Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags
    arch:x64
    arch:x86
    image:win10v2004-20240419-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    01/05/2024, 18:13

General

  • Target

    03a60069bff80a4afd07d393a339c33c4358ce6ce02ece641764813471f6656a.exe

  • Size

    2.6MB

  • MD5

    9c7ed5f2aa325792de47e4ec60234fd6

  • SHA1

    6fe579101b08e5a061b32c9ef223cc6ea3f2e6b3

  • SHA256

    03a60069bff80a4afd07d393a339c33c4358ce6ce02ece641764813471f6656a

  • SHA512

    ff2736404e35f30f09a4990fcb03c33bb99e8970f52766166c6122587cce5628332f4f0b67117745ec9f30025893172a1b45d1f54d109a0f1927b7076ad08b1f

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBCB/bS:sxX7QnxrloE5dpUp9b

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\03a60069bff80a4afd07d393a339c33c4358ce6ce02ece641764813471f6656a.exe
    "C:\Users\Admin\AppData\Local\Temp\03a60069bff80a4afd07d393a339c33c4358ce6ce02ece641764813471f6656a.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3820
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:3400
    • C:\FilesPU\devdobsys.exe
      C:\FilesPU\devdobsys.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:5044

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\FilesPU\devdobsys.exe

    Filesize

    802KB

    MD5

    4ad4f22cbe33dd6a5cdffd42f906ae74

    SHA1

    75b1985f04b1cd092e435910457994de20be9056

    SHA256

    a1a36cdb106aec2f03b50a3be7fa8f15636719cf2db8be7203ede5da5bcd8910

    SHA512

    874bf7488968ecb662a27d9a89c82c28faa5a19e080bdbbe5ac6142a207167d3fbf439d7ff38335647ea81432f7d7f4bf4a5b0ee9ac2abca1c957b950f3410d2

  • C:\FilesPU\devdobsys.exe

    Filesize

    2.6MB

    MD5

    f02b07133e49342bb224a08e5bcae381

    SHA1

    e2ba2388766ab50c86015a578a0f285a8b914793

    SHA256

    f23a7ba4761fafc738f815f167944ffdb32a447c5d6a7489ebe608f789e672a6

    SHA512

    6a93a194055cb341a39bbfafbd5de1d70ce41ef0c455518e2cdb66e18476d918c02f8ed0d198dd6dde06ce2d72d343660acf7e49963d0dc7eaa994bb8a15f399

  • C:\LabZTO\optixec.exe

    Filesize

    2.6MB

    MD5

    d87ee333ce50818bd03188dcd78678ce

    SHA1

    b1a073cc49d3fc36c9d01b59403ecde3562dd556

    SHA256

    65cfcd72e29d85250712adca2469ad813fd15450f9dae0d8918ecbee515a1181

    SHA512

    b270d9d7ff64f628b8294d8669f405c602e4c48f0a851165a8a5326d9ab060da2ccfd6514945e71060b5dd6723747a9c3671aeb4f0b71560c3260174c229a471

  • C:\LabZTO\optixec.exe

    Filesize

    2.6MB

    MD5

    184a9e2af14253b48bc832fff0d79cd1

    SHA1

    3a1eb411c6c7f5ecfb8b91386c7c42a8ea952e27

    SHA256

    cbfb0c622e1db10a51761200efcccceab4298a6b0786efd7c13bddfddab82617

    SHA512

    68257d805deebed27facca55ebd4f515220aee078fa32fed824390361b09a94f99498b4ee8f2f7ba73791fc48f4582b642b0014a211e6a7e928dbf51eedb56ec

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    204B

    MD5

    11decfb44abfae64108efc9a6e0ce0a4

    SHA1

    406d8a59ed5d380789ca73cf97b91ca2629331f4

    SHA256

    4f960b836534365a86f145857c9c7a873cdeb8c8af7734e6cd6c8ca0e57b413f

    SHA512

    466ae1904780910ea624c0b5caea951c831834fa88c4de1911dd1b2b157fc9ecc3d46873f48e264d963ca6ae7d2fec3647ce656aa0084e7653e1e82ef95308d8

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    172B

    MD5

    1f1f63cf3f35895830d9eaaf01d23ff6

    SHA1

    77c49a25f269176e0063c29a63f5ae2bab83a46e

    SHA256

    7e1842d32f6de6e3f9afb428d37be6adb5fbd0e4cc2a5e3f59cbb2af5380f5e2

    SHA512

    80b88a4a6661fad1311843494bba3f31265df93397453c29508cdf2eea3e77333a43f18f6f53be3193e20b2091cf6034d2762843fe596cbf428d2364a2a0619d

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe

    Filesize

    2.6MB

    MD5

    61a87c2964a97f7564b6aea4a7f473f6

    SHA1

    bbc14358d8263757edfa1fd714ff6460519bf71b

    SHA256

    cc2d8f15f08213fd32bb6ee65bc6cb3e7f65e9038562668c3de8c1421d7e6a6c

    SHA512

    6e94d2cfe21e1b0f445d3459058a7180c76c0f4ee7dc99674e41274f3cf1a26cac0019db95881c758b82c3be61b8cde2b6bfac0e75f01fe71ddbc3ce929644cf