Analysis

  • max time kernel
    149s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20231020-en
  • resource tags
    arch:x64 arch:x86 image:win7-20231020-en locale:en-us os:windows7-x64 system
  • submitted
    02/11/2023, 16:41

General

  • Target

    NEAS.1efc0e1d03c7c7c3783aa5d49679a810.exe

  • Size

    4.0MB

  • MD5

    1efc0e1d03c7c7c3783aa5d49679a810

  • SHA1

    2288313b7c092a0561cd788b64fd6a7c12a38288

  • SHA256

    c5bd60e1499f7fd1e9732a8a188d2dae2d7b1269ee3713f05dd39374bf97692d

  • SHA512

    39d75ec31cdf87ce402e72ee057cc5dba36f0a2a1e080063c67886f4a423e14c5f3dd8d3d5e32c1b476a60a4a3360cca74343de49577ce75064653499ac19526

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBmB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpBbVz8eLFcz

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.1efc0e1d03c7c7c3783aa5d49679a810.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.1efc0e1d03c7c7c3783aa5d49679a810.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3044
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2940
    • C:\IntelprocO2\xdobsys.exe
      C:\IntelprocO2\xdobsys.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2840

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\GalaxN8\dobxec.exe

    Filesize

    4.0MB

    MD5

    b05b5613e612322a465fabd2adf4af99

    SHA1

    15c049d3c063d61a3745c114325184662185ac5b

    SHA256

    9eef1fdd39e5b54081a5a30316bcbbe42be7fb7ce7d598d17064b97098eae34c

    SHA512

    33e5b640d59e3e55d6ab316527bdda2f0b788578ea5b3c0c77146d672a822bc5070018be9529693608e6c87010f3835ff3fe7003068c8e21ee6fa9449620e3c4

  • C:\GalaxN8\dobxec.exe

    Filesize

    498KB

    MD5

    f9ecd1aa2003d67c0272a65171a3579f

    SHA1

    7635feb779ba1987b8051131ea132653cfd57fd6

    SHA256

    abc8e1267b5536aeec00e1536e6e8a430ad9a918d0750d6226b982eda7d3ffbd

    SHA512

    d9dfaec5463111650eff8cc25bf3b4371b6d34126c52e8a71eb770e789ad202fef179c34a659a018f7e8eba935f2a346f69ebd5e92544590fd56c904cf7ea975

  • C:\IntelprocO2\xdobsys.exe

    Filesize

    4.0MB

    MD5

    2be1d511a549dc5af2e3808927855d02

    SHA1

    34489ea24457fea68846809643f1f328d7bfe938

    SHA256

    673a3fc2f20e91ec665c4356d78d29e426771527a7b516917c0924826f1e86cb

    SHA512

    ca6075802effebae9ee20be6674e88289a55c44f76c88ce55f0ed22cc9e870746a43a36e795f155d188490d0bc25d703dff5c7c8252cfc5f7ee00dc8ad2cd4d0

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    174B

    MD5

    5ac1a10b8afee9424d364666cba8184e

    SHA1

    9fdc0313c3b3264382a402820c33f6f13811e48e

    SHA256

    bc898892e54b7a47d6583bc9f494d5ec63a4ac851fa6ddde5d69e7889b487bf9

    SHA512

    2a7cc6e0482c4ba0407b41a1451d0f8f7581145c3443c7e9f48a18aa8ec5bd5544d0b8b0bdfb87a977e2f0be0d21b1c08a27f8ad1a8e9f56f3d47e73877a4293

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    206B

    MD5

    bd33eaad905f832d758379c8bab82667

    SHA1

    621653e41ddbb3f4249477fbb58b90f3360c93d6

    SHA256

    1fcaf3ebe3e79b438b5afaffbd235873aa1ea793d31cd6b7817669c91874c010

    SHA512

    9180cc4c42e15367d9604e5cb5ecd4dc3263e64fac36143e01037942fe69678f78ef7de2feb6a83979bc31df876cf572720636fff6a33b85d84e5f71c3e077d4

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe

    Filesize

    4.0MB

    MD5

    afac8c0bc6fcd0488bd74fb9687e6c69

    SHA1

    511d22e8077cfadd8faafa56f00f1dcfd8c91939

    SHA256

    47c60d84f0f31b4b250b2f677adc9ef3f3b6f14dd82cb3efcb3419f1cfa4295a

    SHA512

    9c3f8e772a3efa85ee8ecfe1edaee8a51dd8ba5a2ddb861d85962020fc4d8a77684f5b55a3ef83c55f62b5a50cba56c36c3a6fa3fdafd87606c2ca323e793e97

  • \IntelprocO2\xdobsys.exe

    Filesize

    4.0MB

    MD5

    2be1d511a549dc5af2e3808927855d02

    SHA1

    34489ea24457fea68846809643f1f328d7bfe938

    SHA256

    673a3fc2f20e91ec665c4356d78d29e426771527a7b516917c0924826f1e86cb

    SHA512

    ca6075802effebae9ee20be6674e88289a55c44f76c88ce55f0ed22cc9e870746a43a36e795f155d188490d0bc25d703dff5c7c8252cfc5f7ee00dc8ad2cd4d0

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe

    Filesize

    4.0MB

    MD5

    afac8c0bc6fcd0488bd74fb9687e6c69

    SHA1

    511d22e8077cfadd8faafa56f00f1dcfd8c91939

    SHA256

    47c60d84f0f31b4b250b2f677adc9ef3f3b6f14dd82cb3efcb3419f1cfa4295a

    SHA512

    9c3f8e772a3efa85ee8ecfe1edaee8a51dd8ba5a2ddb861d85962020fc4d8a77684f5b55a3ef83c55f62b5a50cba56c36c3a6fa3fdafd87606c2ca323e793e97