Analysis
max time kernel: 149s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/08/2024, 03:47
Static task: static1
Behavioral task: behavioral1
  Sample: ddba06d57625c8b4176b548351225a35c316ae9dd8fdf3c25d1c7a5cba78e9d7.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: ddba06d57625c8b4176b548351225a35c316ae9dd8fdf3c25d1c7a5cba78e9d7.exe
  Resource: win10v2004-20240802-en
General
Target: ddba06d57625c8b4176b548351225a35c316ae9dd8fdf3c25d1c7a5cba78e9d7.exe
Size: 2.7MB
MD5: 617b35f38748aed9d3ab8e269e49b7f8
SHA1: ab549551f6c87858b4ab4f1f79b4b08fc14bf53c
SHA256: ddba06d57625c8b4176b548351225a35c316ae9dd8fdf3c25d1c7a5cba78e9d7
SHA512: 56a7696c0ddc7e853d63797477ad3e7560d37d80759bd7980f9cbecbdb2bba8bc07a06f83d552a6f4d63e04b4733d63f6b2b9235701d22df75be77bad68c9758
SSDEEP: 49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBn9w4Sx:+R0pI/IQlUoMPdmpSpf4
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  PID 5140  devbodloc.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str)  \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe70\\devbodloc.exe"  ddba06d57625c8b4176b548351225a35c316ae9dd8fdf3c25d1c7a5cba78e9d7.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintQ1\\bodxsys.exe"  ddba06d57625c8b4176b548351225a35c316ae9dd8fdf3c25d1c7a5cba78e9d7.exe
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ddba06d57625c8b4176b548351225a35c316ae9dd8fdf3c25d1c7a5cba78e9d7.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  devbodloc.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  64 process-enumeration events, alternating between the two processes:
  PID 4556  ddba06d57625c8b4176b548351225a35c316ae9dd8fdf3c25d1c7a5cba78e9d7.exe
  PID 5140  devbodloc.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  PID 4556 wrote to memory of 5140  ddba06d57625c8b4176b548351225a35c316ae9dd8fdf3c25d1c7a5cba78e9d7.exe  procid_target 86
  PID 4556 wrote to memory of 5140  ddba06d57625c8b4176b548351225a35c316ae9dd8fdf3c25d1c7a5cba78e9d7.exe  procid_target 86
  PID 4556 wrote to memory of 5140  ddba06d57625c8b4176b548351225a35c316ae9dd8fdf3c25d1c7a5cba78e9d7.exe  procid_target 86
Processes
1. C:\Users\Admin\AppData\Local\Temp\ddba06d57625c8b4176b548351225a35c316ae9dd8fdf3c25d1c7a5cba78e9d7.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ddba06d57625c8b4176b548351225a35c316ae9dd8fdf3c25d1c7a5cba78e9d7.exe"
   PID: 4556
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Adobe70\devbodloc.exe (child of PID 4556)
      Command line: C:\Adobe70\devbodloc.exe
      PID: 5140
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.7MB
  MD5: 732ef919eddcd5df1c6060069cae3460
  SHA1: 62eb89c327d79aaf360cf87b12a095a7bd859efb
  SHA256: 79bdf9da481fc7f2bd09f78212b0fa9b217ca1513d1d781ea1c28874191a7293
  SHA512: a5868846786fa9b60239494cd6b633a5d78aeb55af082d4654757140a9f7ac8ffc58ac8d72fa206df8e96d0f767900d8f757bb7da1e09441e5d761150c60b916
- Filesize: 230KB
  MD5: 16444c5d04b9aedbef4c67d049d65a41
  SHA1: 0868eab7a268895ecc0394da8d0d34ac1c4d85e8
  SHA256: b492b22bff0b934dbb8a1ebc89365c62d4ef4c17d5488e71a031087c7c954e58
  SHA512: 6ab065d4e2442c0467cff270c414ba554c631844b2af1bb94c8829acbe5956a0126394f41d86f15c2df3fba79d1e22742d9c71c0d7f13016e7dca6cce0d931f5
- Filesize: 2.7MB
  MD5: 976fbe520d0a6b51b369dc6f7621bf89
  SHA1: 901972746b8866b50d970eda9cd3ac396f204dec
  SHA256: 4659e6270b46097d7f2803bf852102b521230705a9c73c76e9520c07f52bcd78
  SHA512: 431d296fa287750cf272f99b8c109e8b5f15fd60af85c767afbf40a4b0694c96495760bf1be5fdc6b61b090ba5ad63a3a7dcc212ab8109949025a542598b1f30
- Filesize: 203B
  MD5: 51a1df75041b82ac25c6202286d309c4
  SHA1: b8a0820fa494ddd4f3c0293a556379cdbe9c453e
  SHA256: 2bb0f72d3c7c0fe7f41c177e9b537364a2f9541747e87468c23571596956c8fc
  SHA512: 5669ee08f69b9e16803e59862795bf5010a0ff4f38777d456501d6563325fc587a42785adfd2e38b34613d84b4cd37dd4da68865362706dce4c11ec15fd28921
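A host-side hunt for the indicators this report exposes, written as an added example and not part of the Triage report. It covers the "Adds Run key to start application" signature (the `Parametr` value name under HKCU Run and RunOnce, pointing at C:\Adobe70\devbodloc.exe and C:\MintQ1\bodxsys.exe) and the hashes under Downloads: it parses a `reg export` style dump of the user's Run and RunOnce keys, unescapes the .reg encoding, flags entries that reuse the value name or image paths, and labels a file whose SHA256 matches the submitted sample or one of the four dropped files. The value name, paths and hashes are copied from the report; the registry dump and its benign OneDrive entry are constructed for the example.

```python
"""Hunt for this report's persistence and dropped-file IoCs.

Added example, not part of the Triage report. The indicators below are copied
from the report; the registry dump further down is a constructed sample.
"""
import hashlib
import re

# Value name and image paths from the "Adds Run key to start application" signature.
RUN_VALUE_NAME = "Parametr"
DROPPED_PATHS = {r"C:\Adobe70\devbodloc.exe", r"C:\MintQ1\bodxsys.exe"}

# SHA256 of the submitted sample and of the four files listed under Downloads.
KNOWN_SHA256 = {
    "ddba06d57625c8b4176b548351225a35c316ae9dd8fdf3c25d1c7a5cba78e9d7": "submitted sample (2.7MB)",
    "79bdf9da481fc7f2bd09f78212b0fa9b217ca1513d1d781ea1c28874191a7293": "dropped file (2.7MB)",
    "b492b22bff0b934dbb8a1ebc89365c62d4ef4c17d5488e71a031087c7c954e58": "dropped file (230KB)",
    "4659e6270b46097d7f2803bf852102b521230705a9c73c76e9520c07f52bcd78": "dropped file (2.7MB)",
    "2bb0f72d3c7c0fe7f41c177e9b537364a2f9541747e87468c23571596956c8fc": "dropped file (203B)",
}

# Constructed sample of what `reg export` of HKCU\...\CurrentVersion\Run (and
# RunOnce) produces: one benign entry plus the two values the sandbox logged.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Parametr"="C:\\Adobe70\\devbodloc.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Parametr"="C:\\MintQ1\\bodxsys.exe"
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
STRING_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def parse_reg_export(text):
    """Yield (key, value_name, data) for every REG_SZ value in a .reg dump.

    .reg files escape backslashes and double quotes with a backslash; undo
    that so the data compares equal to the path the sandbox logged.
    """
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = STRING_VALUE_RE.match(line)
        if m and key is not None:
            yield key, m.group("name"), re.sub(r"\\(.)", r"\1", m.group("data"))


def image_path(cmdline):
    """Extract the executable path from a Run-key command line, which may be
    a bare path or a quoted path followed by arguments."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline.strip('"')
    return cmdline.split(" ", 1)[0]


def find_run_key_iocs(reg_text):
    """Return (subkey, value_name, image) for Run/RunOnce entries that reuse
    the report's value name or point at one of its dropped files."""
    hits = []
    for key, name, data in parse_reg_export(reg_text):
        if not key.upper().endswith(("\\RUN", "\\RUNONCE")):
            continue
        image = image_path(data)
        if name == RUN_VALUE_NAME or image in DROPPED_PATHS:
            hits.append((key.rsplit("\\", 1)[-1], name, image))
    return hits


def match_sha256(blob):
    """Return the report's label for a file's SHA256, or None if the digest
    is not one of the hashes listed above."""
    return KNOWN_SHA256.get(hashlib.sha256(blob).hexdigest())


if __name__ == "__main__":
    for subkey, name, image in find_run_key_iocs(SAMPLE_REG_EXPORT):
        print(f"{subkey}\\{name} -> {image}")
```

On a live host, `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg /y` writes this format (UTF-16 LE by default, so decode before parsing). The SID in the report's IoC belongs to the sandbox user; when hunting, match the Run and RunOnce subkeys under any HKEY_USERS\<SID> rather than that SID. The hashes only catch these exact files, so the `Parametr` value name and the C:\Adobe70 and C:\MintQ1 paths are the more durable indicators.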