Analysis
- max time kernel: 149s
- max time network: 170s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system
- submitted: 20/02/2024, 14:37
Static task
- static1

Behavioral tasks (sample, resource)
- behavioral1: VirusSign.2024.02.08/036062de97522e2c40b04d1c1c0d5bf3.exe, win7-20231215-en
- behavioral2: VirusSign.2024.02.08/036062de97522e2c40b04d1c1c0d5bf3.exe, win10v2004-20240220-en
- behavioral3: VirusSign.2024.02.08/0366d8bc8e9bd5e64e301190356e79ff.exe, win7-20231215-en
- behavioral4: VirusSign.2024.02.08/0366d8bc8e9bd5e64e301190356e79ff.exe, win10v2004-20240220-en
- behavioral5: VirusSign.2024.02.08/0372bdc19184e4dd7461170dfb052a2d.exe, win7-20231215-en
- behavioral6: VirusSign.2024.02.08/0372bdc19184e4dd7461170dfb052a2d.exe, win10v2004-20231215-en
- behavioral7: VirusSign.2024.02.08/038db7a1bc9f32408eb32a8b02b5cf31.exe, win7-20231215-en
- behavioral8: VirusSign.2024.02.08/038db7a1bc9f32408eb32a8b02b5cf31.exe, win10v2004-20231215-en
- behavioral9: VirusSign.2024.02.08/0399febb08bcbf43227bad19576af767.exe, win7-20240215-en
- behavioral10: VirusSign.2024.02.08/0399febb08bcbf43227bad19576af767.exe, win10v2004-20240220-en
- behavioral11: VirusSign.2024.02.08/03a3a464ef2a1fbe54b35a8effbf54f9.exe, win7-20231215-en
- behavioral12: VirusSign.2024.02.08/03a3a464ef2a1fbe54b35a8effbf54f9.exe, win10v2004-20231215-en
- behavioral13: VirusSign.2024.02.08/03a4ed0cb8c9721fc1369cc5f381fd76.exe, win7-20231215-en
- behavioral14: VirusSign.2024.02.08/03a4ed0cb8c9721fc1369cc5f381fd76.exe, win10v2004-20231215-en
- behavioral15: VirusSign.2024.02.08/03af51abe00f3c6154bc829f07f83945.exe, win7-20231215-en
- behavioral16: VirusSign.2024.02.08/03af51abe00f3c6154bc829f07f83945.exe, win10v2004-20231215-en
- behavioral17: VirusSign.2024.02.08/03b6a8e2d209f10cce366b73bec0283a.exe, win7-20240220-en
- behavioral18: VirusSign.2024.02.08/03b6a8e2d209f10cce366b73bec0283a.exe, win10v2004-20231215-en
- behavioral19: VirusSign.2024.02.08/03ba9978296204d2048fb184e546932b.exe, win7-20240215-en
- behavioral20: VirusSign.2024.02.08/03ba9978296204d2048fb184e546932b.exe, win10v2004-20231215-en
- behavioral21: VirusSign.2024.02.08/03e3a2fc4bf137d68962d35b23186a74.exe, win7-20231215-en
- behavioral22: VirusSign.2024.02.08/03e3a2fc4bf137d68962d35b23186a74.exe, win10v2004-20231215-en
- behavioral23: VirusSign.2024.02.08/03e8dd811ff56c2ef65a494a29601f9e.exe, win7-20231215-en
- behavioral24: VirusSign.2024.02.08/03e8dd811ff56c2ef65a494a29601f9e.exe, win10v2004-20231215-en
- behavioral25: VirusSign.2024.02.08/03eec9b444ff21a20e84fa8592478c22.exe, win7-20231215-en
- behavioral26: VirusSign.2024.02.08/03eec9b444ff21a20e84fa8592478c22.exe, win10v2004-20231215-en
- behavioral27: VirusSign.2024.02.08/04048340f3e175baa6bd71fcc12851ef.exe, win7-20231215-en
- behavioral28: VirusSign.2024.02.08/04048340f3e175baa6bd71fcc12851ef.exe, win10v2004-20240220-en
- behavioral29: VirusSign.2024.02.08/0409c5c4922e4b79e2017df62f632cf3.exe, win7-20240220-en
- behavioral30: VirusSign.2024.02.08/0409c5c4922e4b79e2017df62f632cf3.exe, win10v2004-20231215-en
- behavioral31: VirusSign.2024.02.08/040dcef90aa17a406b8de190fd3330d8.exe, win7-20240215-en
- behavioral32: VirusSign.2024.02.08/040dcef90aa17a406b8de190fd3330d8.exe, win10v2004-20231215-en
General
- Target: VirusSign.2024.02.08/03ba9978296204d2048fb184e546932b.exe
