Analysis
- max time kernel: 119s
- max time network: 100s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15/07/2024, 20:17
Static task: static1
Behavioral task: behavioral1
- Sample: 038667b9ff12f0fb52c5d2eab925c830N.exe
- Resource: win7-20240705-en
Behavioral task: behavioral2
- Sample: 038667b9ff12f0fb52c5d2eab925c830N.exe
- Resource: win10v2004-20240709-en
General
- Target: 038667b9ff12f0fb52c5d2eab925c830N.exe
- Size: 2.6MB
- MD5: 038667b9ff12f0fb52c5d2eab925c830
- SHA1: 108136bd34f9d12300c6c4cfd8293ca6ab64f6e8
- SHA256: 87cab3379af59c281c0e86b58e8c497ddefb693fd757c53de5d9f4fc40947f8b
- SHA512: 09f5cb3c90589cceafaf2008ba95fcb8675ec2bf80da3efb8de8e96baf9dc666f1cc769f79bf335ec6d0762ba98208ee73a60910604df0095509bef55a043f5c
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB/B/bS:sxX7QnxrloE5dpUpsb
Malware Config
Signatures

Drops startup file (1 IoC)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe (process: 038667b9ff12f0fb52c5d2eab925c830N.exe)

Executes dropped EXE (2 IoCs)
- PID 2168: sysdevdob.exe
- PID 3316: adobloc.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, such as saved credentials.
Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvLX\\adobloc.exe" (process: 038667b9ff12f0fb52c5d2eab925c830N.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintIF\\bodxloc.exe" (process: 038667b9ff12f0fb52c5d2eab925c830N.exe)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 2708, 038667b9ff12f0fb52c5d2eab925c830N.exe (4 entries)
- PID 2168, sysdevdob.exe (30 entries, alternating in pairs with adobloc.exe)
- PID 3316, adobloc.exe (30 entries, alternating in pairs with sysdevdob.exe)

Suspicious use of WriteProcessMemory (6 IoCs)
- PID 2708 (038667b9ff12f0fb52c5d2eab925c830N.exe) wrote to memory of PID 2168, procid_target 86 (3 entries)
- PID 2708 (038667b9ff12f0fb52c5d2eab925c830N.exe) wrote to memory of PID 3316, procid_target 87 (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\038667b9ff12f0fb52c5d2eab925c830N.exe (PID 2708)
  command line: "C:\Users\Admin\AppData\Local\Temp\038667b9ff12f0fb52c5d2eab925c830N.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  child processes:
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe (PID 2168)
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
  - C:\SysDrvLX\adobloc.exe (PID 3316)
    command line: C:\SysDrvLX\adobloc.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads