Analysis

  • max time kernel
    119s
  • max time network
    107s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20/08/2024, 18:30

General

  • Target

    6058ce6c1477c1d907a1f92788c0a020N.exe

  • Size

    4.1MB

  • MD5

    6058ce6c1477c1d907a1f92788c0a020

  • SHA1

    d4f6bf17cbe98ce4055f1a8adda914c2de4fd317

  • SHA256

    96eb97dae45a557ab485a9544134bc88428f970ac68c81061ba5d6452b15e6dd

  • SHA512

    7285e3f7c6a9ee68ff23404c1a01bb03c5c7d354dff57fcd1d78493056076e12bfde492a814490cef5813ed245a9491ecc432a8a4e63a02aa30ee9426adf70a7

  • SSDEEP

    98304:+R0pI/IQlUoMPdmpSpN4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmi5n9klRKN41v

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6058ce6c1477c1d907a1f92788c0a020N.exe
    "C:\Users\Admin\AppData\Local\Temp\6058ce6c1477c1d907a1f92788c0a020N.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4752
    • C:\UserDotAV\devbodsys.exe
      C:\UserDotAV\devbodsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4104

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\MintX1\dobaloc.exe

    Filesize

    4.1MB

    MD5

    b5994e96ad10209fea65ba41e91c8832

    SHA1

    738804faf78d51f659108ed3f95e89783a4f1905

    SHA256

    e74869080873c30ed415b99855916efae7d1c3e243b78e1b96b50817585bdf13

    SHA512

    02a58909008f7a2fd6e8224c98b3e070f28894ad409e1442dc772a2483c723c20a5b92b60b99300a88a5ec06dad4fc5f052ca1769ae2ffa7cc7ef97e619f5cbe

  • C:\UserDotAV\devbodsys.exe

    Filesize

    4.1MB

    MD5

    a1100419e9cac4c554062da9ba70d3f9

    SHA1

    fe43e0507af00b8f7437731f8c9974c9bba7b447

    SHA256

    74a0f1160485298e0538aaf0cfb3b94c0c543c45f86865eca9b11a9e9d193a06

    SHA512

    7c4d7a0114a3470be5cbf33ed33d4bf4baefb8626ee14edc089ed207b64ece621d0bf7a6ba84a6ebd33686765f119cca70217b46cf5c846daef6270d550e1de7

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    204B

    MD5

    3d6db926dd6e0a94b0078365dbadbf09

    SHA1

    4e64ce647cadbe2adccdf8dba6bbd5d89ea0c34b

    SHA256

    ad4bfdf72265c7c50a46b5a172c2d07c99ceb5027df2a9037e436820ba58a808

    SHA512

    eb1662382eb7ea5116f303e9426b23ac716ea0019c8f744fc1ef09084dda03d78347b75d5306113f9fb9d991aecc796e614bfe539a1625a31e449a93975f5df8