Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

ab9c4ccea7...0N.exe

windows7-x64

7

ab9c4ccea7...0N.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    119s
  • max time network
    21s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    27/07/2024, 07:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ab9c4ccea70454f8097b2dbfe4aa09e0N.exe

  • Size

    2.7MB

  • MD5

    ab9c4ccea70454f8097b2dbfe4aa09e0

  • SHA1

    2820cc3166ca0f1888ae003789a63d0ae46ea111

  • SHA256

    eb92224b2a476f2a6118fdf8250b41aafc072fe671457e0bb2aefa9ec5b5fbb1

  • SHA512

    ed1f75b507f5b5fcb6aca34449dbd96534d2c9145be07ca0dd9b84554e3558cc76b68ff4efb89e0b82ba143d72b7ee7f606b7fd03ec9ab52c51ad5b69c27450a

  • SSDEEP

    49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBs9w4Sx:+R0pI/IQlUoMPdmpSpe4

Score
7/10
discoverypersistence

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ab9c4ccea70454f8097b2dbfe4aa09e0N.exe
    "C:\Users\Admin\AppData\Local\Temp\ab9c4ccea70454f8097b2dbfe4aa09e0N.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2500
    • C:\SysDrv1Z\xbodsys.exe
      C:\SysDrv1Z\xbodsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2324

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\GalaxBC\optiasys.exe
    Filesize

    2.7MB

    MD5

    c54421aee8c5e70bcc09a8c41d71f2f3

    SHA1

    3f85ba24986f4af394ed09ea95ab58d01256ac1a

    SHA256

    5c077541244e43647937a11ec1a6188effdaed84248f5b2514d4cbd069a56a7a

    SHA512

    19ab82bf9306c32356e2d5e449a3239c6c95c910fa2da1a26aed862aed276d60c4da17627d0aac183d1e02b0ab4fcd7cbfcc5b1bda212d9969fd8d54b1d595f3

    Download Submit

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize

    203B

    MD5

    d8704125f61678ad0b9549fbc9e7a450

    SHA1

    a63827b116d929388aebedec143f4f6b822591a8

    SHA256

    b586451c0fb0f631de9d3b961ac03c68561a86cb6ea7b99fd528718d78bcc6f0

    SHA512

    46a49d4b2cac37e7977c4b2616a27c68ccfd6e39a9791fe494ddd39398413e65677a6b3ad431dabb65b101510d3d43286ff18b1b9f9b43bd913b74b3d17c698c

    Download Submit

  • \SysDrv1Z\xbodsys.exe
    Filesize

    2.7MB

    MD5

    bae4091808cf9c7122e5cd3b1af90bb0

    SHA1

    41f8e38ef007736e9404fdd08b911719864ed6a8

    SHA256

    c6878269f0cfb87b1f7c8e7275e02818d20ee0b0fcf1d04c9d1279d58b1114a8

    SHA512

    a1c806ebaa1ef80be3a34b42841607db21f54e1e92f630dfb7dfffa506e92b5ae50fee1011b7b45e0c1ada7b2899cf1d864d7c02b3955681b6714a14e2e8d3c4

    Download Submit