Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 119s
max time network: 19s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 26/07/2024, 17:55
Static task: static1
Behavioral task: behavioral1
  Sample: 3ad5ebf46dc77d06551144119520bdb0N.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 3ad5ebf46dc77d06551144119520bdb0N.exe
  Resource: win10v2004-20240709-en
General
Target: 3ad5ebf46dc77d06551144119520bdb0N.exe
Size: 2.7MB
MD5: 3ad5ebf46dc77d06551144119520bdb0
SHA1: 2e86585df470a06496f7247965dc2063ceb333c5
SHA256: da44fdb0537bdd20ba8932fcd0f9febf8e0a20aa03aa5534e15c54305c46081c
SHA512: a46e4504740bcbdb6e599c980e3d3167696f9770d9f029c1b837a511184eea54103d5aa8eb42eb7b7a3b50c35455cb5fa1c384a5e862e50b4770c003c9a38adb
SSDEEP: 49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBz9w4Sx:+R0pI/IQlUoMPdmpSpT4
Malware Config
Signatures
Executes dropped EXE 1 IoCs
pid | Process
2556 | devoptiec.exe

Loads dropped DLL 1 IoCs
pid | Process
900 | 3ad5ebf46dc77d06551144119520bdb0N.exe
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocE0\\devoptiec.exe" | 3ad5ebf46dc77d06551144119520bdb0N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidAX\\bodxloc.exe" | 3ad5ebf46dc77d06551144119520bdb0N.exe
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3ad5ebf46dc77d06551144119520bdb0N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | devoptiec.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process (64 events, alternating between the two processes below)
900 | 3ad5ebf46dc77d06551144119520bdb0N.exe
2556 | devoptiec.exe
Suspicious use of WriteProcessMemory 4 IoCs
description | pid | Process | procid_target
PID 900 wrote to memory of 2556 | 900 | 3ad5ebf46dc77d06551144119520bdb0N.exe | 29
PID 900 wrote to memory of 2556 | 900 | 3ad5ebf46dc77d06551144119520bdb0N.exe | 29
PID 900 wrote to memory of 2556 | 900 | 3ad5ebf46dc77d06551144119520bdb0N.exe | 29
PID 900 wrote to memory of 2556 | 900 | 3ad5ebf46dc77d06551144119520bdb0N.exe | 29
Processes
1. C:\Users\Admin\AppData\Local\Temp\3ad5ebf46dc77d06551144119520bdb0N.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\3ad5ebf46dc77d06551144119520bdb0N.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   PID: 900
   2. C:\IntelprocE0\devoptiec.exe (child of PID 900)
      command line: C:\IntelprocE0\devoptiec.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      PID: 2556
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 206B
MD5: be857ea1b9f45225f88b1bae06b34de7
SHA1: 6dca8f6340b7cc145b8d73056e7bfa784b61c176
SHA256: 9573dc6c0c16f17a856464d620e9f6c5088040f555622a11dcda42a6819905e8
SHA512: fc12d172b1248a94eb832f88d51fb10ea9944e689c4957996af9862c9f1c930cafe82b87ee801e4cf67014d953db543a19668336facd778098f17112fe3460b4

Filesize: 2.7MB
MD5: 8da79cc1de9e9e3127868fb08627d82f
SHA1: 4d56034fd225562e26b4b23f748a2049a5f134a4
SHA256: fcc1861051f9d1e6a7e1c2cded41c6e053d346d803f710f2cb66d26e2d785834
SHA512: 61481aa0be1a302e5c77698605dd88bc6a34261cd2aaf586703da04effbfdcf1ec839c4d6f12b6b5799ab48997098c6cd02536f5b207ecd003dfcb560edeb81a

Filesize: 2.7MB
MD5: 2be10dc68254bc15a7662bebf1d1ba9a
SHA1: f3bbd5d30059e4b742f326e0f3755f9c27fbd5d3
SHA256: 38d80b5c0378898a7985400985d30f89dbe4469d11b4debd15f27931d06266a5
SHA512: b29a63002e7a4bd8351ef7d44c3eb0584e09f2d1a5448130674f45c0c77c69613deccdd189d06ce6c2f09c7c0e6ef298275985958f5b095c0edab1c8d933532e