Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 119s
max time network: 107s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/07/2024, 16:31
Static task: static1
Behavioral task: behavioral1
  Sample: 2f4f4b8611a4de7e51a7a1d1abf112c0N.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 2f4f4b8611a4de7e51a7a1d1abf112c0N.exe
  Resource: win10v2004-20240709-en
General
Target: 2f4f4b8611a4de7e51a7a1d1abf112c0N.exe
Size: 2.7MB
MD5: 2f4f4b8611a4de7e51a7a1d1abf112c0
SHA1: b7f38b465f4c5d4194a58f9b833f95add0f7bbed
SHA256: de35af036b7c4807ffc11ea69000de4f4a234381d4290b5ec0c96303769bdfab
SHA512: 9f5079ee17d2c73e562ebe6a6eecf929b915cdef8a4c50274204cc078864701fe012a35abe5825844f543fd435aaf17542c0b7599d93e0cd8643f5d5258232e0
SSDEEP: 49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB29w4Sx:+R0pI/IQlUoMPdmpSpg4
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  - pid: 220
    Process: devoptiec.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  - description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotUJ\\devoptiec.exe"
    Process: 2f4f4b8611a4de7e51a7a1d1abf112c0N.exe
  - description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintCJ\\boddevec.exe"
    Process: 2f4f4b8611a4de7e51a7a1d1abf112c0N.exe
  Both values use the same name (Parametr) and point at executables in non-standard top-level directories (C:\UserDotUJ, C:\MintCJ). Only devoptiec.exe is seen running in this task; boddevec.exe, the RunOnce target, does not appear in the process tree.

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  - description: Key opened
    ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: devoptiec.exe
  - description: Key opened
    ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: 2f4f4b8611a4de7e51a7a1d1abf112c0N.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  64 process-enumeration events, interleaved between the two processes:
  - pid: 476
    Process: 2f4f4b8611a4de7e51a7a1d1abf112c0N.exe
  - pid: 220
    Process: devoptiec.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  The same event is recorded three times:
  - description: PID 476 wrote to memory of 220
    pid: 476
    Process: 2f4f4b8611a4de7e51a7a1d1abf112c0N.exe
    procid_target: 89
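The two registry signatures above (a Run/RunOnce value pointing at a dropped executable, and a read of the NLS\Language key) are easy to turn into detection logic. The following is an added example written for this page, not code from the Triage report or from the sample: it runs a small classifier over registry events constructed from the IOCs listed above (paths, value data and process names copied as rendered there) plus one made-up benign autostart entry for contrast. The RegEvent field layout, the trusted-directory list and the severity labels are assumptions of the example, not a Triage export format.

```python
"""Flag Run/RunOnce persistence and NLS\\Language reads in registry events.

Added example, not part of the Triage report or of the sample. The event
records in EVENTS are constructed from the IOCs listed in the report (paths,
value data and process names copied as rendered there) plus one made-up benign
entry for contrast; the RegEvent field layout is an assumption, not a Triage
export format.
"""
import re
from dataclasses import dataclass

# Value written directly under ...\CurrentVersion\Run or \RunOnce.
RUN_KEY_RE = re.compile(
    r"\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\(?P<name>[^\\]+)$",
    re.IGNORECASE,
)
# Key read that the report labels "System Language Discovery".
NLS_LANGUAGE_RE = re.compile(
    r"\\SYSTEM\\ControlSet\d{3}\\Control\\NLS\\Language$", re.IGNORECASE
)
# Where a legitimate autostart image is normally expected to live (assumption).
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


@dataclass
class RegEvent:
    op: str         # "set" (value written) or "open" (key opened)
    path: str       # full registry path as the sandbox renders it
    process: str    # process that performed the operation
    data: str = ""  # value data, only for "set" events


@dataclass
class Finding:
    technique: str
    process: str
    detail: str
    severity: str


def image_path(data: str) -> str:
    """Recover the executable path from Run value data.

    The sandbox escapes backslashes in string values ("C:\\\\X\\\\y.exe"), and
    real entries may be quoted and carry arguments, so normalise the
    backslashes and keep only the first path token."""
    s = data.replace("\\\\", "\\").strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s.strip('"')
    return s.split(" ", 1)[0]


def classify(ev: RegEvent) -> list:
    """Return the findings a single registry event produces."""
    findings = []
    if ev.op == "set":
        m = RUN_KEY_RE.search(ev.path)
        if m:
            img = image_path(ev.data)
            trusted = img.lower().startswith(TRUSTED_PREFIXES)
            findings.append(Finding(
                technique="Adds Run key to start application",
                process=ev.process,
                detail=f"{m.group(1)}\\{m.group('name')} -> {img}",
                # An autostart image outside the usual install directories is
                # the interesting case; a vendor updater under Program Files is not.
                severity="low" if trusted else "high",
            ))
    elif ev.op == "open" and NLS_LANGUAGE_RE.search(ev.path):
        # Many legitimate programs read the locale, so this is context for the
        # analyst rather than an alert on its own.
        findings.append(Finding(
            technique="System Language Discovery",
            process=ev.process,
            detail=ev.path,
            severity="info",
        ))
    return findings


def scan(events) -> list:
    """Run classify() over an event list and flatten the results."""
    return [f for ev in events for f in classify(ev)]


SID = "S-1-5-21-3419463127-3903270268-2580331543-1000"
HKCU_CV = f"\\REGISTRY\\USER\\{SID}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"
NLS = "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\NLS\\Language"
SAMPLE = "2f4f4b8611a4de7e51a7a1d1abf112c0N.exe"

EVENTS = [  # constructed from the report's IOCs, plus one benign entry
    RegEvent("set", HKCU_CV + "\\Run\\Parametr", SAMPLE, '"C:\\\\UserDotUJ\\\\devoptiec.exe"'),
    RegEvent("set", HKCU_CV + "\\RunOnce\\Parametr", SAMPLE, '"C:\\\\MintCJ\\\\boddevec.exe"'),
    RegEvent("open", NLS, "devoptiec.exe"),
    RegEvent("open", NLS, SAMPLE),
    # made-up benign autostart entry for contrast (not from the report)
    RegEvent("set", HKCU_CV + "\\Run\\ExampleUpdater", "setup.exe",
             '"C:\\\\Program Files\\\\Example\\\\updater.exe" /quiet'),
]

if __name__ == "__main__":
    for f in scan(EVENTS):
        print(f"[{f.severity:4}] {f.technique}: {f.process} {f.detail}")
```

Run as a script it prints one line per finding: the two Parametr writes come out as high (images under C:\UserDotUJ and C:\MintCJ), the two NLS\Language reads as info, and the constructed Program Files entry as low. The backslash normalisation in image_path matters when feeding sandbox output back into tooling: Triage renders string values with doubled backslashes, so a naive path comparison against the process tree (C:\UserDotUJ\devoptiec.exe) would otherwise miss.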
Processes
- C:\Users\Admin\AppData\Local\Temp\2f4f4b8611a4de7e51a7a1d1abf112c0N.exe (PID 476)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2f4f4b8611a4de7e51a7a1d1abf112c0N.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\UserDotUJ\devoptiec.exe (PID 220, child of 476)
    Command line: C:\UserDotUJ\devoptiec.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
The report does not give file paths for these artifacts. The two 2.7MB files match the size of the submitted sample but carry different hashes, so they are modified copies rather than byte-identical drops.
- Filesize: 2.7MB
  MD5: dbaa6fbbe005b45bfd51942bc81c1b89
  SHA1: 246398c807ffa422be1b81fb591e29f75192bab6
  SHA256: 625643203d6db7d120fd0b467d801edf766fbbf6d0ed5b88d23d537f94410afd
  SHA512: 6f7f05489e0ce0b12298aa742f6c625821812c7dcdca9cdc66f42718b5ec625e78fabc7491cce4fb7dd0ff69c43f24df47522e36db65c3db6c8e6d6af7506954
- Filesize: 2.7MB
  MD5: 00cc598c2e194ea4c33785b0b74c6690
  SHA1: 0d4789c33b8cdb2d8a65bc3fbf81841b1dcd4c44
  SHA256: 620ea12132e929c57cf51b8c5d119f2c209d5cf58fa73fa657a2b1071f414d14
  SHA512: 6ce40bd7de5309b98358626b942311833d0f5d83ccfe938b8476a4c50474ada742d301ecb37853b38ac017f3ca7f9d89820d8f830e23111001c4e4b39a70dd05
- Filesize: 207B
  MD5: a9d1fe73e1a6ebe77721f9db00b1fac0
  SHA1: aac96ed3ed475dce2aa4fc18ec0e960b7820afd3
  SHA256: dec227047783d39c9b9a4fa2763cc93586266dab91337e7c83f2766aa0990995
  SHA512: 55a02c59f67681c6906698b67946541f6f100680deb54821e633743294812b8aee84dbb9523a5124bbf5749ad7a51f2ffdd577cd4e805e187e234e11c5862bcb