Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

26d1389553...0N.exe

windows7-x64

7

26d1389553...0N.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    24/08/2024, 04:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    26d13895532e66adf318a94b972becb0N.exe

  • Size

    2.7MB

  • MD5

    26d13895532e66adf318a94b972becb0

  • SHA1

    fd190ece74b2c2e76bfc49d4679b084827c9818c

  • SHA256

    fd440efe98060b44918fd9c0874a1d2105d2f59864c44c9a22e298fcb571b454

  • SHA512

    01a68678ac3180201e38700ea095124c196eb9e539bd8be07123a050ba69b1696e0c0b572bc475ba0695840ba3bb2300688fb1338db5db4d2e598c31c0ede16f

  • SSDEEP

    49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBL9w4Sx:+R0pI/IQlUoMPdmpSpz4

Score
7/10
discoverypersistence

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\26d13895532e66adf318a94b972becb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\26d13895532e66adf318a94b972becb0N.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2996
    • C:\AdobeJQ\devbodsys.exe
      C:\AdobeJQ\devbodsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2168

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\GalaxVN\optixloc.exe
    Filesize

    2.7MB

    MD5

    5923549fb382af423cf269df43296a88

    SHA1

    b739c5951c63fafa9182f7907df470c385fc0b70

    SHA256

    2353d8c671388abaec6d114044ffa9f1a261dfa78b1674018e0044689001c809

    SHA512

    bc1bd24c773b33b134535649a2e6e85f72865f7751e671252a845b3280050dc3a523ed90478c653866bc821eaaaa0dc770e77c158861cb2a986e320aea7bdf4b

    Download Submit

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize

    205B

    MD5

    a9805458e9f56a5abb2b02f0a713a919

    SHA1

    ae9eac23d9ae47a93ce74fc91a22c8c2d47a8591

    SHA256

    51de7c0b72f8c3968c671b6a00e90c7658d7cd7b044d1fd9068dc2b7630b06ac

    SHA512

    1a19cb35939d2ef5bea5dc3566ce3cb4db84640e3317d788f6a3ca47de84a9ee40bd246ba828af62004b3c2bdc4e1d28dd69d5e0909d4c26f0dc516ef077a77e

    Download Submit

  • \AdobeJQ\devbodsys.exe
    Filesize

    2.7MB

    MD5

    e8ab0be4e0d7e19e2c38778bd320ae0d

    SHA1

    25bc1ebc4814539393a726a0aac2d78cfcc33890

    SHA256

    84949074369060d5c05da4d06ea62540518fd54d9a12823f0f5256bc5253597d

    SHA512

    920680b9e510e7405308615f8eb095e8c9b6dd29312062c4c94b653fc3b4930ed87d6e01a60955e09c41280f944f0a750c9938189075c78d390f0444dd7d5dd5

    Download Submit