Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    119s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    19/08/2024, 17:37

General

  • Target

    48659fa38f659570647db84a9e90e600N.exe

  • Size

    2.7MB

  • MD5

    48659fa38f659570647db84a9e90e600

  • SHA1

    611d6f1dc7321edeb5270b6f00496a47e0f680e1

  • SHA256

    4371806585704c25df9e64848b614d7b649266c88d2557388e9b052dc1e10ecf

  • SHA512

    1b073f2d8a33fb06bb31cbfba1a16e781514f406ca216fbf204248e20d1fbba270f9c9157fecd31f623a3ca3f77df23e99028c3ee35064467abfb182ec597685

  • SSDEEP

    49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBL9w4Sx:+R0pI/IQlUoMPdmpSpf4

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\48659fa38f659570647db84a9e90e600N.exe
    "C:\Users\Admin\AppData\Local\Temp\48659fa38f659570647db84a9e90e600N.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2116
    • C:\SysDrvVF\xbodloc.exe
      C:\SysDrvVF\xbodloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2992

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\MintLH\dobasys.exe

    Filesize

    2.7MB

    MD5

    20ef143759d97ab3f43f380bd3a0568d

    SHA1

    99fbf4445eaa82b754a655a5035217ea4ad082a9

    SHA256

    cbe37cfd55881c07cb41f1eb8448f463c22b4faa851c0da4a3f0937549c2edbd

    SHA512

    8faea74c0cf71e19b60d87bf7edec5ec0c36fbfeacf3fbc73f13c9e32f89976c2a089b5cba5ad374656e78319b9d14a29fda986c26ffb600d8652b25f209ae54

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    202B

    MD5

    0367423623b2bb92b99fe5f4d5bde38b

    SHA1

    308dc63bef11962654a3903bc9b94ef5382ce1a6

    SHA256

    4c1ee03db012d05f1bffd3c99198a8c8c44866bba392298e12eb2bf77fb6d22f

    SHA512

    0949c4d864c76dc0811a3a4a3dc1a7df4f3d031d7fb746a1294d3ad14a766851063d8f9c7225d08b73c283d9bf4f0e51999834b1fd7d02053db034096dee6905

  • \SysDrvVF\xbodloc.exe

    Filesize

    2.7MB

    MD5

    ed9d7f1fc0378e26a4813420fc51519a

    SHA1

    b8b9274ef29a53ffb3e563e473f4243156a2c3f6

    SHA256

    2ab361a851d6bd104ccea99e26625a84836cdb7795a392e60bc700d23dd62c12

    SHA512

    9252875ef18da7008824019138b07abf7788b18a3b76ea25f5be46679c15de6f578a56bfe941389b1067f055b07892aedab3e1ec572ee1ce9a79b1c468527048