Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/06/2024, 20:42

General

  • Target

    3a36456248b720193225c624ad7b6a725efc6d9970617b812a5973cc2c395360.exe

  • Size

    4.1MB

  • MD5

    6dfef0960942fdbe4855fa92f26df56f

  • SHA1

    fdb3c82bdcd84bea803f3a219b0b858f0379f3c8

  • SHA256

    3a36456248b720193225c624ad7b6a725efc6d9970617b812a5973cc2c395360

  • SHA512

    76a40a3063c6afae8458626a716d671b43d7b6f569bbe1510f85e7c6675a62655b3a0ea0839936c0a888041e897e55acf4fb5786df38ab2fbdb24ffd55092eeb

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBaB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpZbVz8eLFcz

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3a36456248b720193225c624ad7b6a725efc6d9970617b812a5973cc2c395360.exe
    "C:\Users\Admin\AppData\Local\Temp\3a36456248b720193225c624ad7b6a725efc6d9970617b812a5973cc2c395360.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1992
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:440
    • C:\SysDrv2R\xdobloc.exe
      C:\SysDrv2R\xdobloc.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2152
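The process tree and signatures above give the two persistence artefacts (an executable in the user's Startup folder and a Run key) plus a set of dropped files with hashes. The sweep below, added here as an example and not part of the tria.ge report, turns those into a host check: it matches inventoried files by SHA256 first and by dropped-file path second, after normalising the C:\Users\Admin sandbox profile to any user, and flags Run values whose target is one of the dropped paths and any executable sitting in the Startup folder. The hashes and paths are copied from this report; the host inventory and Run values in the block are constructed test data, and the Run value that points at C:\SysDrv2R\xdobloc.exe is an assumption (the page records that a Run key was added but not its name or target).

```python
import re
from typing import Dict, List, Tuple

# SHA256 -> path as observed in this tria.ge run (copied from the report).
# C:\LabZKT\dobxloc.exe was written twice with different contents and so has
# two hashes: a path-only rule would miss a third variant, a hash-only rule
# would miss the path being reused.  The two small .ini writes are omitted;
# their contents changed between writes, so only their path is stable.
KNOWN_HASHES: Dict[str, str] = {
    "3a36456248b720193225c624ad7b6a725efc6d9970617b812a5973cc2c395360":
        r"C:\Users\Admin\AppData\Local\Temp\3a36456248b720193225c624ad7b6a725efc6d9970617b812a5973cc2c395360.exe",
    "d8ecf665fbf945c90de70193765594e2ec06b0f3032954a720c2049176bbc6c1": r"C:\LabZKT\dobxloc.exe",
    "41737594ceef89e9d4d0389deb11f042ea5d02e903e1359b3110a565e7c0b1bd": r"C:\LabZKT\dobxloc.exe",
    "31d089045cc383bb656709b020793aca15d206470f3f5880a86898c7e8886375": r"C:\SysDrv2R\xdobloc.exe",
    "19be7985a048a1aefb3ca452bc5fcfc31611d1c52ee86392b5b3fd60053f0109":
        r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe",
}

STARTUP_DIR = r"%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

_USER_SEG = re.compile(r"^[a-z]:\\users\\[^\\]+", re.IGNORECASE)


def normalize_path(path: str) -> str:
    """Lower-case the path and replace the per-user prefix, so a file the
    sandbox saw under C:\\Users\\Admin matches the same file in any profile."""
    return _USER_SEG.sub("%userprofile%", path.strip().strip('"')).lower()


KNOWN_PATHS = {normalize_path(p) for p in KNOWN_HASHES.values()}


def sweep_files(files: List[Tuple[str, str]]) -> List[dict]:
    """files: (path, sha256) pairs from a host file inventory.
    'hash' means the content matches a file from this run; 'path' means only
    the dropped-file location is reused (different content, worth a look)."""
    hits = []
    for path, sha256 in files:
        sha256 = sha256.lower()
        if sha256 in KNOWN_HASHES:
            hits.append({"path": path, "sha256": sha256, "match": "hash"})
        elif normalize_path(path) in KNOWN_PATHS:
            hits.append({"path": path, "sha256": sha256, "match": "path"})
    return hits


def _first_token(cmd: str) -> str:
    """Executable part of a Run value, with or without surrounding quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def sweep_persistence(run_values: Dict[str, str], startup_files: List[str]) -> List[dict]:
    """run_values: ...\\CurrentVersion\\Run value name -> command line.
    startup_files: paths present in the user's Startup folder.
    Flags Run values whose target is a known dropped path (the real value in
    this run is not shown in the report) and every executable in Startup."""
    hits = []
    for name, cmd in run_values.items():
        target = _first_token(cmd)
        if normalize_path(target) in KNOWN_PATHS:
            hits.append({"where": "Run", "name": name, "target": target})
    startup_prefix = normalize_path(STARTUP_DIR)
    for path in startup_files:
        norm = normalize_path(path)
        if norm.startswith(startup_prefix) and norm.endswith(".exe"):
            hits.append({"where": "Startup", "name": path.rsplit("\\", 1)[-1],
                         "target": path, "known": norm in KNOWN_PATHS})
    return hits


# Constructed host data for a stand-alone run; not taken from the report.
SAMPLE_FILES = [
    (r"C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe",
     "19be7985a048a1aefb3ca452bc5fcfc31611d1c52ee86392b5b3fd60053f0109"),
    (r"C:\SysDrv2R\xdobloc.exe", "00" * 32),          # same path, unknown content
    (r"C:\Windows\System32\notepad.exe", "11" * 32),  # benign, no hit
]
SAMPLE_RUN = {
    "OneDrive": r'"C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "xdobloc": r'"C:\SysDrv2R\xdobloc.exe"',  # assumed target, see lead-in
}
SAMPLE_STARTUP = [SAMPLE_FILES[0][0]]

if __name__ == "__main__":
    for hit in sweep_files(SAMPLE_FILES) + sweep_persistence(SAMPLE_RUN, SAMPLE_STARTUP):
        print(hit)
```

On a real host the inventory would come from a file walk with hashing and from reading the HKCU and HKLM Run keys; the matching logic is unchanged. Treat a path-only hit as a lead rather than a confirmation, since both C:\LabZKT\dobxloc.exe writes in this run show the sample rewriting a file at the same path with different contents.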

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\LabZKT\dobxloc.exe

    Filesize

    1.4MB

    MD5

    57c7395c5235304b8a9c4dfdb0be6bb6

    SHA1

    ad0d1cf780f78e82fd5d1d1e044596369610acf3

    SHA256

    d8ecf665fbf945c90de70193765594e2ec06b0f3032954a720c2049176bbc6c1

    SHA512

    021f5b5af0fd06c0aa0b68ef0ee7096725c0d27dd43cd0e4f46f54d2708adb13102ca4ef9ea20a2b82672dd0bddeec563120d2a3fa2c089ee3907029af255cc4

  • C:\LabZKT\dobxloc.exe

    Filesize

    9KB

    MD5

    bceeb783568178019cfa9ce19da30a69

    SHA1

    3918c6d01f7a27b2a71133015ea935c5555085ff

    SHA256

    41737594ceef89e9d4d0389deb11f042ea5d02e903e1359b3110a565e7c0b1bd

    SHA512

    7f5f1ad508c1398430e588ab45f558d602b62af4ef7015ce011fe61ef27edee18de0252583558376c713ddc3fdba30604a1b0746cd79acd745c19075f7a1bbf0

  • C:\SysDrv2R\xdobloc.exe

    Filesize

    4.1MB

    MD5

    1d7a8f1d27ac2d44c0ac93a83121d26d

    SHA1

    7d444a7fc45ea521dfc2b2e7ef023746ddc094f0

    SHA256

    31d089045cc383bb656709b020793aca15d206470f3f5880a86898c7e8886375

    SHA512

    9871a26f25a007d08ee9cd0a519ea74d2404097f6a9a6bdbfe2b2a8020ab3bdd9bff045b20c1c7956bd8fb7ba9c8c98b082ac1a4886ad6e28771720e6df77ea9

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    202B

    MD5

    c7abe1dfb5f690ff552ae5f5ac233c31

    SHA1

    4a6a0f87270a527c12f9ae3322caa5b9cd16f4e7

    SHA256

    0e71175772b265dd77a33cecd906d6bf10d3db02f2036cf19cb7abec141800b2

    SHA512

    00f106bf430039d6e172dced2d25057e5608d5e56243af1274af4eb66758d58dba40aac9593f65f9ad9db533104681d7878d5e25ad45ac1fd100edf448dc42d8

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    170B

    MD5

    7ba8fe1a80b81042b3993c9f7b9775f9

    SHA1

    f899fca684c968636e4cee4f800cba3a74666d7a

    SHA256

    95aed87fba88f41d2c0beee8b1f0f89131e91ca5cdfabe1ade6f68f6cc823c5a

    SHA512

    9e3dff298eb1a9af3c2558205f9573cc9097223f8edc43b9ac7fb251ba6322c67c3bbbc50c78769ffaadb701975691f6cce4470af22593a815a0db7d0373159a

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe

    Filesize

    4.1MB

    MD5

    34c625ee80048e4ffb25c95a26acfebb

    SHA1

    649a0e75288f08011b4b940ef05283749ec41630

    SHA256

    19be7985a048a1aefb3ca452bc5fcfc31611d1c52ee86392b5b3fd60053f0109

    SHA512

    38a33c8728c4a8d5159f3d1855dd2b3ad5b2977274aa86c0c930f130da67368720e18d0ed9bd0d1574ae3d8f251a65c8362e5c1271811d32673b3f2b64bce191