Analysis
- max time kernel: 119s
- max time network: 112s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13/08/2024, 15:31
Static task: static1
Behavioral task: behavioral1
- Sample: 6c3031687cafae6998100b6eb3967aa0N.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: 6c3031687cafae6998100b6eb3967aa0N.exe
- Resource: win10v2004-20240802-en
General
- Target: 6c3031687cafae6998100b6eb3967aa0N.exe
- Size: 3.1MB
- MD5: 6c3031687cafae6998100b6eb3967aa0
- SHA1: 556aa91bb801c32bfdc726daca9e4d12bafa7b0f
- SHA256: 1ead031315e6adebdae83f3ed3651ce6231b40ccdea6a99258a7e513cb0aeedc
- SHA512: 62a0c0777556e7e8d5075710de4b7f29bf7adf090ae755289394d2c652896fa5c2b3d4128bf3f922a3628fa5db509be01ca18f36c9f42df1501314aad47c4d1d
- SSDEEP: 49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBU9w4Su+LNfej:+R0pI/IQlUoMPdmpSpq4JkNfej
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid: 508 | Process: devdobloc.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description: Set value (str) | ioc: \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB5W\\dobxec.exe" | Process: 6c3031687cafae6998100b6eb3967aa0N.exe
  description: Set value (str) | ioc: \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocHZ\\devdobloc.exe" | Process: 6c3031687cafae6998100b6eb3967aa0N.exe
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process: 6c3031687cafae6998100b6eb3967aa0N.exe
  description: Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process: devdobloc.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  The 64 entries are repeated pid/Process pairs for the two processes below, listed in alternating runs:
  pid: 4360 | Process: 6c3031687cafae6998100b6eb3967aa0N.exe
  pid: 508 | Process: devdobloc.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 4360 wrote to memory of 508 | pid: 4360 | Process: 6c3031687cafae6998100b6eb3967aa0N.exe | procid_target: 87
  (the same entry is recorded three times)
Processes
- C:\Users\Admin\AppData\Local\Temp\6c3031687cafae6998100b6eb3967aa0N.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\6c3031687cafae6998100b6eb3967aa0N.exe"
  PID: 4360
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\IntelprocHZ\devdobloc.exe (depth 2)
    Command line: C:\IntelprocHZ\devdobloc.exe
    PID: 508
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.1MB
  MD5: a9b23c5e91937b45db1fd8df2565c137
  SHA1: f2b1a8ea65521ccaf034f9f9a75cdf36f79e9846
  SHA256: 1fbc119ff68574605a7934217f95908d282aaa42198e216d893a25b2a792a6e0
  SHA512: f0967dbba268c006bff3e50dbc9b1596e94ab040178eff37b0b2a6ed621760dda076b85abd6161745e6777db9e97669550d90e4437f249e7445f7f84dec69081
- Filesize: 3.1MB
  MD5: 9e577329fac6b5e152f9be8a07aca600
  SHA1: cdcd4104395a73cf8c233e2324b3fab00cb0d631
  SHA256: 69cc071384e7a647fc07a2c011ec62e255af57b1f8c547d61d14509a1923fe44
  SHA512: f01fea1392505a50490934ec639f1709e0783ecda02371a68d6cb300506c28346302663b8fdeb81b3e0635b80484b4b88c1f4cc8ba3dc9ea3184b3bf59097c1f
- Filesize: 207B
  MD5: 9f33661b63bebd9096dfc86ec1b80534
  SHA1: 75befb6039e6ccd45c34b3406ad7234947bae016
  SHA256: 1a7c6084e49405d0e5112fc5d635a1aaa87f92c9e40626ae36823740b0216e73
  SHA512: bd5c4979eee50c75bbab52678ef9b5b99321e93dd0fdcb96aaf9292e78277a7bc70ea514c0d4ed1d71284e66a807d973612969cdbb4d740ca847a39b534105cd