Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 119s
- max time network: 19s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64 arch:x86 image:win7-20240704-en locale:en-us os:windows7-x64 system
- submitted: 20/08/2024, 10:03
Static task: static1
Behavioral task: behavioral1
- Sample: af89226bdf1edff747196fe8aab4eef0N.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: af89226bdf1edff747196fe8aab4eef0N.exe
- Resource: win10v2004-20240802-en
General
- Target: af89226bdf1edff747196fe8aab4eef0N.exe
- Size: 2.7MB
- MD5: af89226bdf1edff747196fe8aab4eef0
- SHA1: 5bea1fc061f4a3d6703ebbacc1b2619e0dd8bc77
- SHA256: 3caac343f90a0b15048847dd1a04b09b1d6b9d2b1a57764fe63c4aa433fd5698
- SHA512: 7ca724a17672b7e1403ee0385b08a6cffe0627c21b61fff2d3d53eba36e6f661e8c3cddbe917afe7a702d0f6ab1a6982f4d91c1acaa8b0f26210d49c51149ffb
- SSDEEP: 49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBK9w4Sx:+R0pI/IQlUoMPdmpSpo4
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid / Process: 740 abodec.exe
- Loads dropped DLL (1 IoC)
  pid / Process: 2320 af89226bdf1edff747196fe8aab4eef0N.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintH8\\optidevloc.exe" by af89226bdf1edff747196fe8aab4eef0N.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocUF\\abodec.exe" by af89226bdf1edff747196fe8aab4eef0N.exe
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by af89226bdf1edff747196fe8aab4eef0N.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by abodec.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid / Process: 2320 af89226bdf1edff747196fe8aab4eef0N.exe and 740 abodec.exe (the same two processes, repeated across all 64 events)
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 2320 (af89226bdf1edff747196fe8aab4eef0N.exe) wrote to memory of PID 740, procid_target 30; the same event is recorded 4 times
Processes
- C:\Users\Admin\AppData\Local\Temp\af89226bdf1edff747196fe8aab4eef0N.exe (PID 2320), command line: "C:\Users\Admin\AppData\Local\Temp\af89226bdf1edff747196fe8aab4eef0N.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Child process: C:\IntelprocUF\abodec.exe (PID 740), command line: C:\IntelprocUF\abodec.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.7MB
  MD5: c0235c921b7fb19d45d916d40544e638
  SHA1: efaa162d9e3c2ddfa90c1fc2abf793e6c9bafc71
  SHA256: 211e6b5371782127d9e65d5b79cc21b3db1512fc0b40dea49d6605f243b8445f
  SHA512: 86f0c0a47eda0e0bd4179de200bbf510f965d025ec59c50926863093d1cc06ff0a39a6567f34e6ddad41b0ad7183a078a71bb21718fb238657a0457573036517
- Filesize: 207B
  MD5: 89ff5c388555c7e4f6febeda62822b3d
  SHA1: 489683a07481d40346f09b3ae5acb3f8d95dfcf9
  SHA256: c577543638741796c47cc6aed528f830cfc20e0ff5572725ccfebf8e97088229
  SHA512: e377ee8d5a888e27bb8414acc4ba7ff458a001fbceac54d3fa83f370f6469a0660a8c4d95d76e0cd93fed9b152717723abcbea43995b3f1ae05b7ab60fef9354
- Filesize: 2.7MB
  MD5: 65f7d3574cd0a228b4d78b0cc0c69841
  SHA1: 253a9a144bbfeec3c4bc87b37856332efdf557b4
  SHA256: e4b0957c609865cab63ff1028c0d869844ef3cf6d87dae1e9a193125d2bae466
  SHA512: d1f6ff0c15605ea025865f5d5074d59d6c609966a7772d2f1866ca7ee82e8a1187387648721643a358113ea286f2b3c45ec02777113fa44fddd8d930f024fc47