Analysis
- max time kernel: 150s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 22/04/2024, 00:59
Static task
- static1

Behavioral task
- behavioral1
  Sample: 9b08b68b0c129fb647926bf903b864441dfbda2c7812646efea4695293608d7c.exe
  Resource: win7-20240220-en

Behavioral task
- behavioral2
  Sample: 9b08b68b0c129fb647926bf903b864441dfbda2c7812646efea4695293608d7c.exe
  Resource: win10v2004-20240412-en
General
- Target: 9b08b68b0c129fb647926bf903b864441dfbda2c7812646efea4695293608d7c.exe
- Size: 2.6MB
- MD5: 154103da74afa24dc7e5f11cb36ad409
- SHA1: 650301da740464fec9cd7904c1e4d9c54be5b472
- SHA256: 9b08b68b0c129fb647926bf903b864441dfbda2c7812646efea4695293608d7c
- SHA512: 945fe0877cfa90ad9a745911d195c35eb86269ee556af5dccfdf30bdfdc41f53f435761d0c013f8c47ae5935dc66cd309870a33cb313124c9379c79aad98b570
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBOB/bS:sxX7QnxrloE5dpUp5b
Malware Config
Signatures
- Drops startup file (1 IoC)
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
  Process: 9b08b68b0c129fb647926bf903b864441dfbda2c7812646efea4695293608d7c.exe

- Executes dropped EXE (2 IoCs)
  pid 2940, Process: locdevdob.exe
  pid 2596, Process: adobec.exe

- Loads dropped DLL (2 IoCs)
  pid 2000, Process: 9b08b68b0c129fb647926bf903b864441dfbda2c7812646efea4695293608d7c.exe
  pid 2000, Process: 9b08b68b0c129fb647926bf903b864441dfbda2c7812646efea4695293608d7c.exe

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Adds Run key to start application (2 TTPs, 2 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvK5\\adobec.exe"
  Process: 9b08b68b0c129fb647926bf903b864441dfbda2c7812646efea4695293608d7c.exe

  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZOA\\boddevsys.exe"
  Process: 9b08b68b0c129fb647926bf903b864441dfbda2c7812646efea4695293608d7c.exe

- Suspicious behavior: EnumeratesProcesses (64 IoCs; repeated entries for the following processes)
  pid 2000, Process: 9b08b68b0c129fb647926bf903b864441dfbda2c7812646efea4695293608d7c.exe
  pid 2940, Process: locdevdob.exe
  pid 2596, Process: adobec.exe

- Suspicious use of WriteProcessMemory (8 IoCs)
  description: PID 2000 wrote to memory of 2940 (4 entries)
  pid 2000, Process: 9b08b68b0c129fb647926bf903b864441dfbda2c7812646efea4695293608d7c.exe, procid_target 28

  description: PID 2000 wrote to memory of 2596 (4 entries)
  pid 2000, Process: 9b08b68b0c129fb647926bf903b864441dfbda2c7812646efea4695293608d7c.exe, procid_target 29
Processes
- C:\Users\Admin\AppData\Local\Temp\9b08b68b0c129fb647926bf903b864441dfbda2c7812646efea4695293608d7c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9b08b68b0c129fb647926bf903b864441dfbda2c7812646efea4695293608d7c.exe"
  Depth: 1
  PID: 2000
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
    Depth: 2
    PID: 2940
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses

  - C:\SysDrvK5\adobec.exe
    Command line: C:\SysDrvK5\adobec.exe
    Depth: 2
    PID: 2596
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.6MB
  MD5: 146146477139845d745788838537f95a
  SHA1: 6eb4929fcb97d7205a12b5a432aa1fa49e9682e4
  SHA256: 9531bfa536c0747442a2a66d523a66e74e1eb86938c5fbd2547a074c0f37357d
  SHA512: 1aec5ee3361b623ce6b110bb221484059441eaecc35fc3e59b52ae5e9c32bbebac169741f38c507e7ebff3d5cc3fa93c3bb6852cc518687f17619722b67003a1

- Filesize: 2.6MB
  MD5: b8cf1449f7eba6c6564b3c697a2e9dd6
  SHA1: edcbb592c898dcf39fb16ac19fbe994009a904e4
  SHA256: d5c2516db0587f67637490f44fe43a1934e67db160357309fabe850c2587d0c6
  SHA512: 539e19018fae95276e6e78220ca8b6f0b3af1c862880d6777a73465a98cfb041a6f59e5ca0a85deff9649e87809df04f816648b72a9cf98095ca39ea696bd4ba

- Filesize: 172B
  MD5: 59280e1a2a24e8115c1826f51a291608
  SHA1: 638b68e36d31cd3e13c10a7133ba2cf7c8fff88d
  SHA256: 6638efccf7619a19aaaaca4427451c84ae1fb445c4ca9019610f8301a85633b6
  SHA512: d060531bec20ab7dc8734b60a29077049430b73610963a504f159a8e292f7c130b30c7b711c13bbd86c8df0706cab7e62a9cea313a01700f077bcc529bffb85b

- Filesize: 204B
  MD5: 56ba1012bea7f697226851f0e5d1e957
  SHA1: 5a70e746b56f33018ab7f607e830125a3e53e685
  SHA256: 6e42670eaadf2d0b0453c9a12405afed9626178be686d752fd9115af3d11ab72
  SHA512: ef7478bd738447d6f37ad1ebfda69f01892b7cb8d5e106f8d795b3e97f58efd8fbcaf4e32e6ba74d35b3c316d5c39d70661804484209c546bbd111167b1584ed

- Filesize: 2.6MB
  MD5: cb6898ad57d33ee7cc9c5d1dff3ee645
  SHA1: d8524096d242408f13aeff80f16854f60084754e
  SHA256: c39fc5827176d8f63600ddebbfb4e5fc7110143a27ff9efe2a284d270ffe72fd
  SHA512: e7dce711841ae6e177314e46c9bd2d9e573268aba94baaff5526eb0625c1d99275cba0914fdfec944287a9edf3ddffdb9f564c0129fdde8a9c4500653577027d