Analysis
- max time kernel: 150s
- max time network: 18s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 18/10/2024, 02:18
Behavioral tasks
- behavioral1: sample DevManager/173ɫ.url, resource win7-20240903-en
- behavioral2: sample DevManager/173ɫ.url, resource win10v2004-20241007-en
- behavioral3: sample DevManager/DevManager.exe, resource win7-20241010-en
General
- Target: DevManager/DevManager.exe
- Size: 494KB
- MD5: 0109a891c39acb8c0c5285d8e67ccd7e
- SHA1: cb06b1a79aa67752e0c288f04a239bee1811725a
- SHA256: 4c263a080f0b64531ce51df30afe78dac4127195d02fe94ebb768c026eb42d91
- SHA512: c9fb5db57225c49e4cd639c8b5f56f809675ac57bc1f58b65a79e00af5ca4c2c644b5d3ae0810fdc4da619cb39f4792856ed43c55bf22805bcbfb505c53df18c
- SSDEEP: 12288:LjkArEN249AyE/rbaMct4bO2/xTMp6Ijswghf+gbwlaY0Wgr:AFE//Tct4bOsB06IjsdhfHslB0Wgr
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  pid   Process
  1868  devcon.exe
  2872  devcon.exe
- Loads dropped DLL (8 IoCs)
  pid   Process
  2156  cmd.exe
  1868  devcon.exe
  1868  devcon.exe
  1868  devcon.exe
  2156  cmd.exe
  2872  devcon.exe
  2872  devcon.exe
  2872  devcon.exe
- AutoIT Executable (9 IoCs)
  AutoIT scripts compiled to PE executables.
  resource                                                                      yara_rule
  behavioral3/memory/2476-30-0x0000000000400000-0x00000000004B5000-memory.dmp   autoit_exe
  behavioral3/memory/2476-31-0x0000000000400000-0x00000000004B5000-memory.dmp   autoit_exe
  behavioral3/memory/2476-32-0x0000000000400000-0x00000000004B5000-memory.dmp   autoit_exe
  behavioral3/memory/2476-35-0x0000000000400000-0x00000000004B5000-memory.dmp   autoit_exe
  behavioral3/memory/2476-36-0x0000000000400000-0x00000000004B5000-memory.dmp   autoit_exe
  behavioral3/memory/2476-39-0x0000000000400000-0x00000000004B5000-memory.dmp   autoit_exe
  behavioral3/memory/2476-42-0x0000000000400000-0x00000000004B5000-memory.dmp   autoit_exe
  behavioral3/memory/2476-43-0x0000000000400000-0x00000000004B5000-memory.dmp   autoit_exe
  behavioral3/memory/2476-44-0x0000000000400000-0x00000000004B5000-memory.dmp   autoit_exe
- Drops file in System32 directory (2 IoCs)
  description                   ioc                               Process
  File created                  C:\Windows\SysWOW64\devcon.exe    DevManager.exe
  File opened for modification  C:\Windows\SysWOW64\devcon.exe    DevManager.exe
- UPX (yara rule upx, 10 IoCs)
  resource                                                                      yara_rule
  behavioral3/memory/2476-0-0x0000000000400000-0x00000000004B5000-memory.dmp    upx
  behavioral3/memory/2476-30-0x0000000000400000-0x00000000004B5000-memory.dmp   upx
  behavioral3/memory/2476-31-0x0000000000400000-0x00000000004B5000-memory.dmp   upx
  behavioral3/memory/2476-32-0x0000000000400000-0x00000000004B5000-memory.dmp   upx
  behavioral3/memory/2476-35-0x0000000000400000-0x00000000004B5000-memory.dmp   upx
  behavioral3/memory/2476-36-0x0000000000400000-0x00000000004B5000-memory.dmp   upx
  behavioral3/memory/2476-39-0x0000000000400000-0x00000000004B5000-memory.dmp   upx
  behavioral3/memory/2476-42-0x0000000000400000-0x00000000004B5000-memory.dmp   upx
  behavioral3/memory/2476-43-0x0000000000400000-0x00000000004B5000-memory.dmp   upx
  behavioral3/memory/2476-44-0x0000000000400000-0x00000000004B5000-memory.dmp   upx
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                           Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   devcon.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   DevManager.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   devcon.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid   Process
  2476  DevManager.exe
- Suspicious use of FindShellTrayWindow (64 IoCs)
  pid   Process
  2476  DevManager.exe   (the same row is reported 64 times)
- Suspicious use of SendNotifyMessage (64 IoCs)
  pid   Process
  2476  DevManager.exe   (the same row is reported 64 times)
- Suspicious use of WriteProcessMemory (18 IoCs)
  description                        pid   Process         procid_target   occurrences
  PID 2476 wrote to memory of 2156   2476  DevManager.exe  30              4
  PID 2156 wrote to memory of 1868   2156  cmd.exe         32              7
  PID 2156 wrote to memory of 2872   2156  cmd.exe         33              7
Processes
- C:\Users\Admin\AppData\Local\Temp\DevManager\DevManager.exe (depth 1, PID 2476)
  command line: "C:\Users\Admin\AppData\Local\Temp\DevManager\DevManager.exe"
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (depth 2, PID 2156)
    command line: C:\Windows\system32\cmd.exe /c call C:\Windows\temp\Device.bat
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\devcon.exe (depth 3, PID 1868)
      command line: devcon status pci\cc_0300
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\devcon.exe (depth 3, PID 2872)
      command line: devcon status pci\ven_10ec
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads