Analysis
max time kernel: 149s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 24/05/2024, 22:01
Static task: static1
Behavioral task: behavioral1
  Sample: 5831f4e19cce52087619e178b06757026d3a434e0b84b870a026e28ce7602a54.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 5831f4e19cce52087619e178b06757026d3a434e0b84b870a026e28ce7602a54.exe
  Resource: win10v2004-20240508-en
General
Target: 5831f4e19cce52087619e178b06757026d3a434e0b84b870a026e28ce7602a54.exe
Size: 2.6MB
MD5: 2203c5fd720df2de5a72372ddcbdda13
SHA1: 4ae371fb653954094da9d1a328d43ce680802422
SHA256: 5831f4e19cce52087619e178b06757026d3a434e0b84b870a026e28ce7602a54
SHA512: 8d1eb95e7d18f68e80f95ae638e692cbdf4a544b8687549d613a912aa71985ea9ba6bcfc0398f2be9f03d16c1865cdb0a094bccce2a8dffe3e49b04f96571ff6
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBMB/bS:sxX7QnxrloE5dpUp7b
Malware Config
Signatures

Drops startup file (1 IoC)
  description   ioc                                                                                         Process
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe    5831f4e19cce52087619e178b06757026d3a434e0b84b870a026e28ce7602a54.exe

Executes dropped EXE (2 IoCs)
  pid   Process
  1944  locxdob.exe
  2540  devdobloc.exe

Loads dropped DLL (2 IoCs)
  pid   Process
  2796  5831f4e19cce52087619e178b06757026d3a434e0b84b870a026e28ce7602a54.exe
  2796  5831f4e19cce52087619e178b06757026d3a434e0b84b870a026e28ce7602a54.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar secrets.

Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                                                                          Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe7M\\devdobloc.exe"      5831f4e19cce52087619e178b06757026d3a434e0b84b870a026e28ce7602a54.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid9U\\boddevsys.exe"   5831f4e19cce52087619e178b06757026d3a434e0b84b870a026e28ce7602a54.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs; distinct entries shown, the report repeats them: 2 events for PID 2796, 31 each for PIDs 1944 and 2540)
  pid   Process
  2796  5831f4e19cce52087619e178b06757026d3a434e0b84b870a026e28ce7602a54.exe
  1944  locxdob.exe
  2540  devdobloc.exe

Suspicious use of WriteProcessMemory (8 IoCs; each row below is reported 4 times)
  description                  pid   Process                                                                 procid_target
  PID 2796 wrote to memory of  1944  5831f4e19cce52087619e178b06757026d3a434e0b84b870a026e28ce7602a54.exe  28
  PID 2796 wrote to memory of  2540  5831f4e19cce52087619e178b06757026d3a434e0b84b870a026e28ce7602a54.exe  29
Processes

C:\Users\Admin\AppData\Local\Temp\5831f4e19cce52087619e178b06757026d3a434e0b84b870a026e28ce7602a54.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5831f4e19cce52087619e178b06757026d3a434e0b84b870a026e28ce7602a54.exe"
  PID: 2796
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe (child of PID 2796)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
    PID: 1944
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses

  C:\Adobe7M\devdobloc.exe (child of PID 2796)
    Command line: C:\Adobe7M\devdobloc.exe
    PID: 2540
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads