
Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    22/04/2024, 19:15

General

  • Target

    18a2ac5c4baf460f18a88030e2f8f4c1084beafd126f156cd0bc4e78e86446a7.exe

  • Size

    3.2MB

  • MD5

    6733057c3df40829370247b699a3a581

  • SHA1

    29d1f4bf67043f347e96184dfee97bc4622397a8

  • SHA256

    18a2ac5c4baf460f18a88030e2f8f4c1084beafd126f156cd0bc4e78e86446a7

  • SHA512

    58fbe8a4da38bf460d702f72e5c4d2602da197c9771ab716b74e893f602335291729d46f4e680dfabfcd372d26b44d12f3d78d6ad0d00ad8ebb547beed1a68a1

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBFB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpWbVz8eLFcz

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\18a2ac5c4baf460f18a88030e2f8f4c1084beafd126f156cd0bc4e78e86446a7.exe
    "C:\Users\Admin\AppData\Local\Temp\18a2ac5c4baf460f18a88030e2f8f4c1084beafd126f156cd0bc4e78e86446a7.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:836
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2340
    • C:\AdobeSU\abodloc.exe
      C:\AdobeSU\abodloc.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2540

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\AdobeSU\abodloc.exe

    Filesize

    3.2MB

    MD5

    4b601e9b3ba14784004df01bdc02f16b

    SHA1

    707e87638c8d8790cb8605d404f67a909341d91f

    SHA256

    1475ba563782221116c1b9c6cf37d7d30b0cfca5bb69698a99c7bd1f1b3ff0e8

    SHA512

    eb5c05795224d8a6447d5cd435f92daf4fadf8a93648c0641272751da5c7b0bf353ecfd650ac43bb5c8af4203778da0d426cf2af022b3d11620f82b50ff37711

  • C:\KaVB2C\optidevsys.exe

    Filesize

    3.2MB

    MD5

    3569ac9e7683fea78a7f47c968a4d85c

    SHA1

    b9aa14debd555729b7434e76631e5f0e8e0d3622

    SHA256

    09982d418b9a96b3172406e0a0079765205a6ac1914a2ffdc94c55eaadc16348

    SHA512

    1438c647e4da1e71931a7b03f36528cc12c16dc289b7656962ee4359b344d65fb0590f3e6a4e24b80fa65081c51f4e0ebc21e994a3ffd620f1ca8f422458fbc3

  • C:\KaVB2C\optidevsys.exe

    Filesize

    198KB

    MD5

    c12c5765a1f97f400748dc05c5e30947

    SHA1

    bdf8c9606e40543c59b5035c7581c191ce531d07

    SHA256

    30c7743e508d3785e77f3a367976d6401c5da6291c6dbf4f303039a5b44a8d23

    SHA512

    66dbcba71d0e16fe14eadace738f95200421491a22bcdb0321f2ace4ae1fa43d352c29995b69d2a0f794ef8700920bf399683cd6ace70bdebb51dacdf5d0a8a7

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    171B

    MD5

    a5ab352b6a8cd2d832c400fe14f5f860

    SHA1

    b489749a5de861fe405ba79b9ead71493002ac93

    SHA256

    e376af06126f4e610201837747bf699dd4596cc66fc1ab15454f3c1842da4018

    SHA512

    bb450afdab912610e2b41baeb9e3018ffeb3fb3b4ec17a90d7d82b1c6c9ccbb49eeb1ec1eac26940db7261ea14c37e170e291ef8f56aa6c34172dd878032d172

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    203B

    MD5

    43a500c5496c4006293d17f69f04a4c3

    SHA1

    05af026709cfbf0db5f6db5a29bc645fdb2ed510

    SHA256

    5e087974ea7722d844f8d6057417329d4c4c37f39b4745ce5adca833d20144d0

    SHA512

    ffbf8adf3788dbd1fadf80d89d1ce03364887c673173a63effc5a5593e76780d4c4d79f9a682d2b6407600a308302452cd2b1d082c9d01ee94502bdcdb11c6dd

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe

    Filesize

    3.2MB

    MD5

    764b94de7130c65ee2abe37d6a40e6ec

    SHA1

    ce0d2fdee5136fb5549b4fd6cc31a2b2b23ad228

    SHA256

    8591737e8db3d4fb8110692a3c99fef8ee9240ec468ff489c4c888d241d7379e

    SHA512

    c62638189babd9f01f65e76d76848fe462633cc073e0458a6375c32773ebb5a8e731d62802446b08959c7e11f7b81ba80310e0aa286c3be7b05b4a409feb1bae