
Analysis

  • max time kernel
    119s
  • max time network
    114s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/08/2024, 21:53

General

  • Target
    933ef546eff7c6f5a29b642af99a7cb0N.exe
  • Size
    2.7MB
  • MD5
    933ef546eff7c6f5a29b642af99a7cb0
  • SHA1
    8bb0e318ab3dfa730d1692858fd01a2b9a8c50d7
  • SHA256
    861018a3b9c12f6aa2f54f4a09bc97f79591f741aba32f245c73e02281184bdb
  • SHA512
    c6debc1db7eae826dddb3efec5809fd9ce0573dc8e03108072bfe50ffa624687dc8f853db43717f85a67e0005ef52b00aa7076b0e9f462409e5e46cae6c6500b
  • SSDEEP
    49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBO9w4Sx:+R0pI/IQlUoMPdmpSpE4

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim host in order to infer its geographical location.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\933ef546eff7c6f5a29b642af99a7cb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\933ef546eff7c6f5a29b642af99a7cb0N.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2536
    • C:\IntelprocSQ\devdobsys.exe
      C:\IntelprocSQ\devdobsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:812

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\IntelprocSQ\devdobsys.exe
    Filesize
    2.7MB
    MD5
    06cf01d932dc282aa7f9a7747b814d18
    SHA1
    16b575512c48ff2bf068e038035ed0d391f1678f
    SHA256
    910a90b82083b3d91ec65d75b5f4c2a3c151c83b42563e0825769405ea71f6d2
    SHA512
    1a5e633f109590a20b7bdd4e57337b69f5245761c89e8b6b80dedcc44ef12cd8eab848b0eb6d56f75eb90c2765805e437a54f9ee8c0dbde2a20b50c7fa2b1670
  • C:\MintD0\dobdevec.exe
    Filesize
    2.7MB
    MD5
    9e58397ae0e247c30423a6a8e2c625ac
    SHA1
    e01bff3f654d44a6eeb58b80f7988d3538da529e
    SHA256
    71fb56a0c9aa7380575c3e96626abafd95d3f2e4d85d1b2958ac0daa005898de
    SHA512
    1be34dd0c6133589fa0ab7496fc7b5534aa82b4a1eb1150dcfe81aa5f4ca2fd38d9d8e571c1c31c4c260ce0fb836c419690d0fe26bbca82210140deeaf63f97b
  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize
    207B
    MD5
    a72ed7e9e2e64d9063958120dedbbb92
    SHA1
    620fba372a29b6a787f324f8b1019a3ba1b0bb5d
    SHA256
    384f6327f774eae3f8e7f3cff8d5e65edd367638034e3ece48a6199953bb8126
    SHA512
    0203757193dcd54369c355d0743453e01c9d46df7dbefc6160c53ef244c30a7699b40e3dc3d2f156cd778a75eec7069aed890abd7fd7294a56aaebcb5af160d2