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid    Process
  1236   0ac20821e984c36079a3b59799e14f40N.exe
  868    adobsys.exe
  (64 hits in total, all attributed to these two processes; the original table repeats the same two rows.)
- Suspicious use of WriteProcessMemory (3 IoCs)
  description                        pid    Process                                  procid_target
  PID 1236 wrote to memory of 868    1236   0ac20821e984c36079a3b59799e14f40N.exe    87
  (the same row is listed three times)
  All three writes go from the sample (PID 1236) into its own child adobsys.exe (PID 868). A parent writing into a child it has just created is also what ordinary process start-up looks like, so these hits on their own are weak evidence of code injection; they would deserve more attention if the writer were not the target's parent or if the target were an unrelated, already-running process.
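The two registry IoCs and the three WriteProcessMemory hits above are the kind of rows an analyst cross-checks against the process tree before deciding what matters. The Python below is an added example, not tria.ge code and not code from the sample; its input events are typed in from this report's rows (constructed for the example, not exported from the sandbox), and the TRUSTED_DIRS list and the "writer is the target's parent" filter are this example's own triage assumptions.

```python
"""Triage helpers for Run/RunOnce persistence and WriteProcessMemory IoCs
of the kind listed in a tria.ge-style Signatures section (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample events mirroring this report's IoC rows:
# (registry path, value data, PID that set it). Typed in from the report, not exported.
REG_SET_EVENTS = [
    (r"\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr",
     r"C:\FilesED\adobsys.exe", 1236),
    (r"\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr",
     r"C:\KaVBTQ\bodasys.exe", 1236),
]
# (pid, command line, parent pid) from the process tree; None = no parent in the trace.
PROCESS_STARTS = [
    (1236, r'"C:\Users\Admin\AppData\Local\Temp\0ac20821e984c36079a3b59799e14f40N.exe"', None),
    (868, r"C:\FilesED\adobsys.exe", 1236),
]
# (writer pid, target pid) for each WriteProcessMemory hit: the report lists 1236 -> 868 three times.
MEMORY_WRITES = [(1236, 868)] * 3

# Autostart locations under ...\CurrentVersion\; group 1 = key kind, group 2 = value name.
RUN_KEY_RE = re.compile(r"\\(Run|RunOnce|RunServices|RunServicesOnce)\\([^\\]+)$", re.IGNORECASE)
# Assumption for this example: directories a standard user cannot write to. Anything
# outside them (like C:\FilesED or C:\KaVBTQ here) is a user-writable persistence path.
TRUSTED_DIRS = (r"c:\program files", r"c:\windows")


@dataclass
class PersistenceEntry:
    key_kind: str        # Run, RunOnce, ...
    value_name: str      # "Parametr" in this report
    target: str          # path exactly as written to the registry
    set_by_pid: int
    executed: bool       # did the target show up in the process tree?
    trusted_path: bool   # does it live under an admin-only directory?


def _exe_path(command: str) -> str:
    """Reduce a command line or value data to its executable path (unquoted, lower-case)."""
    m = re.match(r'\s*"?([^"]+?\.exe)', command, re.IGNORECASE)
    return (m.group(1) if m else command).strip().lower()


def persistence_entries(reg_events, process_starts) -> list[PersistenceEntry]:
    """Pick the autostart writes out of registry set-value events and annotate each one."""
    seen = {_exe_path(cmd) for _, cmd, _ in process_starts}
    found = []
    for key, data, pid in reg_events:
        m = RUN_KEY_RE.search(key)
        if not m:
            continue  # not an autostart location
        target = _exe_path(data)
        found.append(PersistenceEntry(m.group(1), m.group(2), data, pid,
                                      executed=target in seen,
                                      trusted_path=target.startswith(TRUSTED_DIRS)))
    return found


def injection_candidates(memory_writes, process_starts) -> list[tuple[int, int]]:
    """Keep only writes where the writer is NOT the target's parent.

    A parent writing into the child it just created is ordinary process start-up
    (the report's three 1236 -> 868 hits), so those are filtered out; anything left
    is a write into an unrelated process and worth a closer look."""
    parent = {pid: ppid for pid, _, ppid in process_starts}
    return sorted({(w, t) for w, t in memory_writes if parent.get(t) != w})


def triage_report(reg_events=REG_SET_EVENTS, process_starts=PROCESS_STARTS,
                  memory_writes=MEMORY_WRITES) -> dict:
    """Summarise persistence, dormant persistence targets and unexplained memory writes."""
    entries = persistence_entries(reg_events, process_starts)
    return {
        "persistence": [(e.key_kind, e.target, e.executed, e.trusted_path) for e in entries],
        # Targets registered for autostart that never ran in this trace (bodasys.exe here).
        "dormant_targets": [e.target for e in entries if not e.executed],
        "unexplained_writes": injection_candidates(memory_writes, process_starts),
    }


if __name__ == "__main__":
    for name, value in triage_report().items():
        print(f"{name}: {value}")
```

Run against this report's rows, the script reports two HKCU autostart entries in user-writable directories, one of them (the RunOnce target bodasys.exe) never observed executing, and no memory writes that the parent/child relationship does not already explain. Swapping in events from a different trace where, say, PID 868 wrote into PID 1236 would surface that pair as an unexplained write.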
Processes
- C:\Users\Admin\AppData\Local\Temp\0ac20821e984c36079a3b59799e14f40N.exe (PID 1236), command line "C:\Users\Admin\AppData\Local\Temp\0ac20821e984c36079a3b59799e14f40N.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\FilesED\adobsys.exe (PID 868, child of 1236), command line C:\FilesED\adobsys.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
The report lists four files by size and hash only; it does not say which dropped, downloaded or written file each entry is, and none of them carries the hashes of the submitted sample.
- Filesize: 2.7MB
  MD5: 6f3ae4261c6ec1f3c9b3eed3eb405887
  SHA1: 5e5c4b8e54cf53f732974dab1a2d623a940bccb9
  SHA256: 1cd48f46c58460c614df4fcb9f34540de9bfa33e14c355b85da322c98875effe
  SHA512: b6fe6e8cc3b481bb3c366d20a999b8385d42ce4a4690eeda8b768cf6c57919cb3137d9f8bb35c82841cf3a41cccac4f525ff8ee3c06496e856b7543ca6abdf80
- Filesize: 562KB
  MD5: 473abca5f7cae4146ecfade998132936
  SHA1: 9a475d72ad5e70fe58eb8dd8f1956dc2515bf7d8
  SHA256: cb0ed78273db82ececcfe77766be100053b75efb8a2c157f6658eb39af49686d
  SHA512: bd89a312a19c317907ba5e67e95fc83568ceae76f6855e0f8a6da385e12a46253f6d3507adb29bc66b6df88e5a8966b638c695d0e690981c49eec554358875f8
- Filesize: 2.7MB
  MD5: 22a34fcecd91faa5e75d2dc2cbb090bb
  SHA1: 158426b6ff3e2113dba85f603330b873bf5f6e82
  SHA256: b57e096001245237210044e1309e40dde64d81518edf017c9e8905892d90d483
  SHA512: 32110e8a12c00c6d3d775babda86be4072ded0f111746b228ed2fbec645ff13087831743ec8b4452c438e758d950ebeaa90a233b9b45901b5a766eb602dfbee5
- Filesize: 199B
  MD5: 61890e91cbc70a9c1c26e5794f7f7133
  SHA1: dfe1cafe9b954ccbd04d9015d52c7d9bf356d8fd
  SHA256: 00e174a09a2f5d45695e3c16426b4ded3e97356a8605c236ff18a3c85237028c
  SHA512: 22fed84795da4ed8fae4810d99eb03d572dbc86df587495779045e803db14ac62a0b5b803c3b30e2f6cc7b7ce0926bfd64e2740e2ab159a13dcd4146e9e616eb