Analysis

  • max time kernel
    119s
  • max time network
    104s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26/07/2024, 17:55

General

  • Target: 3ad5ebf46dc77d06551144119520bdb0N.exe
  • Size: 2.7MB
  • MD5: 3ad5ebf46dc77d06551144119520bdb0
  • SHA1: 2e86585df470a06496f7247965dc2063ceb333c5
  • SHA256: da44fdb0537bdd20ba8932fcd0f9febf8e0a20aa03aa5534e15c54305c46081c
  • SHA512: a46e4504740bcbdb6e599c980e3d3167696f9770d9f029c1b837a511184eea54103d5aa8eb42eb7b7a3b50c35455cb5fa1c384a5e862e50b4770c003c9a38adb
  • SSDEEP: 49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBz9w4Sx:+R0pI/IQlUoMPdmpSpT4

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3ad5ebf46dc77d06551144119520bdb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\3ad5ebf46dc77d06551144119520bdb0N.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4568
    • C:\IntelprocG8\xbodsys.exe
      C:\IntelprocG8\xbodsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:216

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\IntelprocG8\xbodsys.exe
    Filesize: 2.7MB
    MD5: 7843986ebd9fdcef201de170537d1cd4
    SHA1: 5f587a336c40de85d96cc75403d753c5fa9832f1
    SHA256: aad8c45563560d3669e6ba8d98b9e07d3bcab6ba1babaa1d72f79e1c3f696655
    SHA512: e0d0a871d85562aa27992de6de18344b98c1b5752bc6f9ece8f1c7d7906d3ef6297d92a7d537d8ac4c91fb4240f2edc36654da09768df89748f7b92958b64925

  • C:\LabZOR\boddevloc.exe
    Filesize: 700KB
    MD5: f3354f20196b88a901f274bdee7dfed6
    SHA1: caddace2a706abafe70a9abe6456c316f154ef2f
    SHA256: cd9ad92b4702cf52fcc4ad9e266c78724756727add9b6af5f95fe92bd28f0466
    SHA512: 0aa7d66d291177ae841588e203d3bb4b36c3729ff93d51ff623b22f9280acd859845ca2969e9e2c4969daea2093c182aeb03e60d993bcd1c6024583e52b22dda

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 207B
    MD5: 2c04e76445f9e18172b6523d33e2b8f9
    SHA1: 46ed2562d5777d7f97482d76660ceedf8f7b4d29
    SHA256: 069a0d36c8601626e41f767d4430bede176917a0d8066d8497d8608d5da9323d
    SHA512: bd853686dba3debedc3435df66dbc59c044e14edd6da1f78703d95221d0088b3cc8f5e36747280d54f1976a558500918eb2705d2baf8e7b2c010ea75912c2f37