Analysis
- max time kernel: 118s
- max time network: 19s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 21/07/2024, 00:37
Static task
- static1
Behavioral task
- behavioral1
  - Sample: 357b4c2ed31bd6162b28608d10e696f0N.exe
  - Resource: win7-20240704-en
Behavioral task
- behavioral2
  - Sample: 357b4c2ed31bd6162b28608d10e696f0N.exe
  - Resource: win10v2004-20240709-en
General
- Target: 357b4c2ed31bd6162b28608d10e696f0N.exe
- Size: 2.6MB
- MD5: 357b4c2ed31bd6162b28608d10e696f0
- SHA1: b95b88176b716e4537ca7f5ba3a50b418e23f899
- SHA256: e6902600a9a281182910743371f654a9cf988fe2c6494d7a061ace3a44f859ea
- SHA512: 0ca8a3e6135bc282cd692ff46060aa9308e6a81990bd9024efacb74a65c6a4402ec490821a329435c28b4350cf19a0fd78b738ca93cb11f6c12bc3d15a10b79f
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBRB/bS:sxX7QnxrloE5dpUp+b
Malware Config
Signatures
- Drops startup file (1 IoC)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
    Process: 357b4c2ed31bd6162b28608d10e696f0N.exe
- Executes dropped EXE (2 IoCs)
  - pid 2520, Process: sysxdob.exe
  - pid 2696, Process: adobloc.exe
- Loads dropped DLL (2 IoCs)
  - pid 2056, Process: 357b4c2ed31bd6162b28608d10e696f0N.exe
  - pid 2056, Process: 357b4c2ed31bd6162b28608d10e696f0N.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  - Set value (str): \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files3P\\adobloc.exe"
    Process: 357b4c2ed31bd6162b28608d10e696f0N.exe
  - Set value (str): \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxR1\\bodaec.exe"
    Process: 357b4c2ed31bd6162b28608d10e696f0N.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs; the entries repeat, distinct pid/process pairs listed)
  - pid 2056, Process: 357b4c2ed31bd6162b28608d10e696f0N.exe
  - pid 2520, Process: sysxdob.exe
  - pid 2696, Process: adobloc.exe
- Suspicious use of WriteProcessMemory (8 IoCs; each entry repeated four times, distinct entries listed)
  - PID 2056 wrote to memory of 2520; Process: 357b4c2ed31bd6162b28608d10e696f0N.exe; procid_target: 29
  - PID 2056 wrote to memory of 2696; Process: 357b4c2ed31bd6162b28608d10e696f0N.exe; procid_target: 30
Processes
- C:\Users\Admin\AppData\Local\Temp\357b4c2ed31bd6162b28608d10e696f0N.exe (PID 2056)
  Command line: "C:\Users\Admin\AppData\Local\Temp\357b4c2ed31bd6162b28608d10e696f0N.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe (PID 2520, child of PID 2056)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
  - C:\Files3P\adobloc.exe (PID 2696, child of PID 2056)
    Command line: C:\Files3P\adobloc.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads