Analysis
  max time kernel: 120s
  max time network: 109s
  platform: windows10-2004_x64
  resource: win10v2004-20240709-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 27/07/2024, 07:57
Static task: static1
Behavioral task: behavioral1
  Sample: ab9c4ccea70454f8097b2dbfe4aa09e0N.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: ab9c4ccea70454f8097b2dbfe4aa09e0N.exe
  Resource: win10v2004-20240709-en
The results below are from behavioral2, the Windows 10 run (platform windows10-2004_x64, resource win10v2004-20240709-en in the Analysis block above).
General
  Target: ab9c4ccea70454f8097b2dbfe4aa09e0N.exe
  Size: 2.7MB
  MD5: ab9c4ccea70454f8097b2dbfe4aa09e0
  SHA1: 2820cc3166ca0f1888ae003789a63d0ae46ea111
  SHA256: eb92224b2a476f2a6118fdf8250b41aafc072fe671457e0bb2aefa9ec5b5fbb1
  SHA512: ed1f75b507f5b5fcb6aca34449dbd96534d2c9145be07ca0dd9b84554e3558cc76b68ff4efb89e0b82ba143d72b7ee7f606b7fd03ec9ab52c51ad5b69c27450a
  SSDEEP: 49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBs9w4Sx:+R0pI/IQlUoMPdmpSpe4
Malware Config
  (none listed)
Signatures
Executes dropped EXE (1 IoC)
  PID 4932  xdobloc.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str)  \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe5W\\xdobloc.exe"  (process: ab9c4ccea70454f8097b2dbfe4aa09e0N.exe)
  Set value (str)  \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB58\\dobasys.exe"  (process: ab9c4ccea70454f8097b2dbfe4aa09e0N.exe)
  Both values are written by the original sample (PID 3000), not by the dropped xdobloc.exe, and both use the value name "Parametr". The Run entry points at the binary that does execute (xdobloc.exe); the RunOnce entry points at a second path, C:\KaVB58\dobasys.exe, which never appears in the process tree within the analysis window, so it is a persistence IoC to hunt for even though this run shows no execution of it.
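As an added example for this report (not tria.ge's own tooling and not code from the sample), the following Python script runs the detection a responder would build from the Run/RunOnce IoCs above over Sysmon-style Event ID 13 (registry value set) records exported as JSON lines. The log records are constructed: the two PID 3000 entries copy the report's registry writes, while the remaining records, the PIDs 5120 and 6400, the field names and the TRUSTED_PREFIXES allow-list are assumptions. A write is reported when the autostart target is one of the report's IoCs or lives outside the allow-listed directories, which is the property that makes C:\Adobe5W and C:\KaVB58 stand out in the first place.

```python
"""Flag Run/RunOnce persistence writes in Sysmon-style registry events.

Added example for this report (not tria.ge code). The events below are
constructed JSON lines in the shape of Sysmon Event ID 13 (RegistryEvent,
value set); the two records for PID 3000 copy the report's "Adds Run key"
IoCs, the other records and the TRUSTED_PREFIXES allow-list are assumptions.
"""
import json
import re

# Matches the autostart keys in either the Sysmon (HKU\...) or the native
# (\REGISTRY\USER\...) path form; group 1 is "Run" or "RunOnce".
RUN_KEY_RE = re.compile(
    r"\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\",
    re.IGNORECASE,
)

# Directories an autostart entry is allowed to point into (assumption;
# tune per estate). Anything else is reported for triage.
TRUSTED_PREFIXES = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\windows\\",
)

# Exact autostart targets taken from the report's Run/RunOnce IoCs.
REPORT_IOCS = {
    "c:\\adobe5w\\xdobloc.exe",
    "c:\\kavb58\\dobasys.exe",
}

# Constructed log, one JSON object per line; "\\" is JSON's escape for one backslash.
SAMPLE_LOG = r"""
{"EventID": 13, "ProcessId": 3000, "Image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\ab9c4ccea70454f8097b2dbfe4aa09e0N.exe", "TargetObject": "HKU\\S-1-5-21-1176886754-713327781-2233697964-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Parametr", "Details": "C:\\Adobe5W\\xdobloc.exe"}
{"EventID": 13, "ProcessId": 3000, "Image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\ab9c4ccea70454f8097b2dbfe4aa09e0N.exe", "TargetObject": "HKU\\S-1-5-21-1176886754-713327781-2233697964-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Parametr", "Details": "C:\\KaVB58\\dobasys.exe"}
{"EventID": 13, "ProcessId": 5120, "Image": "C:\\Program Files\\Vendor\\setup.exe", "TargetObject": "HKU\\S-1-5-21-1176886754-713327781-2233697964-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorAgent", "Details": "\"C:\\Program Files\\Vendor\\agent.exe\" --tray"}
{"EventID": 13, "ProcessId": 6400, "Image": "C:\\Users\\Admin\\AppData\\Roaming\\updater.exe", "TargetObject": "HKU\\S-1-5-21-1176886754-713327781-2233697964-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater", "Details": "C:\\Users\\Admin\\AppData\\Roaming\\updater.exe"}
{"EventID": 13, "ProcessId": 3000, "Image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\ab9c4ccea70454f8097b2dbfe4aa09e0N.exe", "TargetObject": "HKU\\S-1-5-21-1176886754-713327781-2233697964-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden", "Details": "DWORD (0x00000002)"}
"""


def autostart_key(target_object: str):
    """Return "Run" or "RunOnce" if the value lives under an autostart key, else None."""
    match = RUN_KEY_RE.search(target_object)
    return match.group(1) if match else None


def image_from_details(details: str) -> str:
    """Pull the executable path out of a Run value's data.

    Handles the two common shapes: a bare path, or a quoted path followed by
    arguments. Anything else (rundll32, cmd /c ...) comes back as its first
    token so it is still judged against the allow-list.
    """
    data = details.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def analyze(log_text: str) -> list:
    """Parse JSON lines and return one finding per suspicious autostart write."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if event.get("EventID") != 13:
            continue
        key = autostart_key(event["TargetObject"])
        if key is None:
            continue  # a registry write, but not to Run/RunOnce
        target = image_from_details(event["Details"])
        lowered = target.lower()
        if lowered in REPORT_IOCS:
            reason = "matches report IoC"
        elif not lowered.startswith(TRUSTED_PREFIXES):
            reason = "autostart target outside trusted directories"
        else:
            continue  # software registering itself from Program Files / Windows
        findings.append({
            "pid": event["ProcessId"],
            "writer": event["Image"],
            "key": key,
            "value_name": event["TargetObject"].rsplit("\\", 1)[-1],
            "target": target,
            "reason": reason,
        })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f['reason']}] pid={f['pid']} {f['key']}\\{f['value_name']} -> {f['target']}")
```

Run it directly to print the three findings (the two report IoCs and the AppData updater); point analyze() at a real JSON-lines export with the same field names to use it beyond the sample. The allow-list is deliberately narrow: autostart entries under AppData are common for legitimate software too, so treat those as triage candidates rather than confirmed persistence, while an exact match on the report's paths is a direct hit.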
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: ab9c4ccea70454f8097b2dbfe4aa09e0N.exe)
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: xdobloc.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 3000  ab9c4ccea70454f8097b2dbfe4aa09e0N.exe
  PID 4932  xdobloc.exe
  (64 entries in total, repeated alternately for the two processes)
Suspicious use of WriteProcessMemory (3 IoCs)
  PID 3000 (ab9c4ccea70454f8097b2dbfe4aa09e0N.exe) wrote to memory of PID 4932 (xdobloc.exe), procid_target 88  (3 identical entries)
  All three writes go from the original sample into the dropped child it launched.
Processes
  C:\Users\Admin\AppData\Local\Temp\ab9c4ccea70454f8097b2dbfe4aa09e0N.exe  (PID 3000)
    command line: "C:\Users\Admin\AppData\Local\Temp\ab9c4ccea70454f8097b2dbfe4aa09e0N.exe"
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Adobe5W\xdobloc.exe  (PID 4932, child of PID 3000)
      command line: C:\Adobe5W\xdobloc.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
  File 1
    Filesize: 2.7MB
    MD5: 69e5c1ca3d2c7c161e1a12e2dfac2356
    SHA1: 697d66e2fe23de0b8488be4e0bde7245e4cabbc1
    SHA256: 49aae32ce6b2445b05aed0bfbf41380acda3ca6c9ac7a60586b1768014f98623
    SHA512: aa852729af94b30554adc3beecc19c85e1081b4a560792c5129171a87ef238720611dcda0daf47a09527aa0b95247da2195ec47604c914bc983fe8e3dcf114ed
  File 2
    Filesize: 2.7MB
    MD5: 96cc18a621dd7164d0cbd094449184f6
    SHA1: 15c174cbe939e104d2802b159ed6b67aeae8161e
    SHA256: 2f4ddee710503a4cf513cdf324624a2ed44967544bdefb81d6320bc85bd521a9
    SHA512: e08578bd7538f9c215429481f7dd73e4ee5d031209cf1e7ffd95f5e88234c791f07c18dc2dba0e04dada049713e0b45dc6567a9d3001ae885a73f76a0803497f
  File 3
    Filesize: 203B
    MD5: e37546f2ab56c157c823d5e6fd6ba574
    SHA1: d3c5dd43633fc6830b22011bf51f58ea8dc051c6
    SHA256: 73a37e60bc2a6773d85be610d2d253cfeb157306f63c0ea3306f183b93255fa3
    SHA512: 6871036b9badd00a13404b9d8a98f3929d5c900c4f88a75bfc2690c8a92353d1bb4691963bf3659265780cfa460b98d88a648f8a3747afc9f994b767fd5f7e0b