Analysis
max time kernel
149s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags
arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted
02/09/2024, 18:21
Static task
static1
Behavioral task
behavioral1
Sample
06dc2ddabdae4c677584a0eaf66d170f72ca1602dfd848c7cad1c9b49b26ea0a.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
06dc2ddabdae4c677584a0eaf66d170f72ca1602dfd848c7cad1c9b49b26ea0a.exe
Resource
win10v2004-20240802-en
General
Target
06dc2ddabdae4c677584a0eaf66d170f72ca1602dfd848c7cad1c9b49b26ea0a.exe
Size
2.7MB
MD5
ae4f41f528127db20287c06d8e6d2110
SHA1
93760a009932117fcfba6ea8d24737b7a84c4bc3
SHA256
06dc2ddabdae4c677584a0eaf66d170f72ca1602dfd848c7cad1c9b49b26ea0a
SHA512
11109850992de51496d92f7dc824605fd19941c3129f4e8d46a17f870720ca5423425eb48689c02418fa4277fda82ea4e1d9a4a7d64e9c97735a5794ad8a7250
SSDEEP
49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBS9w4Sx:+R0pI/IQlUoMPdmpSpg4
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid | Process
1164 | devoptiec.exe
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintER\\bodasys.exe" | 06dc2ddabdae4c677584a0eaf66d170f72ca1602dfd848c7cad1c9b49b26ea0a.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvS3\\devoptiec.exe" | 06dc2ddabdae4c677584a0eaf66d170f72ca1602dfd848c7cad1c9b49b26ea0a.exe
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 06dc2ddabdae4c677584a0eaf66d170f72ca1602dfd848c7cad1c9b49b26ea0a.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | devoptiec.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
3728 | 06dc2ddabdae4c677584a0eaf66d170f72ca1602dfd848c7cad1c9b49b26ea0a.exe
1164 | devoptiec.exe
(All 64 entries come from these two processes, alternating between the sample and the dropped devoptiec.exe; duplicate rows are collapsed here.)
Suspicious use of WriteProcessMemory 3 IoCs
description | pid | Process | procid_target
PID 3728 wrote to memory of 1164 | 3728 | 06dc2ddabdae4c677584a0eaf66d170f72ca1602dfd848c7cad1c9b49b26ea0a.exe | 88
PID 3728 wrote to memory of 1164 | 3728 | 06dc2ddabdae4c677584a0eaf66d170f72ca1602dfd848c7cad1c9b49b26ea0a.exe | 88
PID 3728 wrote to memory of 1164 | 3728 | 06dc2ddabdae4c677584a0eaf66d170f72ca1602dfd848c7cad1c9b49b26ea0a.exe | 88
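The signatures above describe one chain: the sample (PID 3728) writes a Run and a RunOnce value named "Parametr" that point at C:\SysDrvS3\devoptiec.exe and C:\MintER\bodasys.exe, then spawns devoptiec.exe (PID 1164) from the path it just registered. The following is an added detection example written for this page; it is not part of the tria.ge report or of the sample. It runs two rules over a constructed list of Sysmon-style events (field names follow Sysmon EID 13 and EID 1, but the records are invented, and the benign OneDrive and "Updater" rows exist only for contrast). The TRUSTED_ROOTS allow-list is an assumption of the example, not something the report states.

```python
"""Detection logic for the behaviour recorded above: a Run/RunOnce value
named "Parametr" pointing at C:\\SysDrvS3\\devoptiec.exe and
C:\\MintER\\bodasys.exe, followed by the writer (PID 3728) spawning the
registered executable (PID 1164).  Added example, not part of the tria.ge
report or of the sample.  EVENTS is CONSTRUCTED in a Sysmon-like shape
(EID 13 = registry value set, EID 1 = process create) so the rules run
offline; the benign rows are invented for contrast."""
import re
from dataclasses import dataclass

# Indicators copied from the report's "Adds Run key" signature.
REPORT_AUTORUN_VALUE = "Parametr"
REPORT_AUTORUN_TARGETS = {"c:\\sysdrvs3\\devoptiec.exe", "c:\\minter\\bodasys.exe"}

# Assumed policy: autorun targets are expected under these roots; anything
# else (root-level C:\SysDrvS3 or C:\MintER, %APPDATA%, ...) is suspicious
# even when it matches no known indicator.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

AUTORUN_KEY_RE = re.compile(
    r"\\software\\microsoft\\windows\\currentversion\\(run|runonce)\\([^\\]+)$", re.I)
EXE_RE = re.compile(r'"?([a-z]:\\[^"]*?\.exe)"?', re.I)

SAMPLE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
          "06dc2ddabdae4c677584a0eaf66d170f72ca1602dfd848c7cad1c9b49b26ea0a.exe")
HKU_CV = ("HKU\\S-1-5-21-4182098368-2521458979-3782681353-1000\\SOFTWARE\\"
          "Microsoft\\Windows\\CurrentVersion\\")

# Constructed events (not real logs): the first two and the devoptiec.exe
# process create mirror the report; the rest are benign/contrast rows.
EVENTS = [
    {"EventID": 13, "ProcessId": 3728, "Image": SAMPLE,
     "TargetObject": HKU_CV + "RunOnce\\Parametr", "Details": "C:\\MintER\\bodasys.exe"},
    {"EventID": 13, "ProcessId": 3728, "Image": SAMPLE,
     "TargetObject": HKU_CV + "Run\\Parametr", "Details": "C:\\SysDrvS3\\devoptiec.exe"},
    {"EventID": 13, "ProcessId": 4100, "Image": "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe",
     "TargetObject": HKU_CV + "Run\\OneDrive",
     "Details": "\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"},
    {"EventID": 13, "ProcessId": 5000, "Image": "C:\\Users\\Admin\\AppData\\Roaming\\upd.exe",
     "TargetObject": HKU_CV + "Run\\Updater", "Details": "C:\\Users\\Admin\\AppData\\Roaming\\upd.exe"},
    {"EventID": 1, "ProcessId": 1164, "ParentProcessId": 3728, "Image": "C:\\SysDrvS3\\devoptiec.exe"},
    {"EventID": 1, "ProcessId": 2000, "ParentProcessId": 3728, "Image": "C:\\Windows\\System32\\notepad.exe"},
]


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def _norm(path):
    return path.lower().replace("/", "\\")


def _exe_from_value(data):
    """Executable path out of an autorun value; tolerates quoting and arguments."""
    m = EXE_RE.search(data)
    return _norm(m.group(1)) if m else None


def suspicious_autoruns(events):
    """Run/RunOnce writes that reuse the report's indicators, or whose target
    lies outside TRUSTED_ROOTS.  Findings are returned in event order."""
    out = []
    for ev in events:
        if ev["EventID"] != 13:
            continue
        m = AUTORUN_KEY_RE.search(ev["TargetObject"])
        target = _exe_from_value(ev["Details"]) if m else None
        if target is None:
            continue
        key, name = m.group(1), m.group(2)
        where = f"{key}\\{name} -> {target}"
        if target in REPORT_AUTORUN_TARGETS or name == REPORT_AUTORUN_VALUE:
            out.append(Finding("known_ioc_autorun", ev["ProcessId"], where))
        elif not target.startswith(TRUSTED_ROOTS):
            out.append(Finding("untrusted_path_autorun", ev["ProcessId"], where))
    return out


def dropped_autorun_executed(events):
    """Correlation: a process registers an autorun target and then spawns that
    same executable (3728 -> 1164 in the report).  Single pass in event order,
    so the registry write has to precede the process create to be matched."""
    registered = {}  # writer pid -> autorun targets it has written so far
    out = []
    for ev in events:
        if ev["EventID"] == 13:
            for f in suspicious_autoruns([ev]):
                registered.setdefault(f.pid, set()).add(f.detail.rsplit(" -> ", 1)[1])
        elif ev["EventID"] == 1:
            parent, image = ev.get("ParentProcessId"), _norm(ev["Image"])
            if image in registered.get(parent, ()):
                out.append(Finding("autorun_target_spawned_by_writer", ev["ProcessId"],
                                   f"{parent} -> {ev['ProcessId']} {image}"))
    return out


if __name__ == "__main__":
    for f in suspicious_autoruns(EVENTS) + dropped_autorun_executed(EVENTS):
        print(f"[{f.rule}] pid={f.pid} {f.detail}")
```

Run against EVENTS, the first rule raises two known_ioc_autorun findings for PID 3728 and one untrusted_path_autorun finding for the invented %APPDATA% entry while leaving the OneDrive entry alone; the second rule raises a single autorun_target_spawned_by_writer finding for PID 1164, which is the same parent-to-child relationship the WriteProcessMemory signature records (3728 writing into 1164). Real Sysmon data needs the same two event types; the value-name check is specific to this sample, the path check generalises.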
Processes
1. C:\Users\Admin\AppData\Local\Temp\06dc2ddabdae4c677584a0eaf66d170f72ca1602dfd848c7cad1c9b49b26ea0a.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\06dc2ddabdae4c677584a0eaf66d170f72ca1602dfd848c7cad1c9b49b26ea0a.exe"
   PID: 3728
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
2. C:\SysDrvS3\devoptiec.exe (child of 1)
   Command line: C:\SysDrvS3\devoptiec.exe
   PID: 1164
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize 1KB
MD5 3d53883b80eb86095a7f793bd4a1d06d
SHA1 27e81162fab832ac98c4ec1a520f27fb3472cd43
SHA256 07b7af1a43b3e02b3c948dfd70e07a09729b72694a024e727caf54f23e32dc69
SHA512 861a35c12bff65dd3376900612bde5b7b31fe0f92e5ae58b58f3407f201b284f9584f53a131aabffb6df091809e519e44cbf21c4108f9e67de05c54979036ff0

Filesize 2.7MB
MD5 810b5611be65bd3476b20296dffa8418
SHA1 95656c67febada065dc2dbf625328701c20958d4
SHA256 48bffa07869902e7dd7250bd3cbcf21c66a36941317b27eede1998b4a98375da
SHA512 a961c1ab980c9f725b9acab165721516333c937a3263a3f2b96463b7bdbe09aa168f990070f63beb10b51cb01236f46bd2fff2bcdd73847eda7716445b391041

Filesize 204B
MD5 e5afdf7d2a393ad834b843bbfe8782b4
SHA1 7a3c16db3c018de90c8f3dbff7324c51d357ee98
SHA256 43e0390e2f6c9dd1da8fb3b0d2fd1fac607670092ba9d0fc55cf63d4976550fa
SHA512 01291f8e7ab40b33a75a0810b1d9f641273abb38daef15f27552d22a81863d5c19be8affec74968480b99b7f9af9a74f639c7f4148bd77e274c91b457094e95f