Analysis
- max time kernel: 119s
- max time network: 16s
- platform: windows7_x64
- resource: win7-20240729-en
- resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
- submitted: 18/08/2024, 12:51
Static task: static1
Behavioral task: behavioral1
- Sample: eec4289984c9bc0ebab6c2fcecf482a0N.exe
- Resource: win7-20240729-en
Behavioral task: behavioral2
- Sample: eec4289984c9bc0ebab6c2fcecf482a0N.exe
- Resource: win10v2004-20240802-en
General
- Target: eec4289984c9bc0ebab6c2fcecf482a0N.exe
- Size: 2.7MB
- MD5: eec4289984c9bc0ebab6c2fcecf482a0
- SHA1: 122f6e27e4cd6713307807bba6ccc4b6ef395023
- SHA256: 09dffc978af2e70f62549ef7662d74d460d5dd187c53c40dfd3e5c1098f7396c
- SHA512: 9966442055563034e2faf6b09fe7803759540e4567233c4a807fd81c0256e3818825b35f3ef23b8e2a02252bf0046e056565b7fcd775520b6292d21c68f14c74
- SSDEEP: 49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBO9w4Sx:+R0pI/IQlUoMPdmpSpQ4
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid / Process: 1192 adobsys.exe
- Loads dropped DLL (1 IoC)
  pid / Process: 2324 eec4289984c9bc0ebab6c2fcecf482a0N.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process:
  Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBWK\\optixsys.exe" | eec4289984c9bc0ebab6c2fcecf482a0N.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotPQ\\adobsys.exe" | eec4289984c9bc0ebab6c2fcecf482a0N.exe
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process:
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | eec4289984c9bc0ebab6c2fcecf482a0N.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | adobsys.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid / Process: 64 entries alternating between 2324 eec4289984c9bc0ebab6c2fcecf482a0N.exe and 1192 adobsys.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target: four identical entries
  PID 2324 wrote to memory of 1192 | 2324 | eec4289984c9bc0ebab6c2fcecf482a0N.exe | 29
Processes
- C:\Users\Admin\AppData\Local\Temp\eec4289984c9bc0ebab6c2fcecf482a0N.exe (PID 2324, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\eec4289984c9bc0ebab6c2fcecf482a0N.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\UserDotPQ\adobsys.exe (PID 1192, depth 2, child of PID 2324)
    Command line: C:\UserDotPQ\adobsys.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.7MB
  MD5: 2d859e893907fba9fc9377cbd34585b9
  SHA1: c795538aeb00339b72136e1ac34c4936b0a712a9
  SHA256: c7bfb375a70154fe6abffc24f98655fad89b026d7cee100c9773aff625df29d3
  SHA512: 9fd5e7c1edffbf68a0a66d683949823f6ce69d4e28370440391ed8b5e2d65bf2268bf78145b29d423ffd4195bac6dfd58d95a11f9dbe0c273699ffc10e5da65d
- Filesize: 203B
  MD5: 0322a63e4a68359f03a6cdccaa5d20be
  SHA1: 06d54299096a27fdac476e8174d4e9458314dcb6
  SHA256: 0a1ccd4385aff13bdb55f559ca59906433f2e4f1894b256097fb832f6adf684e
  SHA512: df61409332797698ec0e01e57635c5f29a0c9c8d680dd7a1ea6ec732ab7d8c9796ac01f9b957e784ddf6852b4241784060b27a344d8f20915484ca0a0cbaa46a
- Filesize: 2.7MB
  MD5: 069299f0170bc0275bb66e113207891e
  SHA1: 045de87cac7b59445aceda3fa8c3c736e454c5e5
  SHA256: c4a0a62b905108a8e94404664cecdf2ad40d59a69186af1abd07a791e289636a
  SHA512: ef0199c3a983114757dcac850c2077649a4580b07f38cef003b89f09c6a4b1296df81b00be97b5ceb22a8f313f00e3e98a18cb95c2e3a34b0c59626711453ec1