Analysis

  • max time kernel: 119s
  • max time network: 92s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240802-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 05/08/2024, 12:03

General

  • Target: 89df74e783e31db93de93ec03cdd7aa0N.exe
  • Size: 2.7MB
  • MD5: 89df74e783e31db93de93ec03cdd7aa0
  • SHA1: 9b2f6ae72922ad4272103bb7e1cc5f8aa588cc2f
  • SHA256: 09afb153a9ebd54d3b143e3c8c85efe458783d40ccdf94b56e9f37b62ed14394
  • SHA512: 4b71b8d0613ef61dd5d43e913788ad07f28eec4f748d0e4bb7cc926999a3d8c0ab4011e2e92ff333d8ae62c6b764000ccb182f0511c3af4358c796eb21b5b92f
  • SSDEEP: 49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBg9w4Sx:+R0pI/IQlUoMPdmpSp+4

Malware Config

Signatures

  • Executes dropped EXE (1 IoC)
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\89df74e783e31db93de93ec03cdd7aa0N.exe (PID 3856)
    Command line: "C:\Users\Admin\AppData\Local\Temp\89df74e783e31db93de93ec03cdd7aa0N.exe"
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • C:\FilesQ7\devbodloc.exe (PID 3664)
      Command line: C:\FilesQ7\devbodloc.exe
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\FilesQ7\devbodloc.exe
    Filesize: 2.7MB
    MD5: 07684fa528d3ce32572a04fff205ee2d
    SHA1: 70ce245f08d3e05ea821dbf8286254de42d6fd1d
    SHA256: 8f784adb472d2cfc175ab8a9bbdf4de297a23cf71d334e39e41135b1ad19c876
    SHA512: afa25d73f1299a18cdceceb298d7592e5263cd3341c0b7152eb861d7fc491ad9e1d3b41d9bc9d4940a953560dd2c9701c9b6c76c0590d56d3c3ba8c23fd79891

  • C:\KaVBXY\bodxsys.exe
    Filesize: 37KB
    MD5: ae5b366e72e43be2dbe9f82b57b0ab48
    SHA1: 04e0149d9f0808d8df97ec19385955dd917498b6
    SHA256: c51e35651676ccdd200a8f7b134a256a337b5d024eda4d5fc750f5ee495fe309
    SHA512: df0cd86fc560d7a176f86f0763fe0ebaaf9692e897ed029c9abb1dd4ef88c957a0d4444e0eabcd73dfd23d7cdbe8078eb9edd0bdf3a00e6c2c4792c2558ae8b9

  • C:\KaVBXY\bodxsys.exe
    Filesize: 2.7MB
    MD5: 52d4e3399dd8d752a161cbb248e9b9e7
    SHA1: 250459637b323396a50e9a43de733af5fbacf757
    SHA256: 8ceae163b5b1e4d0d16c4dae3e307b79d1ddc77b4f5e9a7774498cbb2ad61ac5
    SHA512: 4a5016cc49611f453ee90eeecf50d760bd0e3a5f89d5484df681febed10c19d43dabf07770bc6077a5d03cc28af3cfbaf56ba11ef5317a3a2ebe1fa45463a363

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 202B
    MD5: 027ebd940d4bf6c7e1c727bb46376b00
    SHA1: 307de1038ba67f530b77009f0fa04efddae799bc
    SHA256: eadd891ed8e7c579e669f702269bba2cc193f8edc965394e77b56e0ac77fccb5
    SHA512: 7a3db8f1db1ae1f788f395afcc01a6643d61219f89a1b0c3d038e1844d66474d415e0473186f345a53c55575fa8c174800c5ed7e72162f02c04675b21554c3a8