Analysis
max time kernel: 149s
max time network: 139s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18/10/2024, 02:18
Behavioral task behavioral1
Sample: DevManager/173ɫ.url
Resource: win7-20240903-en
Behavioral task behavioral2
Sample: DevManager/173ɫ.url
Resource: win10v2004-20241007-en
Behavioral task behavioral3
Sample: DevManager/DevManager.exe
Resource: win7-20241010-en
General
Target: DevManager/DevManager.exe
Size: 494KB
MD5: 0109a891c39acb8c0c5285d8e67ccd7e
SHA1: cb06b1a79aa67752e0c288f04a239bee1811725a
SHA256: 4c263a080f0b64531ce51df30afe78dac4127195d02fe94ebb768c026eb42d91
SHA512: c9fb5db57225c49e4cd639c8b5f56f809675ac57bc1f58b65a79e00af5ca4c2c644b5d3ae0810fdc4da619cb39f4792856ed43c55bf22805bcbfb505c53df18c
SSDEEP: 12288:LjkArEN249AyE/rbaMct4bO2/xTMp6Ijswghf+gbwlaY0Wgr:AFE//Tct4bOsB06IjsdhfHslB0Wgr
Malware Config
Signatures
Executes dropped EXE 2 IoCs
pid Process
952 devcon.exe
3132 devcon.exe
AutoIT Executable 10 IoCs
AutoIT scripts compiled to PE executables.
Drops file in System32 directory 2 IoCs
description ioc Process
File created C:\Windows\SysWOW64\devcon.exe DevManager.exe
File opened for modification C:\Windows\SysWOW64\devcon.exe DevManager.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language devcon.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DevManager.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language devcon.exe
Checks SCSI registry key(s) 3 TTPs 12 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process (6 distinct entries, each reported twice)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 devcon.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs devcon.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID devcon.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 devcon.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs devcon.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID devcon.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process
5076 DevManager.exe
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process
5076 DevManager.exe (same entry reported 64 times)
Suspicious use of SendNotifyMessage 64 IoCs
pid Process
5076 DevManager.exe (same entry reported 64 times)
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target (each entry reported 3 times)
PID 5076 wrote to memory of 3424 5076 DevManager.exe 85
PID 3424 wrote to memory of 952 3424 cmd.exe 87
PID 3424 wrote to memory of 3132 3424 cmd.exe 89
Processes
C:\Users\Admin\AppData\Local\Temp\DevManager\DevManager.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\DevManager\DevManager.exe"
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 5076
    C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c call C:\Windows\temp\Device.bat
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 3424
        C:\Windows\SysWOW64\devcon.exe
        Command line: devcon status PCI\CC_0300
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Checks SCSI registry key(s)
        PID: 952
        C:\Windows\SysWOW64\devcon.exe
        Command line: devcon status PCI\VEN_10EC
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Checks SCSI registry key(s)
        PID: 3132
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 145KB
MD5: 60347ff68ccc6e18f49a7179b0f0eb3e
SHA1: 7e0d09107661d3498c2a553c7a92c57aa28129f6
SHA256: e21eecee093b890c82a343931dc40436d5eabc7b2c8e26ebd3295b90fd6a514a
SHA512: 5a970199330a7d0b43f304f587d18c4f73a5679851275a3ed86f09ebb3b4a8eaea7603d0ccf378ae8792cb08e5b795f89ce4942fe3155c794bb2ad22bd40d63a

Filesize: 158B
MD5: ff882d2c9ce3c5ac9a5e070d4404f867
SHA1: 4ec02171be22021d4f05c3179ace48f0787b2b46
SHA256: 14f8ffd83b422bc5c45897cdb96624115df2bbca68d87904e1790988a1e2b879
SHA512: 85b21ea12bf572ed5c16c2c1914a41670a427bc4fc07c310afa1ed6b44bd90cbbcd39305519f64313775a9dba3450d8b30d5f8537a53e8efdae480cabe0becd6

Filesize: 47B
MD5: c87bbee982e66caa23c93bbe1a5aa44d
SHA1: d85278a9cb4c5bb7734e19e1d7e61ba1088b4bb0
SHA256: 014f43154531de91419a602883419ceab568355282b4a51c26b9a6eafa839e54
SHA512: f146cae4842f1b3371fd4473ac5cf1227a18563704b72ab28fc4240e19b7ee808f9e2458ae7ef3b74716781d8621eefcbc7383884c2c08a3ab5ba8d74928cd03

Filesize: 82B
MD5: a528f867d6e9190007b2dc4b8d766400
SHA1: b8a0f6e746f130b973fcfa6025d236313a673ef0
SHA256: 738d86e64213fae8b02ba3b0d37de5ea2bf56e1a3ec5f9804cc22d1624fc68c0
SHA512: 5bb7d83970b157d1c914e4e81d9fff03e5eece158b6c3557957ba11d3613308b982ed03da5ae12c6d618d83726776c65ff8d8e7ef0c9dee63a0759fcd8432756