Analysis

  • max time kernel
    118s
  • max time network
    98s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/07/2024, 02:09 UTC

General

  • Target

    2650c3bfb6a3911960976c2bd8b46ed0N.exe

  • Size

    4.0MB

  • MD5

    2650c3bfb6a3911960976c2bd8b46ed0

  • SHA1

    30334f6f66ea9ead0f51124f12329fb543c058bc

  • SHA256

    d354a9694cf18ff7da16c078045436891ef3c5781c8a6dd83f395dfcec169b6f

  • SHA512

    0a08524b4f1d247d138b6bbafb14ac8046934d0b40cca4cbc4ef5ed19d84e16327654c5dfdcaed2448c332d5f14e78d9e221333f537e543bfa8bb8ca9fcb21af

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBQB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpzbVz8eLFcz

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2650c3bfb6a3911960976c2bd8b46ed0N.exe
    "C:\Users\Admin\AppData\Local\Temp\2650c3bfb6a3911960976c2bd8b46ed0N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1528
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:776
    • C:\IntelprocKC\abodsys.exe
      C:\IntelprocKC\abodsys.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:1376

Network

  • DNS (US)
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.dual-a-0034.a-msedge.net
    g-bing-com.dual-a-0034.a-msedge.net
    IN CNAME
    dual-a-0034.a-msedge.net
    dual-a-0034.a-msedge.net
    IN A
    204.79.197.237
    dual-a-0034.a-msedge.net
    IN A
    13.107.21.237
  • GET (US)
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=16320c6da8cb494ba7fe864a90e75f8e&localId=w:A55461EC-E2C0-7E26-6404-F1FD6509940B&deviceId=6966568319254816&anid=
    Remote address:
    204.79.197.237:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=16320c6da8cb494ba7fe864a90e75f8e&localId=w:A55461EC-E2C0-7E26-6404-F1FD6509940B&deviceId=6966568319254816&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=09891130DC0463563EBB058ADDE462D3; domain=.bing.com; expires=Wed, 06-Aug-2025 02:09:22 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 1318A1F6C1FE4447B3F24E6F23416CFF Ref B: LON04EDGE1216 Ref C: 2024-07-12T02:09:22Z
    date: Fri, 12 Jul 2024 02:09:22 GMT
  • GET (US)
    https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=16320c6da8cb494ba7fe864a90e75f8e&localId=w:A55461EC-E2C0-7E26-6404-F1FD6509940B&deviceId=6966568319254816&anid=
    Remote address:
    204.79.197.237:443
    Request
    GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=16320c6da8cb494ba7fe864a90e75f8e&localId=w:A55461EC-E2C0-7E26-6404-F1FD6509940B&deviceId=6966568319254816&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=09891130DC0463563EBB058ADDE462D3
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=BNQJs_grvIqmsOEwTkkk__DbgJkr7a0N-_l2Z5K0N2M; domain=.bing.com; expires=Wed, 06-Aug-2025 02:09:22 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: B325410E67AC43718C14BEE6977A0421 Ref B: LON04EDGE1216 Ref C: 2024-07-12T02:09:22Z
    date: Fri, 12 Jul 2024 02:09:22 GMT
  • GET (US)
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=16320c6da8cb494ba7fe864a90e75f8e&localId=w:A55461EC-E2C0-7E26-6404-F1FD6509940B&deviceId=6966568319254816&anid=
    Remote address:
    204.79.197.237:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=16320c6da8cb494ba7fe864a90e75f8e&localId=w:A55461EC-E2C0-7E26-6404-F1FD6509940B&deviceId=6966568319254816&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=09891130DC0463563EBB058ADDE462D3; MSPTC=BNQJs_grvIqmsOEwTkkk__DbgJkr7a0N-_l2Z5K0N2M
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 1CC3DB88A11B48FAA3268B8F867A526C Ref B: LON04EDGE1216 Ref C: 2024-07-12T02:09:22Z
    date: Fri, 12 Jul 2024 02:09:22 GMT
  • DNS (US)
    237.197.79.204.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    237.197.79.204.in-addr.arpa
    IN PTR
    Response
  • DNS (US)
    71.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    71.159.190.20.in-addr.arpa
    IN PTR
    Response
  • DNS (US)
    26.35.223.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    26.35.223.20.in-addr.arpa
    IN PTR
    Response
  • DNS (US)
    86.23.85.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    86.23.85.13.in-addr.arpa
    IN PTR
    Response
  • DNS (US)
    18.31.95.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    18.31.95.13.in-addr.arpa
    IN PTR
    Response
  • DNS (US)
    147.142.123.92.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    147.142.123.92.in-addr.arpa
    IN PTR
    Response
    147.142.123.92.in-addr.arpa
    IN PTR
    a92-123-142-147.deploy.static.akamaitechnologies.com
  • DNS (US)
    240.221.184.93.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    240.221.184.93.in-addr.arpa
    IN PTR
    Response
  • DNS (US)
    13.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.227.111.52.in-addr.arpa
    IN PTR
    Response
  • 204.79.197.237:443
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=16320c6da8cb494ba7fe864a90e75f8e&localId=w:A55461EC-E2C0-7E26-6404-F1FD6509940B&deviceId=6966568319254816&anid=
    tls, http2
    2.0kB
    9.3kB
    22
    19

