Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    120s
  • max time network
    109s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/07/2024, 07:57

General

  • Target

    ab9c4ccea70454f8097b2dbfe4aa09e0N.exe

  • Size

    2.7MB

  • MD5

    ab9c4ccea70454f8097b2dbfe4aa09e0

  • SHA1

    2820cc3166ca0f1888ae003789a63d0ae46ea111

  • SHA256

    eb92224b2a476f2a6118fdf8250b41aafc072fe671457e0bb2aefa9ec5b5fbb1

  • SHA512

    ed1f75b507f5b5fcb6aca34449dbd96534d2c9145be07ca0dd9b84554e3558cc76b68ff4efb89e0b82ba143d72b7ee7f606b7fd03ec9ab52c51ad5b69c27450a

  • SSDEEP

    49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBs9w4Sx:+R0pI/IQlUoMPdmpSpe4

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ab9c4ccea70454f8097b2dbfe4aa09e0N.exe
    "C:\Users\Admin\AppData\Local\Temp\ab9c4ccea70454f8097b2dbfe4aa09e0N.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3000
    • C:\Adobe5W\xdobloc.exe
      C:\Adobe5W\xdobloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4932

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Adobe5W\xdobloc.exe

    Filesize

    2.7MB

    MD5

    69e5c1ca3d2c7c161e1a12e2dfac2356

    SHA1

    697d66e2fe23de0b8488be4e0bde7245e4cabbc1

    SHA256

    49aae32ce6b2445b05aed0bfbf41380acda3ca6c9ac7a60586b1768014f98623

    SHA512

    aa852729af94b30554adc3beecc19c85e1081b4a560792c5129171a87ef238720611dcda0daf47a09527aa0b95247da2195ec47604c914bc983fe8e3dcf114ed

  • C:\KaVB58\dobasys.exe

    Filesize

    2.7MB

    MD5

    96cc18a621dd7164d0cbd094449184f6

    SHA1

    15c174cbe939e104d2802b159ed6b67aeae8161e

    SHA256

    2f4ddee710503a4cf513cdf324624a2ed44967544bdefb81d6320bc85bd521a9

    SHA512

    e08578bd7538f9c215429481f7dd73e4ee5d031209cf1e7ffd95f5e88234c791f07c18dc2dba0e04dada049713e0b45dc6567a9d3001ae885a73f76a0803497f

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    203B

    MD5

    e37546f2ab56c157c823d5e6fd6ba574

    SHA1

    d3c5dd43633fc6830b22011bf51f58ea8dc051c6

    SHA256

    73a37e60bc2a6773d85be610d2d253cfeb157306f63c0ea3306f183b93255fa3

    SHA512

    6871036b9badd00a13404b9d8a98f3929d5c900c4f88a75bfc2690c8a92353d1bb4691963bf3659265780cfa460b98d88a648f8a3747afc9f994b767fd5f7e0b