Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    10/07/2024, 07:30

General

  • Target

    f851365670ab23dc1b3e31fdf0d788e745d50b1a57532960e90adbf77571e127.exe

  • Size

    2.7MB

  • MD5

    aaa9a656f2defb56d259463c4213a9b5

  • SHA1

    3bc3774fb3866f84983d8a19fc642b3433a80a3d

  • SHA256

    f851365670ab23dc1b3e31fdf0d788e745d50b1a57532960e90adbf77571e127

  • SHA512

    4b0d3cf4b0bd7ef72bc77ec85e7fc9921d7004d2de5c686dddd7e6fcda43d605629ad47bb3ec4af35d7ab4ffea488168b817f3d7e898ebbda0e6a4d2b82734f6

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB8B/bSq:sxX7QnxrloE5dpUpLbV

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f851365670ab23dc1b3e31fdf0d788e745d50b1a57532960e90adbf77571e127.exe
    "C:\Users\Admin\AppData\Local\Temp\f851365670ab23dc1b3e31fdf0d788e745d50b1a57532960e90adbf77571e127.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1420
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2056
    • C:\Files5V\adobloc.exe
      C:\Files5V\adobloc.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2192
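The behaviours the signatures above flag (a file written to the user's Startup folder, a Run key added, the dropped files then executed as children of the sample) can be expressed as a small set of correlating detection rules. The block below is an added example and is not part of the Triage report or of any Triage tooling. It runs over a constructed event stream in a simplified Sysmon-like shape (the field names `event`, `pid`, `image`, `target_path` and `target_object` are assumptions); the paths and PIDs come from the process tree above, while the Run value name and the benign notepad events are constructed, since the report does not show them.

```python
"""Rule-style detection over a constructed, Sysmon-like event stream.

Added example; not code from the Triage report. Field names are assumed.
"""
import re
from collections import Counter

# Persistence locations flagged in the report's signatures.
STARTUP_DIR_RE = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+$", re.IGNORECASE)
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)

# An .exe living directly under a top-level directory that is not a normal
# install root (C:\Files5V\adobloc.exe, C:\MintSY\optidevec.exe) is unusual.
TRUSTED_ROOTS = ("windows", "program files", "program files (x86)")
ROOT_DIR_EXE_RE = re.compile(r"^[a-z]:\\([^\\]+)\\[^\\]+\.exe$", re.IGNORECASE)


def evaluate(events):
    """Return (rule, pid, detail) findings for an ordered event stream.

    'executes_dropped_exe' is a correlation: a process_create whose image was
    written earlier in the same stream by a file_create event.
    """
    dropped = {}  # lower-cased path -> pid of the process that wrote it
    findings = []
    for ev in events:
        kind, pid = ev["event"], ev["pid"]
        if kind == "file_create":
            path = ev["target_path"]
            dropped[path.lower()] = pid
            if STARTUP_DIR_RE.search(path):
                findings.append(("drops_startup_file", pid, path))
        elif kind == "registry_set":
            key = ev["target_object"]
            if RUN_KEY_RE.search(key):
                findings.append(("adds_run_key", pid, key))
        elif kind == "process_create":
            image = ev["image"]
            writer = dropped.get(image.lower())
            if writer is not None:
                findings.append(("executes_dropped_exe", pid,
                                 f"{image} (written by pid {writer})"))
            m = ROOT_DIR_EXE_RE.match(image)
            if m and m.group(1).lower() not in TRUSTED_ROOTS:
                findings.append(("exe_in_nonstandard_root_dir", pid, image))
    return findings


def summarize(findings):
    """Count findings per rule name."""
    return dict(Counter(rule for rule, _, _ in findings))


STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\f851365670ab23dc1b3e31fdf0d788e745d50b1a57532960e90adbf77571e127.exe")

# Constructed event stream modelled on the process tree in the report.
SAMPLE_EVENTS = [
    {"event": "process_create", "pid": 1420, "image": SAMPLE},
    {"event": "file_create", "pid": 1420, "target_path": STARTUP + r"\sysdevbod.exe"},
    {"event": "file_create", "pid": 1420, "target_path": r"C:\Files5V\adobloc.exe"},
    # The Run value name below is constructed; the report only shows that a Run key was added.
    {"event": "registry_set", "pid": 1420,
     "target_object": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\sysdevbod"},
    {"event": "process_create", "pid": 2056, "image": STARTUP + r"\sysdevbod.exe"},
    {"event": "process_create", "pid": 2192, "image": r"C:\Files5V\adobloc.exe"},
    # Benign activity (constructed) that must not fire any rule.
    {"event": "process_create", "pid": 3000, "image": r"C:\Windows\System32\notepad.exe"},
    {"event": "registry_set", "pid": 3000,
     "target_object": r"HKCU\Software\Contoso\Editor\Settings"},
]

if __name__ == "__main__":
    for rule, pid, detail in evaluate(SAMPLE_EVENTS):
        print(f"{rule:<28} pid={pid:<5} {detail}")
    print(summarize(evaluate(SAMPLE_EVENTS)))
```

The dropped-then-executed correlation only works if the file write precedes the execution in the stream, so events must be ordered by time before evaluation. Note also that the copy persisted in the Startup folder (sysdevbod.exe, SHA256 b988b417...) has different hashes from the submitted sample (f851...) despite the same 2.7MB size, so hunting by the parent's hash alone will miss the persisted file; path- and behaviour-based rules such as these catch it regardless.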

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Files5V\adobloc.exe

    Filesize

    716KB

    MD5

    cbf9fc0e208d015283a5e29f3fa661dd

    SHA1

    6f4a7146423b63ed2b62d07ec92c94208103654d

    SHA256

    a83f33c48e88bdaaf7e5f339c2cc8c1b35696de54a4de396a133f35cfebf097e

    SHA512

    2ca4e61a7940191c9b8557892dd26fa9f5fbf71b92ca8bc2f78c34c4ce69019e59dac0cef0affff4e07f582ad74df34702fb55fad9c92c33735d6ab3051403ff

  • C:\Files5V\adobloc.exe

    Filesize

    2.7MB

    MD5

    f4f5b644d03326b103a643f419ab59af

    SHA1

    9d82d5ff2c99acd618c79993fd94b212891fd1ea

    SHA256

    ea4a88a6456b1a91c69ed3bcc05da487bfb1a4f5540e3a65e3fe7b15225c6319

    SHA512

    c013e3969357f9768d0f92beaa58f5c3a7561cef75c9dec65a037bd8ee7357de630d453fc33566cbedccbc061dff20115ca9189d246cf85f69ebd13fe7b23daa

  • C:\MintSY\optidevec.exe

    Filesize

    32KB

    MD5

    b49076433c0bf84919c9872909ac9b4c

    SHA1

    62ccebdcdf26aab3095a02caf388459acba54554

    SHA256

    047965653df12ad8344f021b1f08bcf8f2c1d61ab509d61b8d166ad7b0aabb99

    SHA512

    13bf6e46756787aacb11302c4300040db7eb4fcb38e7f33accfd48dab2ec6ed3056a5caf7212b585485fd71396d534800f9bef245d814f3af4489df0ab3f07e7

  • C:\MintSY\optidevec.exe

    Filesize

    1.4MB

    MD5

    e443afea9a4bde65b992194f3fab4e97

    SHA1

    38f8418c0e2b77e5477210d50ba3bc6ac516b74a

    SHA256

    7d93f5bdae01df0b1a64cc92a8c0d4ac458714606a54c101a2a2124c7ce151bb

    SHA512

    612382de8cffeabcd09eb9db1348e5794067c266f29a5e9d8000fa9d7c44b2fbe77032ba7af8fce2143d82edd2c8cdb645f31437c384c66a9f5660e95346e19b

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    172B

    MD5

    1bcbb0052c52864e17d0bc037fb29005

    SHA1

    312b59c6babbab7bef6ee1a8f4fd104d0510163c

    SHA256

    e40a6148da394f7c5d2aa29806f0647ead664af86af959d3fa7fef071b4d3512

    SHA512

    0859c89a5418a7a35438c6887b7677ae36bbfb74886e603745ec472fb2a1d8b319bbfb85b25065a832e4b941b2efcbe1413abac2aea1bdc388873eb24a1b053e

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    204B

    MD5

    6419df540660af5532df9f8ffafddb76

    SHA1

    baf2654bf5aa6109fb38cbff53dae4faa4376881

    SHA256

    7dda61e313ed170862392c0876a41763b03e0812c443fdf7d0aef11dd5b3c4e9

    SHA512

    38b1c99dd2e90e4dd85842f81eebc72c9aa9b2e8f81da5861031a976e3a889bfad92c8780fcebe772caf1cf478b0af3a6130cd8dd6b579c7f5cafb74cb73e56b

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe

    Filesize

    2.7MB

    MD5

    87ab623aaca2f9fb75f38b5dc3669098

    SHA1

    880229f5aa042a237bfe56cbbda317fc8d7febe4

    SHA256

    b988b417f1accc0e5110e25b967917bf9c4eedfd55761413058d0b1e48ff6667

    SHA512

    ed5c7468773f09ab02aacc18bf9ab86cf9ca7d18a43cc864a86a6ee3705f35fa95c5f68c82eaea1347779d69107302a68cca1ee5c0480c10910a9b638a24c287