Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 119s
max time network: 17s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 19/08/2024, 17:37
Static task: static1
Behavioral task: behavioral1
  Sample: 48659fa38f659570647db84a9e90e600N.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: 48659fa38f659570647db84a9e90e600N.exe
  Resource: win10v2004-20240802-en
General
Target: 48659fa38f659570647db84a9e90e600N.exe
Size: 2.7MB
MD5: 48659fa38f659570647db84a9e90e600
SHA1: 611d6f1dc7321edeb5270b6f00496a47e0f680e1
SHA256: 4371806585704c25df9e64848b614d7b649266c88d2557388e9b052dc1e10ecf
SHA512: 1b073f2d8a33fb06bb31cbfba1a16e781514f406ca216fbf204248e20d1fbba270f9c9157fecd31f623a3ca3f77df23e99028c3ee35064467abfb182ec597685
SSDEEP: 49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBL9w4Sx:+R0pI/IQlUoMPdmpSpf4
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  PID 2992: xbodloc.exe
Loads dropped DLL (1 IoC)
  PID 2116: 48659fa38f659570647db84a9e90e600N.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvVF\\xbodloc.exe"  (process: 48659fa38f659570647db84a9e90e600N.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintLH\\dobasys.exe"  (process: 48659fa38f659570647db84a9e90e600N.exe)
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: 48659fa38f659570647db84a9e90e600N.exe)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: xbodloc.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid Process 2116 48659fa38f659570647db84a9e90e600N.exe 2116 48659fa38f659570647db84a9e90e600N.exe 2992 xbodloc.exe 2116 48659fa38f659570647db84a9e90e600N.exe 2992 xbodloc.exe 2116 48659fa38f659570647db84a9e90e600N.exe 2992 xbodloc.exe 2116 48659fa38f659570647db84a9e90e600N.exe 2992 xbodloc.exe 2116 48659fa38f659570647db84a9e90e600N.exe 2992 xbodloc.exe 2116 48659fa38f659570647db84a9e90e600N.exe 2992 xbodloc.exe 2116 48659fa38f659570647db84a9e90e600N.exe 2992 xbodloc.exe 2116 48659fa38f659570647db84a9e90e600N.exe 2992 xbodloc.exe 2116 48659fa38f659570647db84a9e90e600N.exe 2992 xbodloc.exe 2116 48659fa38f659570647db84a9e90e600N.exe 2992 xbodloc.exe 2116 48659fa38f659570647db84a9e90e600N.exe 2992 xbodloc.exe 2116 48659fa38f659570647db84a9e90e600N.exe 2992 xbodloc.exe 2116 48659fa38f659570647db84a9e90e600N.exe 2992 xbodloc.exe 2116 48659fa38f659570647db84a9e90e600N.exe 2992 xbodloc.exe 2116 48659fa38f659570647db84a9e90e600N.exe 2992 xbodloc.exe 2116 48659fa38f659570647db84a9e90e600N.exe 2992 xbodloc.exe 2116 48659fa38f659570647db84a9e90e600N.exe 2992 xbodloc.exe 2116 48659fa38f659570647db84a9e90e600N.exe 2992 xbodloc.exe 2116 48659fa38f659570647db84a9e90e600N.exe 2992 xbodloc.exe 2116 48659fa38f659570647db84a9e90e600N.exe 2992 xbodloc.exe 2116 48659fa38f659570647db84a9e90e600N.exe 2992 xbodloc.exe 2116 48659fa38f659570647db84a9e90e600N.exe 2992 xbodloc.exe 2116 48659fa38f659570647db84a9e90e600N.exe 2992 xbodloc.exe 2116 48659fa38f659570647db84a9e90e600N.exe 2992 xbodloc.exe 2116 48659fa38f659570647db84a9e90e600N.exe 2992 xbodloc.exe 2116 48659fa38f659570647db84a9e90e600N.exe 2992 xbodloc.exe 2116 48659fa38f659570647db84a9e90e600N.exe 2992 xbodloc.exe 2116 48659fa38f659570647db84a9e90e600N.exe 2992 xbodloc.exe 2116 48659fa38f659570647db84a9e90e600N.exe 2992 xbodloc.exe 2116 48659fa38f659570647db84a9e90e600N.exe 2992 xbodloc.exe 2116 48659fa38f659570647db84a9e90e600N.exe 2992 xbodloc.exe 2116 48659fa38f659570647db84a9e90e600N.exe -
Suspicious use of WriteProcessMemory (4 IoCs)
  PID 2116 wrote to memory of 2992  (process: 48659fa38f659570647db84a9e90e600N.exe, target procid: 29)
  PID 2116 wrote to memory of 2992  (process: 48659fa38f659570647db84a9e90e600N.exe, target procid: 29)
  PID 2116 wrote to memory of 2992  (process: 48659fa38f659570647db84a9e90e600N.exe, target procid: 29)
  PID 2116 wrote to memory of 2992  (process: 48659fa38f659570647db84a9e90e600N.exe, target procid: 29)
Processes
1. C:\Users\Admin\AppData\Local\Temp\48659fa38f659570647db84a9e90e600N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\48659fa38f659570647db84a9e90e600N.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   PID: 2116
   2. C:\SysDrvVF\xbodloc.exe
      Command line: C:\SysDrvVF\xbodloc.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      PID: 2992
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.7MB
  MD5: 20ef143759d97ab3f43f380bd3a0568d
  SHA1: 99fbf4445eaa82b754a655a5035217ea4ad082a9
  SHA256: cbe37cfd55881c07cb41f1eb8448f463c22b4faa851c0da4a3f0937549c2edbd
  SHA512: 8faea74c0cf71e19b60d87bf7edec5ec0c36fbfeacf3fbc73f13c9e32f89976c2a089b5cba5ad374656e78319b9d14a29fda986c26ffb600d8652b25f209ae54
- Filesize: 202B
  MD5: 0367423623b2bb92b99fe5f4d5bde38b
  SHA1: 308dc63bef11962654a3903bc9b94ef5382ce1a6
  SHA256: 4c1ee03db012d05f1bffd3c99198a8c8c44866bba392298e12eb2bf77fb6d22f
  SHA512: 0949c4d864c76dc0811a3a4a3dc1a7df4f3d031d7fb746a1294d3ad14a766851063d8f9c7225d08b73c283d9bf4f0e51999834b1fd7d02053db034096dee6905
- Filesize: 2.7MB
  MD5: ed9d7f1fc0378e26a4813420fc51519a
  SHA1: b8b9274ef29a53ffb3e563e473f4243156a2c3f6
  SHA256: 2ab361a851d6bd104ccea99e26625a84836cdb7795a392e60bc700d23dd62c12
  SHA512: 9252875ef18da7008824019138b07abf7788b18a3b76ea25f5be46679c15de6f578a56bfe941389b1067f055b07892aedab3e1ec572ee1ce9a79b1c468527048