Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 149s
max time network: 123s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 13/09/2024, 23:57
Static task: static1
Behavioral task: behavioral1
  Sample: 91bc4695e45265b9481b4e3e59891277d1f729bad890b564e42ef200880ec70c.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 91bc4695e45265b9481b4e3e59891277d1f729bad890b564e42ef200880ec70c.exe
  Resource: win10v2004-20240802-en
General
Target: 91bc4695e45265b9481b4e3e59891277d1f729bad890b564e42ef200880ec70c.exe
Size: 2.7MB
MD5: 61c61c69d7d9d00b26b15fc2021b0139
SHA1: e7a4f6532926cae92cd01d1d7da27c6e9c9420ba
SHA256: 91bc4695e45265b9481b4e3e59891277d1f729bad890b564e42ef200880ec70c
SHA512: 0ea560630f949603855b1d88c83fb039f4f4b0e5984f1eda728d87f83110e803fdb594c228258da4d82f46979e0a10e481da09ab70fd35954054e22ed310e57e
SSDEEP: 49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBo9w4Sx:+R0pI/IQlUoMPdmpSpe4
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  pid 2080  process devdobsys.exe

Loads dropped DLL (1 IoC)
  pid 752  process 91bc4695e45265b9481b4e3e59891277d1f729bad890b564e42ef200880ec70c.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str)  \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesJA\\devdobsys.exe"  process 91bc4695e45265b9481b4e3e59891277d1f729bad890b564e42ef200880ec70c.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax7G\\dobdevsys.exe"  process 91bc4695e45265b9481b4e3e59891277d1f729bad890b564e42ef200880ec70c.exe
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  process 91bc4695e45265b9481b4e3e59891277d1f729bad890b564e42ef200880ec70c.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  process devdobsys.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of WriteProcessMemory (4 IoCs)
  description                          pid  process                                                                   procid_target
  PID 752 wrote to memory of 2080      752  91bc4695e45265b9481b4e3e59891277d1f729bad890b564e42ef200880ec70c.exe  30
  PID 752 wrote to memory of 2080      752  91bc4695e45265b9481b4e3e59891277d1f729bad890b564e42ef200880ec70c.exe  30
  PID 752 wrote to memory of 2080      752  91bc4695e45265b9481b4e3e59891277d1f729bad890b564e42ef200880ec70c.exe  30
  PID 752 wrote to memory of 2080      752  91bc4695e45265b9481b4e3e59891277d1f729bad890b564e42ef200880ec70c.exe  30
Processes

1. C:\Users\Admin\AppData\Local\Temp\91bc4695e45265b9481b4e3e59891277d1f729bad890b564e42ef200880ec70c.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\91bc4695e45265b9481b4e3e59891277d1f729bad890b564e42ef200880ec70c.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   PID: 752

   2. C:\FilesJA\devdobsys.exe
      Command line: C:\FilesJA\devdobsys.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      PID: 2080
Network
MITRE ATT&CK Enterprise v15
Downloads