Analysis
- max time kernel: 149s
- max time network: 125s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/08/2024, 22:38
- Static task: static1
- Behavioral task: behavioral1
  Sample: 6e37c6c2c33286a420dc4fe2de3e7d5460f697ed7c15222ab398ff7d88a50be5.exe
  Resource: win7-20240704-en
- Behavioral task: behavioral2
  Sample: 6e37c6c2c33286a420dc4fe2de3e7d5460f697ed7c15222ab398ff7d88a50be5.exe
  Resource: win10v2004-20240802-en
General
- Target: 6e37c6c2c33286a420dc4fe2de3e7d5460f697ed7c15222ab398ff7d88a50be5.exe
- Size: 2.7MB
- MD5: 6e8372e4098b599de1ac0fc3f0610d74
- SHA1: 6e4cab862e5e10f269118b88f20a8f699f853e80
- SHA256: 6e37c6c2c33286a420dc4fe2de3e7d5460f697ed7c15222ab398ff7d88a50be5
- SHA512: 0daf6f512eff68610a5f9808051b43fd781c2d0bfdb86c19d3f68c031653745492f33a5606a8efa48f79c579b1f06e2176ae7cd18efb5dfc451654a578f29a49
- SSDEEP: 49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBX9w4Sx:+R0pI/IQlUoMPdmpSpH4
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
- pid 3756, Process: devbodec.exe
Adds Run key to start application 2 TTPs 2 IoCs
- Set value (str): \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesJL\\devbodec.exe" (Process: 6e37c6c2c33286a420dc4fe2de3e7d5460f697ed7c15222ab398ff7d88a50be5.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid76\\dobaec.exe" (Process: 6e37c6c2c33286a420dc4fe2de3e7d5460f697ed7c15222ab398ff7d88a50be5.exe)
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: 6e37c6c2c33286a420dc4fe2de3e7d5460f697ed7c15222ab398ff7d88a50be5.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: devbodec.exe)
Suspicious behavior: EnumeratesProcesses 64 IoCs
64 entries, alternating in pairs between the two processes below:
- pid 3804, Process: 6e37c6c2c33286a420dc4fe2de3e7d5460f697ed7c15222ab398ff7d88a50be5.exe
- pid 3756, Process: devbodec.exe
Suspicious use of WriteProcessMemory 3 IoCs
- PID 3804 wrote to memory of 3756; pid 3804, Process: 6e37c6c2c33286a420dc4fe2de3e7d5460f697ed7c15222ab398ff7d88a50be5.exe, procid_target 87
- PID 3804 wrote to memory of 3756; pid 3804, Process: 6e37c6c2c33286a420dc4fe2de3e7d5460f697ed7c15222ab398ff7d88a50be5.exe, procid_target 87
- PID 3804 wrote to memory of 3756; pid 3804, Process: 6e37c6c2c33286a420dc4fe2de3e7d5460f697ed7c15222ab398ff7d88a50be5.exe, procid_target 87
Processes
- C:\Users\Admin\AppData\Local\Temp\6e37c6c2c33286a420dc4fe2de3e7d5460f697ed7c15222ab398ff7d88a50be5.exe (PID 3804)
  Command line: "C:\Users\Admin\AppData\Local\Temp\6e37c6c2c33286a420dc4fe2de3e7d5460f697ed7c15222ab398ff7d88a50be5.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\FilesJL\devbodec.exe (PID 3756, child of PID 3804)
    Command line: C:\FilesJL\devbodec.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.7MB
  MD5: 333c844bb6043596ea09f43b3597a312
  SHA1: d02ced70c20a750cb3b09a0d5de564621fc2ead2
  SHA256: 25b9129e0ade1b33210a14d6e87e0c566ec16f4d4973266e57778ecaa82b8d04
  SHA512: 808076544e71c423fd5b894e61dcb31ba7d1e5bc20888622a5131d8772d6907a60eb92f02dd5422fb835161dda247fb5fcdb0e45351dd053aeec97f830d0c79c
- Filesize: 201B
  MD5: 48a083bafc45e59cfce6f6db1aa2767c
  SHA1: 40a2cdf204a265076e0373bef7072dac3516bfac
  SHA256: 6f243196df9357a63bd43f8719c56c59654468ac10114b525be94356363c7f03
  SHA512: 89ce1acbc1b77e5970007e2391543d187926f2b4a9c9c111d8c6de546f438b9dd45318f8def5837f79f768127af5b8294bc49f081bdb018377d3a5488010fa07
- Filesize: 2.7MB
  MD5: 85c612e24fd89c39b701d4a1b9fbffcd
  SHA1: c0a8a7395e8ac715e652cb79447334334a81eb1b
  SHA256: e2488cea0524cfbd9daef80bc17517625294a59467793f42d0d69494321afcfb
  SHA512: 9b4ca428f79296aa2c053355f01d118f378055f62279976ad2dd09feeb867f044826aa3ad322e73afd0cbdf85f0de9ada08e843b239e275fa195ba2ead8200e5