Analysis

max time kernel: 119s
max time network: 119s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 20/08/2024, 01:41
Static task: static1

Behavioral task: behavioral1
Sample: f009fa4fbf36760aeb5a8ca0d3b21910N.exe
Resource: win7-20240704-en

Behavioral task: behavioral2
Sample: f009fa4fbf36760aeb5a8ca0d3b21910N.exe
Resource: win10v2004-20240802-en

The behavior recorded below comes from the windows7_x64 task (behavioral1, win7-20240704-en).
General

Target: f009fa4fbf36760aeb5a8ca0d3b21910N.exe
Size: 2.7MB
MD5: f009fa4fbf36760aeb5a8ca0d3b21910
SHA1: 09bdc6a1e3ab136737f74456199caa692033b568
SHA256: 887a8dec2685426b2bc0fe1364671cb9c0e4a76981ba9e5d61835fb4ca90593b
SHA512: 93c3d27214feb5af490c126771467e85b15eefb5e5fe887050218e70af60d6445017d40a2443cfaf0c695f6260b0f2ecd25d758a39de609b4cf67b613cbf571f
SSDEEP: 49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBi9w4Sx:+R0pI/IQlUoMPdmpSpc4
Signatures
Executes dropped EXE (1 IoC)
  PID 2856  xbodsys.exe

Loads dropped DLL (1 IoC)
  PID 2516  f009fa4fbf36760aeb5a8ca0d3b21910N.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str)  \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot1E\\xbodsys.exe"  written by f009fa4fbf36760aeb5a8ca0d3b21910N.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZQR\\dobaloc.exe"  written by f009fa4fbf36760aeb5a8ca0d3b21910N.exe
  Both values sit in the analysis user's hive (HKCU for that SID), so the persistence needs no elevation, and both reuse the value name Parametr. Only xbodsys.exe (the Run entry) was observed executing in this 119s run; dobaloc.exe is queued under RunOnce and would start at the next logon of that user, which the sandbox run never reaches.

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by f009fa4fbf36760aeb5a8ca0d3b21910N.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by xbodsys.exe
  Legitimate software and runtime libraries open this key too, so on its own it is a weak indicator; the report does not show whether the result changed the sample's behavior.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  64 process-enumeration events, split between PID 2516 (f009fa4fbf36760aeb5a8ca0d3b21910N.exe) and PID 2856 (xbodsys.exe), which alternate for the length of the run, i.e. both processes poll the process list repeatedly.

Suspicious use of WriteProcessMemory (4 IoCs)
  PID 2516 (f009fa4fbf36760aeb5a8ca0d3b21910N.exe) wrote to the memory of PID 2856 (xbodsys.exe) four times (procid_target 30).
  All four writes target the child the sample had just started, not a pre-existing process. A parent writing into its own freshly created child is also what ordinary CreateProcess-based launching produces, so without a write into an unrelated process or a follow-on remote thread this is weak evidence of injection.
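To turn the two registry IoCs above into something a responder can check, the following is an added Python example, not part of the Triage report or its tooling. It parses Triage-style "Set value" IoC lines (embedded here verbatim from this report), normalizes the NT-native \REGISTRY\ paths to HKLM/HKU, identifies Run/RunOnce autorun writes, and flags targets that live in a non-standard directory directly under the drive root such as C:\UserDot1E or C:\LabZQR. All function names and the TRUSTED_ROOTS heuristic are this example's own assumptions.

```python
"""Parse Triage 'Set value' registry IoCs and flag autorun persistence.

Added example, not part of the report; names and heuristics are our own.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed input: the two "Adds Run key" IoC lines from this report, verbatim.
# Triage escapes backslashes inside the quoted value data ("C:\\UserDot1E\\...").
REPORT_IOCS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000'
    r'\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot1E\\xbodsys.exe" '
    r'f009fa4fbf36760aeb5a8ca0d3b21910N.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000'
    r'\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZQR\\dobaloc.exe" '
    r'f009fa4fbf36760aeb5a8ca0d3b21910N.exe',
]

# Line shape: Set value (<type>) <key>\<name> = "<data>" <writing process>
IOC_RE = re.compile(
    r'^Set value \((?P<vtype>\w+)\) '
    r'(?P<key>\\REGISTRY\\.+?)\\(?P<name>[^\\ ]+) = '
    r'"(?P<data>.*)" (?P<writer>\S+)$'
)
# First Windows executable path in the value data, with or without surrounding quotes.
EXE_RE = re.compile(r'^"?(?P<path>[A-Za-z]:\\.+?\.exe)\b', re.IGNORECASE)

HIVE_MAP = {r'\REGISTRY\MACHINE': 'HKLM', r'\REGISTRY\USER': 'HKU'}
AUTORUN_SUFFIXES = (r'\currentversion\run', r'\currentversion\runonce', r'\currentversion\runonceex')
# Assumption of this example: these are the only root-level directories a legitimate
# install uses, so any other directory directly under the drive root is unusual.
# Per-user drops under C:\Users\...\AppData are deliberately not flagged by this check.
TRUSTED_ROOTS = ('windows', 'program files', 'program files (x86)', 'programdata', 'users')


@dataclass
class AutorunEntry:
    key: str               # normalized key, e.g. HKU\<SID>\...\CurrentVersion\Run
    value_name: str        # Parametr
    value_type: str        # str
    data: str              # value data with Triage's escaping undone
    target: Optional[str]  # executable path extracted from the data
    writer: str            # process that wrote the value
    kind: Optional[str]    # 'Run', 'RunOnce', ... or None when not an autorun key
    unusual_location: bool


def normalize_key(nt_path: str) -> str:
    """Rewrite an NT-native key path (\\REGISTRY\\USER\\...) to the HKLM/HKU form tooling uses."""
    for prefix, hive in HIVE_MAP.items():
        if nt_path.upper().startswith(prefix.upper()):
            return hive + nt_path[len(prefix):]
    return nt_path


def autorun_kind(key: str) -> Optional[str]:
    """Return the autorun subkey name ('Run', 'RunOnce', ...) for CurrentVersion autorun keys."""
    low = key.lower()
    if any(low.endswith(s) for s in AUTORUN_SUFFIXES):
        return key.rsplit('\\', 1)[-1]
    return None


def unescape(data: str) -> str:
    """Collapse Triage's doubled backslashes back to single path separators."""
    return data.replace('\\\\', '\\')


def target_path(data: str) -> Optional[str]:
    m = EXE_RE.match(unescape(data))
    return m.group('path') if m else None


def is_unusual_location(path: str) -> bool:
    """True when the executable sits in a non-standard directory directly under the drive root."""
    parts = path.split('\\')
    if len(parts) < 3 or not re.fullmatch(r'[A-Za-z]:', parts[0]):
        return True  # relative or malformed path: treat as unusual rather than trusted
    return parts[1].lower() not in TRUSTED_ROOTS


def parse_ioc(line: str) -> Optional[AutorunEntry]:
    """Parse one 'Set value' IoC line; other IoC kinds (Key opened, ...) return None."""
    m = IOC_RE.match(line)
    if not m:
        return None
    key = normalize_key(m.group('key'))
    tgt = target_path(m.group('data'))
    return AutorunEntry(
        key=key, value_name=m.group('name'), value_type=m.group('vtype'),
        data=unescape(m.group('data')), target=tgt, writer=m.group('writer'),
        kind=autorun_kind(key),
        unusual_location=tgt is not None and is_unusual_location(tgt),
    )


def parse_report(lines: List[str]) -> List[AutorunEntry]:
    return [e for e in map(parse_ioc, lines) if e is not None]


def flagged(entries: List[AutorunEntry]) -> List[AutorunEntry]:
    """Autorun writes whose target lives where a legitimate installer would not put it."""
    return [e for e in entries if e.kind and e.unusual_location]


if __name__ == '__main__':
    for e in flagged(parse_report(REPORT_IOCS)):
        print(f"{e.kind:<8} {e.key}\\{e.value_name} -> {e.target}  (written by {e.writer})")
```

Run against this report both entries are flagged: the Run value pointing at C:\UserDot1E\xbodsys.exe and the RunOnce value pointing at C:\LabZQR\dobaloc.exe. The same parser can be pointed at a host's exported HKCU Run/RunOnce values to confirm or rule out the persistence, since the normalized HKU\<SID>\... key and the value name Parametr are exactly what a registry export shows.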
Processes

1. C:\Users\Admin\AppData\Local\Temp\f009fa4fbf36760aeb5a8ca0d3b21910N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\f009fa4fbf36760aeb5a8ca0d3b21910N.exe"
   PID: 2516
   - Loads dropped DLL
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. C:\UserDot1E\xbodsys.exe (child of PID 2516)
      Command line: C:\UserDot1E\xbodsys.exe
      PID: 2856
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
Network
  No entries.

MITRE ATT&CK Enterprise v15
  Adds Run key to start application: T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder), T1112 (Modify Registry)
  System Location Discovery: T1614.001 (System Location Discovery: System Language Discovery)
Downloads

The report does not name these files here. Note that the two 2.7MB files are the same size as the submitted sample but carry different hashes, so the dropped copies are not byte-identical to the original.

  Filesize: 2.7MB
  MD5: fbd767d414062358b6ccd5d92567abe9
  SHA1: 07ef170541bda0e9001d3948dd0501c4d2bea98f
  SHA256: de8e24cf37f64c4b7dfdf2d45ade766193db2e682ea56c829e8dfd2db6efa114
  SHA512: 608ff83c4ccbd15e79594426aa7cf841ea73d550e0b9f1b318be05c7bf673f231249e73ed899b6572d6e5c9f47cbc23226a4615ec197bc63c10d542e4478b543

  Filesize: 201B
  MD5: d4a303df285cd5bb250cce245105207b
  SHA1: 26b6efc2e6a17e5e5805928f0aca94e664ece299
  SHA256: ee8610a33ae9179be1f3ed65e7681550b5b18f967934d37ca02188c2a5578fea
  SHA512: c2645a28c7f2e778f1b99c1fcd7cd59f1c7f64dad6ea4fd0c6cbb88417957675fbefec067c0b13045195d395d05ec2e18941f8c761690985386873727a470747

  Filesize: 2.7MB
  MD5: d1ee36b4dc48532766bfc507b24b3feb
  SHA1: 6e3dc2865aef4c77fe64ce99306da9ddde9788dd
  SHA256: 9aebeaf304569667c5dc6433e204faceef84ba016f6f092565987d483fe18e70
  SHA512: 4cb751ecd954fa6b14bce2e7aa1aec88f495bc891337745ed9113a9c8723caffc25ef0a3bcac6e8ca6984c26e7549b49f5294a3845a82ba858577d13fac13de3