Analysis

  • max time kernel
    118s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    21/07/2024, 00:37

General

  • Target

    357b4c2ed31bd6162b28608d10e696f0N.exe

  • Size

    2.6MB

  • MD5

    357b4c2ed31bd6162b28608d10e696f0

  • SHA1

    b95b88176b716e4537ca7f5ba3a50b418e23f899

  • SHA256

    e6902600a9a281182910743371f654a9cf988fe2c6494d7a061ace3a44f859ea

  • SHA512

    0ca8a3e6135bc282cd692ff46060aa9308e6a81990bd9024efacb74a65c6a4402ec490821a329435c28b4350cf19a0fd78b738ca93cb11f6c12bc3d15a10b79f

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBRB/bS:sxX7QnxrloE5dpUp+b

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\357b4c2ed31bd6162b28608d10e696f0N.exe
    "C:\Users\Admin\AppData\Local\Temp\357b4c2ed31bd6162b28608d10e696f0N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2056
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2520
    • C:\Files3P\adobloc.exe
      C:\Files3P\adobloc.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2696

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Files3P\adobloc.exe

    Filesize

    2.6MB

    MD5

    abfb17803aee1d7f84ddb950f7bbaad0

    SHA1

    0a6e4b6db919eaf889d231c356ac4a66dade194f

    SHA256

    5451c054a56cf7a983c7a8728064f6eca660c4c5ec27b5b5d8f2a8dfdddcec29

    SHA512

    8530a41e597c0f7bd35ed69ae99169318f8ba32ec9c93c02c266577dbaebffced97c1d1fd7946b9793da08fa3e4f5c83965271dc4668b27ef5f26c79076aeaaa

  • C:\GalaxR1\bodaec.exe

    Filesize

    2.6MB

    MD5

    8833a04ad45909d75b35f81b75e37f67

    SHA1

    ed6dc34593c37d54c1019718db8c81f98e59b01c

    SHA256

    5114e92a0249e335860cfaa263aec3c0efefb0272441331d9530b85e99e1d5dd

    SHA512

    940f3b07dfa9c313bd65915dbda6bf12a2a178c9067e93fe027a202b4a4a5b0bb90225cdb050f296cb6a0b406b5245db12c4a70d4a1d56dcf33239ef59c88e55

  • C:\GalaxR1\bodaec.exe

    Filesize

    2.6MB

    MD5

    061d592c6b28475b3cb740675fe9db0e

    SHA1

    783ca48ec8ceb73b607e1dc75d1d1b0b6c0231cf

    SHA256

    1a51753f31617e2f1a0381e6a71659c05e57d25ad6d034deb36b1c046e2a82cb

    SHA512

    497bd07917c67d920e38d17f2e3f1853f232b504d4d4eb645d7ec53089c9c93167ce0192bce734e47ff9c9a0ea6529150dd788598724cef3310e1cdaa73844fb

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    168B

    MD5

    52ff42ccbd2088e4288025a6a2b026c0

    SHA1

    5dc1fa84227c44c8ca068b9ad9ee619475c409ae

    SHA256

    95929e43745187daec23abeb639411ee7a17d261a8f251a0e81fe1e0421223b8

    SHA512

    abb1f4da1ad0652a257935d2059829718d119924a414c9981216ec62bf4c125f6fcb714cdba8ddf4867e8359700be33ba39575ab2a43cf41f3657fdf362878b7

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    200B

    MD5

    315428c883ddcd8f3f25898002169f6a

    SHA1

    2e1856184b469ec3c008f3e1a2810560dc5d6048

    SHA256

    a087839c693f0a47798c2732f257383408f451a81dace4444a13d22043479039

    SHA512

    5627924cd1d5c92df58ea5d1bbdc28f700ac75fcdb08818a779e44dbd86df20721eb318e7a6ea3306667be2b400791d01e5d76fe8a922a829fcc10e87d2c99e5

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe

    Filesize

    2.6MB

    MD5

    94989758934731b9440c4833eb703026

    SHA1

    1fae7117d9e9ac77cce47fdc8cf632f0ad72933e

    SHA256

    8c0d37e2956483871aaae7425a801179449cc3ade2291271798e81b1bd31b00e

    SHA512

    c9ab2917fc473f7e50a079d0fecb32084de61fea32c7decf23f35cde232b0e11bc636cf46e4e604299d48b42510a0f90b33edda50aba60160bbe8d72fafb9580