Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

f009fa4fbf...0N.exe

windows7-x64

7

f009fa4fbf...0N.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    119s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    20/08/2024, 01:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f009fa4fbf36760aeb5a8ca0d3b21910N.exe

  • Size

    2.7MB

  • MD5

    f009fa4fbf36760aeb5a8ca0d3b21910

  • SHA1

    09bdc6a1e3ab136737f74456199caa692033b568

  • SHA256

    887a8dec2685426b2bc0fe1364671cb9c0e4a76981ba9e5d61835fb4ca90593b

  • SHA512

    93c3d27214feb5af490c126771467e85b15eefb5e5fe887050218e70af60d6445017d40a2443cfaf0c695f6260b0f2ecd25d758a39de609b4cf67b613cbf571f

  • SSDEEP

    49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBi9w4Sx:+R0pI/IQlUoMPdmpSpc4

Score
7/10
discoverypersistence

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f009fa4fbf36760aeb5a8ca0d3b21910N.exe
    "C:\Users\Admin\AppData\Local\Temp\f009fa4fbf36760aeb5a8ca0d3b21910N.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2516
    • C:\UserDot1E\xbodsys.exe
      C:\UserDot1E\xbodsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2856

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\LabZQR\dobaloc.exe
    Filesize

    2.7MB

    MD5

    fbd767d414062358b6ccd5d92567abe9

    SHA1

    07ef170541bda0e9001d3948dd0501c4d2bea98f

    SHA256

    de8e24cf37f64c4b7dfdf2d45ade766193db2e682ea56c829e8dfd2db6efa114

    SHA512

    608ff83c4ccbd15e79594426aa7cf841ea73d550e0b9f1b318be05c7bf673f231249e73ed899b6572d6e5c9f47cbc23226a4615ec197bc63c10d542e4478b543

    Download Submit

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize

    201B

    MD5

    d4a303df285cd5bb250cce245105207b

    SHA1

    26b6efc2e6a17e5e5805928f0aca94e664ece299

    SHA256

    ee8610a33ae9179be1f3ed65e7681550b5b18f967934d37ca02188c2a5578fea

    SHA512

    c2645a28c7f2e778f1b99c1fcd7cd59f1c7f64dad6ea4fd0c6cbb88417957675fbefec067c0b13045195d395d05ec2e18941f8c761690985386873727a470747

    Download Submit

  • \UserDot1E\xbodsys.exe
    Filesize

    2.7MB

    MD5

    d1ee36b4dc48532766bfc507b24b3feb

    SHA1

    6e3dc2865aef4c77fe64ce99306da9ddde9788dd

    SHA256

    9aebeaf304569667c5dc6433e204faceef84ba016f6f092565987d483fe18e70

    SHA512

    4cb751ecd954fa6b14bce2e7aa1aec88f495bc891337745ed9113a9c8723caffc25ef0a3bcac6e8ca6984c26e7549b49f5294a3845a82ba858577d13fac13de3

    Download Submit