Analysis

  • max time kernel
    120s
  • max time network
    106s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/07/2024, 21:16

General

  • Target: 0ac20821e984c36079a3b59799e14f40N.exe
  • Size: 2.7MB
  • MD5: 0ac20821e984c36079a3b59799e14f40
  • SHA1: 26bff7b911da4ab212d87c2ea0e3c9275d4d624a
  • SHA256: 4663d4eac037aacc78bf47a5aca7ef3eea303f1c9ed08c77f36ed4b1d6867a61
  • SHA512: 45229bfac56a99ea5bfa4b63f6f817fe236da1113e833a28eb631652ac90589921773e83c70d8ffd2cb64eb860a98f3eaae859eda97e84382ba2c71d4c4d87fb
  • SSDEEP: 49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBo9w4Sx:+R0pI/IQlUoMPdmpSpO4

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0ac20821e984c36079a3b59799e14f40N.exe
    "C:\Users\Admin\AppData\Local\Temp\0ac20821e984c36079a3b59799e14f40N.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1236
    • C:\FilesED\adobsys.exe
      C:\FilesED\adobsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:868

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\FilesED\adobsys.exe
    Filesize: 2.7MB
    MD5: 6f3ae4261c6ec1f3c9b3eed3eb405887
    SHA1: 5e5c4b8e54cf53f732974dab1a2d623a940bccb9
    SHA256: 1cd48f46c58460c614df4fcb9f34540de9bfa33e14c355b85da322c98875effe
    SHA512: b6fe6e8cc3b481bb3c366d20a999b8385d42ce4a4690eeda8b768cf6c57919cb3137d9f8bb35c82841cf3a41cccac4f525ff8ee3c06496e856b7543ca6abdf80

  • C:\KaVBTQ\bodasys.exe
    Filesize: 562KB
    MD5: 473abca5f7cae4146ecfade998132936
    SHA1: 9a475d72ad5e70fe58eb8dd8f1956dc2515bf7d8
    SHA256: cb0ed78273db82ececcfe77766be100053b75efb8a2c157f6658eb39af49686d
    SHA512: bd89a312a19c317907ba5e67e95fc83568ceae76f6855e0f8a6da385e12a46253f6d3507adb29bc66b6df88e5a8966b638c695d0e690981c49eec554358875f8

  • C:\KaVBTQ\bodasys.exe
    Filesize: 2.7MB
    MD5: 22a34fcecd91faa5e75d2dc2cbb090bb
    SHA1: 158426b6ff3e2113dba85f603330b873bf5f6e82
    SHA256: b57e096001245237210044e1309e40dde64d81518edf017c9e8905892d90d483
    SHA512: 32110e8a12c00c6d3d775babda86be4072ded0f111746b228ed2fbec645ff13087831743ec8b4452c438e758d950ebeaa90a233b9b45901b5a766eb602dfbee5

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 199B
    MD5: 61890e91cbc70a9c1c26e5794f7f7133
    SHA1: dfe1cafe9b954ccbd04d9015d52c7d9bf356d8fd
    SHA256: 00e174a09a2f5d45695e3c16426b4ded3e97356a8605c236ff18a3c85237028c
    SHA512: 22fed84795da4ed8fae4810d99eb03d572dbc86df587495779045e803db14ac62a0b5b803c3b30e2f6cc7b7ce0926bfd64e2740e2ab159a13dcd4146e9e616eb