- Size: 4.0MB
- MD5: 03ba9978296204d2048fb184e546932b
- SHA1: 63fc0f70834a1868681c1ac8bf9dca778221816c
- SHA256: 0af366e7b4fa57f57a14aec07cd5c2991809e96b3d240c9440c1c6e59576a16e
- SHA512: 4f6c5cb0048ae1d3a8b39c7dcd2fb3901402dac55309efe453b69b7ded5efa8085f27144e766eeddb1c9d38a857dfa7b2bf1cbd6fc52d65348dd76bb3cab3ed4
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBJB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpabVz8eLFcz
Malware Config
Signatures
- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe (process: 03ba9978296204d2048fb184e546932b.exe)
- Executes dropped EXE (2 IoCs)
  PID 3800: sysdevbod.exe
  PID 1988: abodsys.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesSN\\abodsys.exe" (process: 03ba9978296204d2048fb184e546932b.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidMY\\boddevec.exe" (process: 03ba9978296204d2048fb184e546932b.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs; pid and process name per entry)
pid Process 5060 03ba9978296204d2048fb184e546932b.exe 5060 03ba9978296204d2048fb184e546932b.exe 5060 03ba9978296204d2048fb184e546932b.exe 5060 03ba9978296204d2048fb184e546932b.exe 3800 sysdevbod.exe 3800 sysdevbod.exe 1988 abodsys.exe 1988 abodsys.exe 3800 sysdevbod.exe 3800 sysdevbod.exe 1988 abodsys.exe 1988 abodsys.exe 3800 sysdevbod.exe 3800 sysdevbod.exe 1988 abodsys.exe 1988 abodsys.exe 3800 sysdevbod.exe 3800 sysdevbod.exe 1988 abodsys.exe 1988 abodsys.exe 3800 sysdevbod.exe 3800 sysdevbod.exe 1988 abodsys.exe 1988 abodsys.exe 3800 sysdevbod.exe 3800 sysdevbod.exe 1988 abodsys.exe 1988 abodsys.exe 3800 sysdevbod.exe 3800 sysdevbod.exe 1988 abodsys.exe 1988 abodsys.exe 3800 sysdevbod.exe 3800 sysdevbod.exe 1988 abodsys.exe 1988 abodsys.exe 3800 sysdevbod.exe 3800 sysdevbod.exe 1988 abodsys.exe 1988 abodsys.exe 3800 sysdevbod.exe 3800 sysdevbod.exe 1988 abodsys.exe 1988 abodsys.exe 3800 sysdevbod.exe 3800 sysdevbod.exe 1988 abodsys.exe 1988 abodsys.exe 3800 sysdevbod.exe 3800 sysdevbod.exe 1988 abodsys.exe 1988 abodsys.exe 3800 sysdevbod.exe 3800 sysdevbod.exe 1988 abodsys.exe 1988 abodsys.exe 3800 sysdevbod.exe 3800 sysdevbod.exe 1988 abodsys.exe 1988 abodsys.exe 3800 sysdevbod.exe 3800 sysdevbod.exe 1988 abodsys.exe 1988 abodsys.exe -
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 5060 (03ba9978296204d2048fb184e546932b.exe) wrote to memory of 3800, procid_target 87
  PID 5060 (03ba9978296204d2048fb184e546932b.exe) wrote to memory of 3800, procid_target 87
  PID 5060 (03ba9978296204d2048fb184e546932b.exe) wrote to memory of 3800, procid_target 87
  PID 5060 (03ba9978296204d2048fb184e546932b.exe) wrote to memory of 1988, procid_target 88
  PID 5060 (03ba9978296204d2048fb184e546932b.exe) wrote to memory of 1988, procid_target 88
  PID 5060 (03ba9978296204d2048fb184e546932b.exe) wrote to memory of 1988, procid_target 88
Processes
- C:\Users\Admin\AppData\Local\Temp\VirusSign.2024.02.08\03ba9978296204d2048fb184e546932b.exe (PID 5060)
  Command line: "C:\Users\Admin\AppData\Local\Temp\VirusSign.2024.02.08\03ba9978296204d2048fb184e546932b.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe (PID 3800)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
  - C:\FilesSN\abodsys.exe (PID 1988)
    Command line: C:\FilesSN\abodsys.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads