Analysis
max time kernel: 119s
max time network: 21s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 27/07/2024, 07:57
Static task: static1
Behavioral task: behavioral1
  Sample: ab9c4ccea70454f8097b2dbfe4aa09e0N.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: ab9c4ccea70454f8097b2dbfe4aa09e0N.exe
  Resource: win10v2004-20240709-en
General
Target: ab9c4ccea70454f8097b2dbfe4aa09e0N.exe
Size: 2.7MB
MD5: ab9c4ccea70454f8097b2dbfe4aa09e0
SHA1: 2820cc3166ca0f1888ae003789a63d0ae46ea111
SHA256: eb92224b2a476f2a6118fdf8250b41aafc072fe671457e0bb2aefa9ec5b5fbb1
SHA512: ed1f75b507f5b5fcb6aca34449dbd96534d2c9145be07ca0dd9b84554e3558cc76b68ff4efb89e0b82ba143d72b7ee7f606b7fd03ec9ab52c51ad5b69c27450a
SSDEEP: 49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBs9w4Sx:+R0pI/IQlUoMPdmpSpe4
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid   Process
  2324  xbodsys.exe

Loads dropped DLL (1 IoC)
  pid   Process
  2500  ab9c4ccea70454f8097b2dbfe4aa09e0N.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                                                                              Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxBC\\optiasys.exe"   ab9c4ccea70454f8097b2dbfe4aa09e0N.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv1Z\\xbodsys.exe"       ab9c4ccea70454f8097b2dbfe4aa09e0N.exe

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  xbodsys.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ab9c4ccea70454f8097b2dbfe4aa09e0N.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  2500  ab9c4ccea70454f8097b2dbfe4aa09e0N.exe
  2324  xbodsys.exe
  (the 64 IoCs are repeated hits on these two pid/process pairs)

Suspicious use of WriteProcessMemory (4 IoCs)
  description                       pid   Process                                procid_target
  PID 2500 wrote to memory of 2324  2500  ab9c4ccea70454f8097b2dbfe4aa09e0N.exe  31
  (reported 4 times with identical values)
Processes
C:\Users\Admin\AppData\Local\Temp\ab9c4ccea70454f8097b2dbfe4aa09e0N.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\ab9c4ccea70454f8097b2dbfe4aa09e0N.exe"
  PID: 2500
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  child: C:\SysDrv1Z\xbodsys.exe
    command line: C:\SysDrv1Z\xbodsys.exe
    PID: 2324
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2.7MB
MD5: c54421aee8c5e70bcc09a8c41d71f2f3
SHA1: 3f85ba24986f4af394ed09ea95ab58d01256ac1a
SHA256: 5c077541244e43647937a11ec1a6188effdaed84248f5b2514d4cbd069a56a7a
SHA512: 19ab82bf9306c32356e2d5e449a3239c6c95c910fa2da1a26aed862aed276d60c4da17627d0aac183d1e02b0ab4fcd7cbfcc5b1bda212d9969fd8d54b1d595f3

Filesize: 203B
MD5: d8704125f61678ad0b9549fbc9e7a450
SHA1: a63827b116d929388aebedec143f4f6b822591a8
SHA256: b586451c0fb0f631de9d3b961ac03c68561a86cb6ea7b99fd528718d78bcc6f0
SHA512: 46a49d4b2cac37e7977c4b2616a27c68ccfd6e39a9791fe494ddd39398413e65677a6b3ad431dabb65b101510d3d43286ff18b1b9f9b43bd913b74b3d17c698c

Filesize: 2.7MB
MD5: bae4091808cf9c7122e5cd3b1af90bb0
SHA1: 41f8e38ef007736e9404fdd08b911719864ed6a8
SHA256: c6878269f0cfb87b1f7c8e7275e02818d20ee0b0fcf1d04c9d1279d58b1114a8
SHA512: a1c806ebaa1ef80be3a34b42841607db21f54e1e92f630dfb7dfffa506e92b5ae50fee1011b7b45e0c1ada7b2899cf1d864d7c02b3955681b6714a14e2e8d3c4