Analysis

- Max time kernel: 119s
- Max time network: 100s
- Platform: windows10-2004_x64
- Resource: win10v2004-20240802-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 19/08/2024, 22:20
Static task
- static1

Behavioral task
- behavioral1
  - Sample: f33c2afa2d45c5784439c61a7d9009f0N.exe
  - Resource: win7-20240708-en

Behavioral task
- behavioral2
  - Sample: f33c2afa2d45c5784439c61a7d9009f0N.exe
  - Resource: win10v2004-20240802-en
General

- Target: f33c2afa2d45c5784439c61a7d9009f0N.exe
- Size: 2.7MB
- MD5: f33c2afa2d45c5784439c61a7d9009f0
- SHA1: 273be5be75d780b58097edf35d3bd0610309c476
- SHA256: a087c86a90741d6de9a7bba11f97fcbc81a7c5f76561a3960bdfcce02c44c516
- SHA512: da24ec5efaf02788c44121fe676dfa1e833c0c4ee8ad0f6023f1d7f807f91d1bb585e930a523111c0ba311319d9a817bfc11067d34ba657884177bfd85e00d68
- SSDEEP: 49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBA9w4Sx:+R0pI/IQlUoMPdmpSpO4
Malware Config

Signatures

- Executes dropped EXE (1 IoC)

  pid  | Process
  -----|-------------
  1680 | devdobec.exe

- Adds Run key to start application (2 TTPs, 2 IoCs)

  description     | ioc                                                                                                                                        | Process
  ----------------|--------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------
  Set value (str) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvQA\\devdobec.exe"  | f33c2afa2d45c5784439c61a7d9009f0N.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ7T\\optiaec.exe" | f33c2afa2d45c5784439c61a7d9009f0N.exe

- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)

  An attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  description | ioc                                                         | Process
  ------------|-------------------------------------------------------------|-----------------------------------------
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f33c2afa2d45c5784439c61a7d9009f0N.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | devdobec.exe

- Suspicious behavior: EnumeratesProcesses (64 IoCs)

  The 64 entries repeat the same two (pid, Process) pairs:

  pid  | Process
  -----|-----------------------------------------
  1828 | f33c2afa2d45c5784439c61a7d9009f0N.exe
  1680 | devdobec.exe

- Suspicious use of WriteProcessMemory (3 IoCs)

  description                   | pid  | Process                               | procid_target
  ------------------------------|------|---------------------------------------|--------------
  PID 1828 wrote to memory of 1680 | 1828 | f33c2afa2d45c5784439c61a7d9009f0N.exe | 86
  PID 1828 wrote to memory of 1680 | 1828 | f33c2afa2d45c5784439c61a7d9009f0N.exe | 86
  PID 1828 wrote to memory of 1680 | 1828 | f33c2afa2d45c5784439c61a7d9009f0N.exe | 86
Processes

- C:\Users\Admin\AppData\Local\Temp\f33c2afa2d45c5784439c61a7d9009f0N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f33c2afa2d45c5784439c61a7d9009f0N.exe"
  Depth: 1
  PID: 1828
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  - C:\SysDrvQA\devdobec.exe
    Command line: C:\SysDrvQA\devdobec.exe
    Depth: 2 (child of PID 1828)
    PID: 1680
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 1.7MB
  MD5: e9b0ea5e415163b6a2131d739b6a749b
  SHA1: 304d7dc3ca0559ca63bae34f56dbc4b64a788973
  SHA256: 7e19314e87d3bddbf0549abb12177dbf22e570f9ec7d1666a74b5ca0b93e05aa
  SHA512: a79db4529ff4df0d9ee0d9a3cf7c23728057c067de0b13226b34b1fbb4b8748585dc87fd7a2d3d9582e33d149535108b81febea88b84cbcc96afafe5c5389240

- Filesize: 2.7MB
  MD5: 422027edc8f406c2919a3b2ac3350134
  SHA1: 01e3440d8ed6d4e2dcf9710a128a527103f8bb0e
  SHA256: b1078e23e3989ed1d6041e2f3c98d4c6b2ddfa5ea8ab0c3850e840ef9c567b60
  SHA512: edf06be7ded3a8857504eeb076a306ba0b57c0b30ee5f955c1121e8311ea8b9edaffcbfd99d98944f5f39cfe89a0fe6000be2d4afb955ad890fadb430c129e20

- Filesize: 203B
  MD5: 17793016854aa85fddd9259baff35f27
  SHA1: ae285e826cf8dabcd35a0ff431b6ae45f37c9742
  SHA256: 1c468b653a5f8c94ac7f36d56722c72f2455322faebdb14ee5d31c02240f7f9f
  SHA512: eb389363fb5e6b731636c59c4ae7baef21c6ff0a65c21a769b728c35b1853b9cb26c6654060bb84ce1953298de6c66326602e65fe1c7e6b418264d2f6ae5592a