Analysis
- max time kernel: 119s
- max time network: 85s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24/08/2024, 21:57
Static task
- static1
Behavioral task
- behavioral1: Sample 35e70875e812ac8383c01c66741805e0N.exe, Resource win7-20240705-en
- behavioral2: Sample 35e70875e812ac8383c01c66741805e0N.exe, Resource win10v2004-20240802-en
General
- Target: 35e70875e812ac8383c01c66741805e0N.exe
- Size: 2.7MB
- MD5: 35e70875e812ac8383c01c66741805e0
- SHA1: a2ef611c57ce7e7ac29dc652d01225cf69734033
- SHA256: f853651eef774acb0e4ad3104cc1aedd2630c1b17388cd0496b5f97831d0fd9b
- SHA512: 606904076e4d70f26f2d24819575083857fd2ab6998a2a90eb2564afd700998d03e0d0a6afad116ead63f702599ff3ab876bbeee730125cd1d27e13a118a4711
- SSDEEP: 49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBA9w4Sx:+R0pI/IQlUoMPdmpSpO4
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid | Process
  4728 | xbodsys.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB4V\\boddevec.exe" | 35e70875e812ac8383c01c66741805e0N.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocRH\\xbodsys.exe" | 35e70875e812ac8383c01c66741805e0N.exe
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 35e70875e812ac8383c01c66741805e0N.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xbodsys.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  3376 | 35e70875e812ac8383c01c66741805e0N.exe
  4728 | xbodsys.exe
  (64 entries in total, alternating in pairs between the two processes above)
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 3376 wrote to memory of 4728 | 3376 | 35e70875e812ac8383c01c66741805e0N.exe | 88
  PID 3376 wrote to memory of 4728 | 3376 | 35e70875e812ac8383c01c66741805e0N.exe | 88
  PID 3376 wrote to memory of 4728 | 3376 | 35e70875e812ac8383c01c66741805e0N.exe | 88
Processes
- C:\Users\Admin\AppData\Local\Temp\35e70875e812ac8383c01c66741805e0N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\35e70875e812ac8383c01c66741805e0N.exe"
  PID: 3376
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\IntelprocRH\xbodsys.exe (child of PID 3376)
    Command line: C:\IntelprocRH\xbodsys.exe
    PID: 4728
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.7MB
  MD5: 5fbd065240e0e1e082358a34c4b24fe2
  SHA1: 2f424f019c23a4ea9e1428363ef7be5fd060658f
  SHA256: 8113e793b24829f6772042c9daecfde979bb6ca4d1f787c888a500a2b6b7537f
  SHA512: b57ad76f5ef575e535ee61d8358f318db331495e1ba9ecd7fdb1403ce9f378cdeb12774edaf4912992315553f301d377e535a3468880c7479dd5ef50f28fccc0
- Filesize: 8KB
  MD5: 18f9e5889b79178d8757b18c8d1b67d3
  SHA1: e70ee94d53ceba1eacdea91d5af71a2203f08ea9
  SHA256: 187f66f9d8a67e69a32c5d0631666f1a7594d1207f37d94d421023d225ed6c14
  SHA512: b64bd79cae188097cc91a99887efef58804ba8948745a6bba8e365bf023d7c107be2433b4b8f12720994b00e45c51902ddb1a9042db65adc85c64fea360b76f2
- Filesize: 205B
  MD5: 760996b8658a714215bdc00cab1fa354
  SHA1: 59108c59a5e49de3f0f8ee15746a5ee45af6a767
  SHA256: 9efd876f56412ca7d33963eee6a514c0cc60d5c845e39850d1173fe2ea28bc20
  SHA512: 359a14fd1cf497f14a09abb9e5a596a6e741e1a821a1cad1d74f6efd4658d231b6428076ea538a90b82da5901f24894074ea499897d711b5c87b53b7e7f0561b