Analysis
max time kernel
119s
max time network
18s
platform
windows7_x64
resource
win7-20240729-en
resource tags
arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted
17/08/2024, 13:18
Static task
static1
Behavioral task
behavioral1
Sample
8a9951312d55bd0542805a6789f6b730N.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
8a9951312d55bd0542805a6789f6b730N.exe
Resource
win10v2004-20240802-en
General
Target
8a9951312d55bd0542805a6789f6b730N.exe
Size
2.7MB
MD5
8a9951312d55bd0542805a6789f6b730
SHA1
8fdb6c377e6640151cdf94f69f52e3a4640b76d8
SHA256
67a4f95a52bc663a51106d8eaf2f9357683077db0b3eb96e535c70f35b8c4d8c
SHA512
dfab7220d3aaea57b9cd8efa0aba3425f1d048f62659c0665e192f44769e38a855690f5c839606e6ac821a9949240f559e73d8e04c898a4fa0abb09feea5bde9
SSDEEP
49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBK9w4Sx:+R0pI/IQlUoMPdmpSps4
Malware Config
Signatures
Executes dropped EXE 1 IoCs
PID 1924, Process devdobsys.exe
Loads dropped DLL 1 IoCs
PID 2716, Process 8a9951312d55bd0542805a6789f6b730N.exe
Adds Run key to start application 2 TTPs 2 IoCs
Set value (str): \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvOT\\devdobsys.exe" (Process: 8a9951312d55bd0542805a6789f6b730N.exe)
Set value (str): \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxXA\\optidevsys.exe" (Process: 8a9951312d55bd0542805a6789f6b730N.exe)
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: 8a9951312d55bd0542805a6789f6b730N.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: devdobsys.exe)
Suspicious behavior: EnumeratesProcesses 64 IoCs
PID 2716, Process 8a9951312d55bd0542805a6789f6b730N.exe
PID 1924, Process devdobsys.exe
(64 events, alternating between these two processes)
Suspicious use of WriteProcessMemory 4 IoCs
PID 2716 (8a9951312d55bd0542805a6789f6b730N.exe) wrote to memory of PID 1924, procid_target 30 (4 events)
Processes
C:\Users\Admin\AppData\Local\Temp\8a9951312d55bd0542805a6789f6b730N.exe
command line: "C:\Users\Admin\AppData\Local\Temp\8a9951312d55bd0542805a6789f6b730N.exe"
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2716
  C:\SysDrvOT\devdobsys.exe (child of PID 2716)
  command line: C:\SysDrvOT\devdobsys.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1924
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
2.7MB
MD5
e9e77f9e05d1a01536347b85facdfe6d
SHA1
0f11f4a41b1b89ec1fb30b9ffc15db6b07351eda
SHA256
b5d9e1a1d88e63809667a6d572c41c3e035421ab3d0c2a48ae4b1bd81a04e4ad
SHA512
e808f6dc32daef8f8a6b9dbd5c84a67ff23b933b107681e2d0a2af9722f8e67efa5106dde2fed433f357265b38bb523ab945285884e94e236c6a5ef1277b9666

Filesize
207B
MD5
d47f58a179d02af50674171fc944014d
SHA1
7b42904085eb4dca2b2ed44a320df0ce4f521790
SHA256
128e61814bbf6a994d727c54e6237a651cb7110a2723e9af52f215dbda3076a2
SHA512
8bfdf7797931bd6da33c6146e06814b9854af1e8727adfc62d4f9b09ae016bf38e30997ccefd7b2911ce51433ea47864e2ba3d20fcc1c0bafe3f556e48ba0697

Filesize
2.7MB
MD5
b9014da0ea489c487a37925cbf298e08
SHA1
344c2a0c60d78f95ccbbcffd38e32f79c9f0a986
SHA256
44e2d8277b5f0c93e99826857b02bfcad1ed7a555efd7ebbb99f400dde0be045
SHA512
a3002bfd4dbff2c0f1e3297827004cbf75a2607fa036dbc8a98e2183d59c283af68fbf85765122ffaf2bf71912950e01da52df72e14a05b08752aed48b4a6690