Analysis
- max time kernel: 119s
- max time network: 16s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 25/08/2024, 16:51
Static task: static1
Behavioral task: behavioral1
- Sample: c4361213756737fdc082e4de26199740N.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: c4361213756737fdc082e4de26199740N.exe
- Resource: win10v2004-20240802-en
General
- Target: c4361213756737fdc082e4de26199740N.exe
- Size: 2.7MB
- MD5: c4361213756737fdc082e4de26199740
- SHA1: d5a79ae774b716dd8c62081233459ca1a88329b7
- SHA256: ff078ae2ca23c8447695c0d1ebbf2f51da99eb60c132fee5d001653bfd26c6fc
- SHA512: 6e7dbf3680a9096638dc1ab605de8fb58937c8a38da8401f52d2981f65c69f733ffef3387c971d174438806b2299674634fe409bcf8e0f774b9aa3012242679d
- SSDEEP: 49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBJ9w4Sx:+R0pI/IQlUoMPdmpSpJ4
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  PID 2812: adobsys.exe
- Loads dropped DLL (1 IoC)
  PID 2652: c4361213756737fdc082e4de26199740N.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe0D\\adobsys.exe" (process: c4361213756737fdc082e4de26199740N.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintJN\\bodxloc.exe" (process: c4361213756737fdc082e4de26199740N.exe)
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: c4361213756737fdc082e4de26199740N.exe)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: adobsys.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  64 events, alternating between the two processes:
  PID 2652: c4361213756737fdc082e4de26199740N.exe
  PID 2812: adobsys.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  4 identical events: PID 2652 (c4361213756737fdc082e4de26199740N.exe) wrote to memory of PID 2812 (procid_target 30)
Processes
- C:\Users\Admin\AppData\Local\Temp\c4361213756737fdc082e4de26199740N.exe (PID 2652, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c4361213756737fdc082e4de26199740N.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Adobe0D\adobsys.exe (PID 2812, depth 2)
    Command line: C:\Adobe0D\adobsys.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.7MB
  MD5: f557d075962ccacdb412e45a95e4c21a
  SHA1: d3fdc55191473c25860b52f56c83699b7b43f591
  SHA256: 8d2a6f0994204e7a6e31daa36cdeba70d297c41a1bc615502607e9997ae1c775
  SHA512: 753bb6150d6bb176258e3bb3f553f627a5c313e57e937083700275150a0ce9567da1fd3e039d8979811276f3db2481bbe9f6a7430940e12e81764034ed2f9906
- Filesize: 202B
  MD5: 098749b08f6916887ab809ab1ea6b8c5
  SHA1: 17a2c9e72ceb6c7c1f1bc29413b6b8be0f3ae78c
  SHA256: e92c74b4c02de4b4eb3fb12174b0ab7715679c673f99a0e296f457870d434cd1
  SHA512: 280abbee4c071ff1ef7bdb4325d846f2e349019a8e485ce697c955202a5916b9418cbde8c19c7a3851c76d191e54dee89e1c2dbc95887bf70867907924b6b996
- Filesize: 2.7MB
  MD5: 36a483fdeb8130f4a4950a049e158ce7
  SHA1: c70e4f1f80760f16d17a16b7b2c16957c63e111c
  SHA256: b4018f332624b31c9d6482888ccd1fcc4504df5fc6b281355d283f72e7ec964b
  SHA512: a69dc48c3a16d65166bd6373cf296b485310cfcdf6def69797eaf50479ea023e98b9a93d1d6978aaacf5d8b8ea771d66d6659bf8a1f2214e4679e8b8f7b74a85