Analysis
max time kernel: 119s
max time network: 107s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/08/2024, 18:30
Static task: static1

Behavioral task: behavioral1
Sample: 6058ce6c1477c1d907a1f92788c0a020N.exe
Resource: win7-20240708-en

Behavioral task: behavioral2
Sample: 6058ce6c1477c1d907a1f92788c0a020N.exe
Resource: win10v2004-20240802-en
General
Target: 6058ce6c1477c1d907a1f92788c0a020N.exe
Size: 4.1MB
MD5: 6058ce6c1477c1d907a1f92788c0a020
SHA1: d4f6bf17cbe98ce4055f1a8adda914c2de4fd317
SHA256: 96eb97dae45a557ab485a9544134bc88428f970ac68c81061ba5d6452b15e6dd
SHA512: 7285e3f7c6a9ee68ff23404c1a01bb03c5c7d354dff57fcd1d78493056076e12bfde492a814490cef5813ed245a9491ecc432a8a4e63a02aa30ee9426adf70a7
SSDEEP: 98304:+R0pI/IQlUoMPdmpSpN4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmi5n9klRKN41v
Malware Config
Signatures
Executes dropped EXE (1 IoC)
pid | Process
4104 | devbodsys.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotAV\\devbodsys.exe" | 6058ce6c1477c1d907a1f92788c0a020N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintX1\\dobaloc.exe" | 6058ce6c1477c1d907a1f92788c0a020N.exe
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 6058ce6c1477c1d907a1f92788c0a020N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | devbodsys.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 4752 wrote to memory of 4104 | 4752 | 6058ce6c1477c1d907a1f92788c0a020N.exe | 88
PID 4752 wrote to memory of 4104 | 4752 | 6058ce6c1477c1d907a1f92788c0a020N.exe | 88
PID 4752 wrote to memory of 4104 | 4752 | 6058ce6c1477c1d907a1f92788c0a020N.exe | 88
Processes

1. C:\Users\Admin\AppData\Local\Temp\6058ce6c1477c1d907a1f92788c0a020N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\6058ce6c1477c1d907a1f92788c0a020N.exe"
   PID: 4752
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. C:\UserDotAV\devbodsys.exe (depth 2, spawned under the process above)
      Command line: C:\UserDotAV\devbodsys.exe
      PID: 4104
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 4.1MB
MD5: b5994e96ad10209fea65ba41e91c8832
SHA1: 738804faf78d51f659108ed3f95e89783a4f1905
SHA256: e74869080873c30ed415b99855916efae7d1c3e243b78e1b96b50817585bdf13
SHA512: 02a58909008f7a2fd6e8224c98b3e070f28894ad409e1442dc772a2483c723c20a5b92b60b99300a88a5ec06dad4fc5f052ca1769ae2ffa7cc7ef97e619f5cbe

Filesize: 4.1MB
MD5: a1100419e9cac4c554062da9ba70d3f9
SHA1: fe43e0507af00b8f7437731f8c9974c9bba7b447
SHA256: 74a0f1160485298e0538aaf0cfb3b94c0c543c45f86865eca9b11a9e9d193a06
SHA512: 7c4d7a0114a3470be5cbf33ed33d4bf4baefb8626ee14edc089ed207b64ece621d0bf7a6ba84a6ebd33686765f119cca70217b46cf5c846daef6270d550e1de7

Filesize: 204B
MD5: 3d6db926dd6e0a94b0078365dbadbf09
SHA1: 4e64ce647cadbe2adccdf8dba6bbd5d89ea0c34b
SHA256: ad4bfdf72265c7c50a46b5a172c2d07c99ceb5027df2a9037e436820ba58a808
SHA512: eb1662382eb7ea5116f303e9426b23ac716ea0019c8f744fc1ef09084dda03d78347b75d5306113f9fb9d991aecc796e614bfe539a1625a31e449a93975f5df8