Analysis

  • max time kernel
    119s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    15/07/2024, 20:17

General

  • Target

    038667b9ff12f0fb52c5d2eab925c830N.exe

  • Size

    2.6MB

  • MD5

    038667b9ff12f0fb52c5d2eab925c830

  • SHA1

    108136bd34f9d12300c6c4cfd8293ca6ab64f6e8

  • SHA256

    87cab3379af59c281c0e86b58e8c497ddefb693fd757c53de5d9f4fc40947f8b

  • SHA512

    09f5cb3c90589cceafaf2008ba95fcb8675ec2bf80da3efb8de8e96baf9dc666f1cc769f79bf335ec6d0762ba98208ee73a60910604df0095509bef55a043f5c

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB/B/bS:sxX7QnxrloE5dpUpsb

Malware Config

Signatures

  • Drops startup file (1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (2 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\038667b9ff12f0fb52c5d2eab925c830N.exe
    "C:\Users\Admin\AppData\Local\Temp\038667b9ff12f0fb52c5d2eab925c830N.exe"
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1988
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:1868
    • C:\IntelprocAK\xbodsys.exe
      C:\IntelprocAK\xbodsys.exe
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2808

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\IntelprocAK\xbodsys.exe
    Filesize: 2.6MB
    MD5: 3e533d6ba6f6adfe566228170cd870d6
    SHA1: 57131fc972ef2c4910c49016ad4feb3ebba6d0fc
    SHA256: 3acfbfc35fcda91cd10ae95991942d1eba24919e3f5ca4a50810a76d64b53ecf
    SHA512: 1fbd1a24d2674b97d2c669b35bde97a177d35fadfa7f168b09e8d89c1e70c8f8d536c95a228d7eed4016c76831b0c1bb62b85ba5a9f02e2a94fe7cf36e81e754

  • C:\LabZBG\bodxsys.exe
    Filesize: 2.6MB
    MD5: 232ff9c0acf3e79cd81f665cda3d386e
    SHA1: 655d5c8bd01403b0aaf274aa1c60748d06275d3a
    SHA256: 1883e05b2ef6e87916dceb946aeeec5a7f4b41091ed1fafde0254a9b8c33721a
    SHA512: 3f1d2a0e8ef94414bb6e67f57e1dfefadb03096c6629944950b2ee6559e9f8b32377cf108887f9142e41c36922aedcc2c7c3a85c82d6ed2725a9df83e89fbeb4

  • C:\LabZBG\bodxsys.exe
    Filesize: 2.6MB
    MD5: 0ed27394f218871cf6afd6c9963a9437
    SHA1: 76ca886dc2a1d00990c50c7c342f78a604163f49
    SHA256: 0c35dc0741e16c8867b139766c478b3f24758650905c26b3b89549079715f6f2
    SHA512: 77a8881aa79473af800a8529cd36c734ce584dece9839806ec6829321dd2fc54ce2312ef4f5f0433fe1d7e2bebf3f867c51384ec4479682cd237b5bfb056c1b6

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 172B
    MD5: 91a863146c670366b983754f4e9000c8
    SHA1: a1951b3ff917696e78183d1a7deb019b162cdd4d
    SHA256: c0364a7b677cbddf23303ba26584f9f3af36a843071ceab26a42d300430947f3
    SHA512: f3162aad2690778329204fa904cc8aaf81da3e2226d3d49d602a51b8a8b56de9d9c602d7181c2ef52321b74764edcbd55063dd4179e945ffeb3f59968864fa02

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 204B
    MD5: e98db0d543da07924f9030f46c8fcdc1
    SHA1: 0dc91fdcb33c8dab90050ff4b01822d46a283f6f
    SHA256: 6c5d8846b323b37b71f5bb07074046394cce4805f4647552588b3f82945fa0c9
    SHA512: 93c900afbdb93f3aca44982d1d83b29620e5eeea87f8ecc3e0c744dd78da276a652818961d8576cc0b90c9b8493146e435e2da9e11891b1697d0b409238238d9

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
    Filesize: 2.6MB
    MD5: f8a2ef8849e33865424db1dc31b4a395
    SHA1: 1b14752b288ae6e195704050e65946ae6dbff4ee
    SHA256: 4c1f48764f45ff20a0b497f93bf4214eaf352af42acda4d6d2c47816c17242d6
    SHA512: 9d145d942bcaf94038614d2811b89325a8618ea46090cff79846736dc4a136f4d562f54eab2876c80e6e28f7ddfb4a10150b39ebb076e3a54aa554c7b78ce0a1