Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

3ad5ebf46d...0N.exe

windows7-x64

7

3ad5ebf46d...0N.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    119s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    26/07/2024, 17:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3ad5ebf46dc77d06551144119520bdb0N.exe

  • Size

    2.7MB

  • MD5

    3ad5ebf46dc77d06551144119520bdb0

  • SHA1

    2e86585df470a06496f7247965dc2063ceb333c5

  • SHA256

    da44fdb0537bdd20ba8932fcd0f9febf8e0a20aa03aa5534e15c54305c46081c

  • SHA512

    a46e4504740bcbdb6e599c980e3d3167696f9770d9f029c1b837a511184eea54103d5aa8eb42eb7b7a3b50c35455cb5fa1c384a5e862e50b4770c003c9a38adb

  • SSDEEP

    49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBz9w4Sx:+R0pI/IQlUoMPdmpSpT4

Score
7/10
discoverypersistence

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3ad5ebf46dc77d06551144119520bdb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\3ad5ebf46dc77d06551144119520bdb0N.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:900
    • C:\IntelprocE0\devoptiec.exe
      C:\IntelprocE0\devoptiec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2556

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize

    206B

    MD5

    be857ea1b9f45225f88b1bae06b34de7

    SHA1

    6dca8f6340b7cc145b8d73056e7bfa784b61c176

    SHA256

    9573dc6c0c16f17a856464d620e9f6c5088040f555622a11dcda42a6819905e8

    SHA512

    fc12d172b1248a94eb832f88d51fb10ea9944e689c4957996af9862c9f1c930cafe82b87ee801e4cf67014d953db543a19668336facd778098f17112fe3460b4

    Download Submit

  • C:\VidAX\bodxloc.exe
    Filesize

    2.7MB

    MD5

    8da79cc1de9e9e3127868fb08627d82f

    SHA1

    4d56034fd225562e26b4b23f748a2049a5f134a4

    SHA256

    fcc1861051f9d1e6a7e1c2cded41c6e053d346d803f710f2cb66d26e2d785834

    SHA512

    61481aa0be1a302e5c77698605dd88bc6a34261cd2aaf586703da04effbfdcf1ec839c4d6f12b6b5799ab48997098c6cd02536f5b207ecd003dfcb560edeb81a

    Download Submit

  • \IntelprocE0\devoptiec.exe
    Filesize

    2.7MB

    MD5

    2be10dc68254bc15a7662bebf1d1ba9a

    SHA1

    f3bbd5d30059e4b742f326e0f3755f9c27fbd5d3

    SHA256

    38d80b5c0378898a7985400985d30f89dbe4469d11b4debd15f27931d06266a5

    SHA512

    b29a63002e7a4bd8351ef7d44c3eb0584e09f2d1a5448130674f45c0c77c69613deccdd189d06ce6c2f09c7c0e6ef298275985958f5b095c0edab1c8d933532e

    Download Submit