Analysis
max time kernel: 149s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/04/2024, 04:18
Static task: static1
Behavioral task: behavioral1
  Sample: dfdd49dad59ceb9aaef548e2e5837e3cb6e053f789c12b76010714e8e16beeaa.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: dfdd49dad59ceb9aaef548e2e5837e3cb6e053f789c12b76010714e8e16beeaa.exe
  Resource: win10v2004-20240412-en
General
Target: dfdd49dad59ceb9aaef548e2e5837e3cb6e053f789c12b76010714e8e16beeaa.exe
Size: 3.2MB
MD5: 8213a9258de910ac54e809856cf29c3e
SHA1: 49b0e82b0c44929666852484033c2d3f08db4095
SHA256: dfdd49dad59ceb9aaef548e2e5837e3cb6e053f789c12b76010714e8e16beeaa
SHA512: 3d2a8a344fb56ad9f66f4918723ba54f402085410c4dfa553ccf353010d4e166c582084fdec74cd3321c21874825925b5c80320361bde3f3362888a8cd0f2e35
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBsB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUp7bVz8eLFcz
Malware Config
Signatures

Drops startup file (1 IoC)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe | dfdd49dad59ceb9aaef548e2e5837e3cb6e053f789c12b76010714e8e16beeaa.exe

Executes dropped EXE (2 IoCs)
  pid | Process
  5008 | sysxbod.exe
  3112 | xoptisys.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocPA\\xoptisys.exe" | dfdd49dad59ceb9aaef548e2e5837e3cb6e053f789c12b76010714e8e16beeaa.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBFN\\boddevec.exe" | dfdd49dad59ceb9aaef548e2e5837e3cb6e053f789c12b76010714e8e16beeaa.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process | occurrences
  3004 | dfdd49dad59ceb9aaef548e2e5837e3cb6e053f789c12b76010714e8e16beeaa.exe | 4
  5008 | sysxbod.exe | 30
  3112 | xoptisys.exe | 30

Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 3004 wrote to memory of 5008 | 3004 | dfdd49dad59ceb9aaef548e2e5837e3cb6e053f789c12b76010714e8e16beeaa.exe | 89 (3 entries)
  PID 3004 wrote to memory of 3112 | 3004 | dfdd49dad59ceb9aaef548e2e5837e3cb6e053f789c12b76010714e8e16beeaa.exe | 90 (3 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\dfdd49dad59ceb9aaef548e2e5837e3cb6e053f789c12b76010714e8e16beeaa.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\dfdd49dad59ceb9aaef548e2e5837e3cb6e053f789c12b76010714e8e16beeaa.exe"
   PID: 3004
   - Drops startup file
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
      command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
      PID: 5008
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
   2. C:\IntelprocPA\xoptisys.exe
      command line: C:\IntelprocPA\xoptisys.exe
      PID: 3112
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 3.2MB
MD5: 953020cc9463346a7e98aebde3b807e5
SHA1: 7ea851a8794022a7ac43fabef2141108bad82346
SHA256: 0c3d632672cbae06fcc5812011147c3fe2eb448ff354821fcb6ae524cb93a012
SHA512: ffb698167c76fd1a25422024c09f86d65a241b092318c205e200e565dbc9ef6cf9b16ec650819ce943be8ae9382b2506f83ae9fcc350dc7cbb87bcc1dbf192b7

Filesize: 4KB
MD5: b61f1c7ad73efe910c92dd7a7c9a7a0e
SHA1: da9ddf3e1877afc7efd9c8d203fc7f7be3458ddd
SHA256: b362504c75e4817110ee35bd9d522710e988aa3feb5cfb08054cbe0cfa6e45f0
SHA512: 224073e4b1011e45541352166fffbcb47dc06282baa16dc5279ee78e858f642e1495bf79dc1ee547b1db3adc2c1a1fbb08ea75a50ef49d2a238000e931ebc155

Filesize: 3.2MB
MD5: eb796be35930db00d265ad06675bdb2a
SHA1: b21d607d6e8aa4c9707917b3a77424ca46cc0e62
SHA256: 827d1948a11495b78b972f66175b08217e4b4961e131e9ea98cfe57b884d7d7a
SHA512: 86484b7e65cf421be80d7182e630fdc7024d70ac17915ae01680b462aafdba91c4619fc5dc9efdc48fd97fa8c3d25df9a4036ee3dc5e3d0383a3859742f32501

Filesize: 206B
MD5: 3337ec598e6cbc6312f61bfa8a66281e
SHA1: 93dfbc1f9b624242d7bb0ee090217d4c71279971
SHA256: 1109a53c85ed620fd884e8fd445b59a184d71b6d037a5e2d22b03c6c3912f887
SHA512: bf0545cc6e534dd9e472ba9b17fb7c7c22e5b3544b6809857d3f200c3b8fa2bd13646200a0d9dfbd86b434e1436fecf7c92ac8b7779a14146c1b4068e165d960

Filesize: 174B
MD5: f4b7adb303ed185cc0c307e7e3b2adb7
SHA1: d953076b2d04f4b0f2535c33d741f1e645cc346c
SHA256: 141db3f72a42bc509b45f69e59958f88bff1db0007532e2cc24f382594847588
SHA512: a3c5444d0a1a1e047943c9c8c24682dce4b9cd971e2b229b7028c903c25bcc495e069e30ffd59be4b8382227af5921edc974a1dce2f346bc057f0c558938eee7

Filesize: 3.2MB
MD5: 3964de7d80cbd1ff0492f3b2915afa7e
SHA1: a4faea0a60a96946887904e426e7089bdb963b81
SHA256: 802ac0f13f9647f9e8b81260e7600cd758d2852f595d1a1b35125da668f0ba75
SHA512: 576948e693a127776cc9bcf0217f72bebc3b1e68177567615dfe11839a2ad587260108d3f0f90e730fe8c5f0afaa4fca7cdf6063b352db22135a9e2291fe7bb7