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=16320c6da8cb494ba7fe864a90e75f8e&localId=w:A55461EC-E2C0-7E26-6404-F1FD6509940B&deviceId=6966568319254816&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=16320c6da8cb494ba7fe864a90e75f8e&localId=w:A55461EC-E2C0-7E26-6404-F1FD6509940B&deviceId=6966568319254816&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=16320c6da8cb494ba7fe864a90e75f8e&localId=w:A55461EC-E2C0-7E26-6404-F1FD6509940B&deviceId=6966568319254816&anid=

    HTTP Response

    204
  • 8.8.8.8:53
    g.bing.com
    dns
    56 B
    151 B
    1
    1

    DNS Request

    g.bing.com

    DNS Response

    204.79.197.237
    13.107.21.237

  • 8.8.8.8:53
    237.197.79.204.in-addr.arpa
    dns
    73 B
    143 B
    1
    1

    DNS Request

    237.197.79.204.in-addr.arpa

  • 8.8.8.8:53
    71.159.190.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    71.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    26.35.223.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    26.35.223.20.in-addr.arpa

  • 8.8.8.8:53
    86.23.85.13.in-addr.arpa
    dns
    70 B
    144 B
    1
    1

    DNS Request

    86.23.85.13.in-addr.arpa

  • 8.8.8.8:53
    18.31.95.13.in-addr.arpa
    dns
    70 B
    144 B
    1
    1

    DNS Request

    18.31.95.13.in-addr.arpa

  • 8.8.8.8:53
    147.142.123.92.in-addr.arpa
    dns
    73 B
    139 B
    1
    1

    DNS Request

    147.142.123.92.in-addr.arpa

  • 8.8.8.8:53
    240.221.184.93.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    240.221.184.93.in-addr.arpa

  • 8.8.8.8:53
    13.227.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    13.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\IntelprocKC\abodsys.exe

    Filesize

    3.8MB

    MD5

    542fea6bb02021e9201f05e12e3cb398

    SHA1

    d35cd5c2e63f856781c7aa0a64bd1e17727e1123

    SHA256

    f7f8c74ab14babd6235847ee2d14b35fc5844dde15d90e32985036e1e80eb84f

    SHA512

    674c3519ebb39bfff5762f408c71158f375d87fd17aa1150c044928efaf63435df229eac952bd6239c455f6e3495b37c3e99cbe70eac82620637d354b30c4d01

  • C:\IntelprocKC\abodsys.exe

    Filesize

    4.0MB

    MD5

    746b80b5b9434e35b95ad0fca5a0ecaf

    SHA1

    00db9513fcf54e8912e13d9a163ff5b0572ae527

    SHA256

    773ab10735cb64fcd639c76b2e69ab6120f7a8909147b808b778c2773bd0ad42

    SHA512

    372796e43768d3ee97d4b2b3e6700bc308ba5598a5fabe53d891f95829a258221e1d247fee3f25f867bf4a4c77a26d81ef1fd33123fd26f28c3ad6244a02622f

  • C:\LabZKS\optixsys.exe

    Filesize

    4.0MB

    MD5

    fc06c5ad2f51b62decebf00ba688b159

    SHA1

    7daadad22732332268783cc0f6011b0d6d1c22e4

    SHA256

    5158083f9267b392e81f3b8074cab026cc25a51269fd3b2d07d14801344df178

    SHA512

    759d19259ab2be6b79f61751fbbdc1d442e2f02d21880d76d558e3d9d32214206dc44588f73b4c0824acfd2689f1439cece7f87636a80d6ab88c38a351442113

  • C:\LabZKS\optixsys.exe

    Filesize

    1.3MB

    MD5

    0a32575902f35b924f42f9d1bc8f0198

    SHA1

    c7e0bc7ec82c5e4de4ba6d88f2c409791e5886a2

    SHA256

    84a4dd3eef02ecfb1675daaa725720b7f039e9c8bfc895586533bd1d8455a711

    SHA512

    4b3b58e3101760685fd0f6240a84b6e07af77f2c9f05473d54c057e875ef5c0ccdd9bff693e485f5cc2313f47284128440cff955c96bb19b59be16c51d3375c5

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    207B

    MD5

    154a2e4cd30c91265dc45e6f3acef3dc

    SHA1

    d85cc53adacaf4c922f8818f9e2040357bfe7ca2

    SHA256

    9554aef54fabe69777fd6bf0d0734560c0a8c5852545d62566317942e3716f30

    SHA512

    973905664de35e4290ca7d491c9ee1fde9ebaf6763a97dde3a0ffa0a28398606d2e0e10c00370562342b2df898281d33c0ea7b0e65fcc422f0d09108a14333cf

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    175B

    MD5

    e4458d7fe8eeeb504a0573ac5c5d96d6

    SHA1

    bd1449d242bcec69dec978987e4f65d55add3e3b

    SHA256

    20c4f02bc0323f3daf9e1c8e6570969926ceb0bdb1ee49475b8d6510690bf7ea

    SHA512

    eb233e6a4dcabe9ab640e8329c63fb57a664fb8af538e6ca87808cb0a8e1da2bff04740dba966bdefdca2a88563177e2e0f22679ad99902ed87e79c0520e0378

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe

    Filesize

    4.0MB

    MD5

    d1e6a656407fce2872170997f0d79541

    SHA1

    eea318c83efe209f6fb95c138bd46901ca274546

    SHA256

    d73bc8a96f90c58eaa09f04fc44771c06441b85127c5c029396212afc96ca3c2

    SHA512

    278cf80ed77528091f67b54b54390464c45338f5cc27af282992a517fc2c4004778ed7b2fe1fa52f6197bdfcc1edfc26862345fe023593e18f867feea0477bd8
