Analysis

  • max time kernel
    149s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    23/07/2024, 23:51

General

  • Target

    8653259fc07b29c4755a60486ad76d624eed2a6a6d11a67655da4712527963d3.exe

  • Size

    3.6MB

  • MD5

    5b14a42052f3e376c2f498cc11548d97

  • SHA1

    051fbb7a841ce597da0470fce93f318c49c90961

  • SHA256

    8653259fc07b29c4755a60486ad76d624eed2a6a6d11a67655da4712527963d3

  • SHA512

    0c0a9eb4a701710e1238652383bf409ba9f0226915d1f6a66fbe601b4bf90acc4d9c9baee77c7850ea60d520203ce0582e94910caf2e79c4522be464a886a615

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBCB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpJbVz8eLFcz

Malware Config

Signatures

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser credential store.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and other sensitive information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8653259fc07b29c4755a60486ad76d624eed2a6a6d11a67655da4712527963d3.exe
    "C:\Users\Admin\AppData\Local\Temp\8653259fc07b29c4755a60486ad76d624eed2a6a6d11a67655da4712527963d3.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2376
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2252
    • C:\IntelprocSK\devdobsys.exe
      C:\IntelprocSK\devdobsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2600

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\IntelprocSK\devdobsys.exe

    Filesize

    3.6MB

    MD5

    7861be40e99f90ec051370037e371eaf

    SHA1

    e1a9cd61c2f3aa5dc3650632fa85dfd1c5151ed7

    SHA256

    443bdbdab682b9621287ec5418ee543d0e87e1c6f3eda0f11a4d1134277091f4

    SHA512

    5c5104b1d8540f6a064b0134fff505a927d44a2a61cd3df3d0cdbece0966fff3fb71305c06e28dfa5dc10eda3306ce258ea3674599aad1c89e3a0c5f67744bad

  • C:\LabZS9\dobxec.exe

    Filesize

    3.6MB

    MD5

    cf1a533e0ae3081fdf724f73d51f2833

    SHA1

    1cdbaa7335208b037bad0da5abe8509361545e67

    SHA256

    2eb00deedf3fa40abafa252d8bb2cd156963f39b7f8a02c68d3841cb8b33b026

    SHA512

    ad051c105d234f5d7e0f30368b1d7688252ae2f17afccda028705183553a46f024de1da17ddce1f5528baa905a343c0bee65dfef3949e82a1279a5539f36e6d5

  • C:\LabZS9\dobxec.exe

    Filesize

    3.6MB

    MD5

    cdf056249acae28be804e0cfca52769c

    SHA1

    05fc9853b15013733c536bba485401cb83fc4cc2

    SHA256

    f7a94c5bbc2ee0dc97c24016dd0daf564cb7e06d63383aa9cb8d61eeca1f9267

    SHA512

    e21a5067809b52df80c2423a6b3337bb3014bee52bc1f0b7aeb1cd480e7c215abfdab491ef4cfc86a23312338ea869cc515ecb1af764f4487aec5362f8dc2e8d

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    172B

    MD5

    9c449e6dd252ec12557502545dc8a980

    SHA1

    e2d61a1cd20d373e3a2b70fa7347c93698d185eb

    SHA256

    5c68962302e37654ea9ab4ba7e172a2b57ef5c92eafc9a27e127fb74b26ad59d

    SHA512

    79c379cfdac6d668daed42533f7c7f9a629473d2f0e524266c8dba39eb75f4a5e1923929b0865191b36f4659bd611f1adf5b2842a6f3c7c3809c3d12d2a083ad

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    204B

    MD5

    f14741a4f84ff83e6390d2c3ca4d663a

    SHA1

    368f51a0927eddace2bba941cf0d4fdeca202725

    SHA256

    c5533a2517abf3e318056756e14885bfa35cf7d03d499ad71fd7a63edd5142d3

    SHA512

    0701968b49079ec852495ef38ea990fe8887efa73150d97471972c221d01ddc66caa955f7754cea8adeeee60adfb63783563679a0b9e6c6a354148682f17e1f1

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe

    Filesize

    3.6MB

    MD5

    1458a17195a506837979ac59ec218832

    SHA1

    08b7ef8721c676889fc89628443e77b86eb7c30c

    SHA256

    f662f5393b36992ea9efab4e9be4098d493bc5c7516f2501f748a37ecd20a093

    SHA512

    f7eea330f7a23cf84cd1417f0cd2a73e5a9ebb5eef4f8519955c58c03857620ae8be317b73fb69e485a27504890dd800051dfd8e00c3f5f70a982822ef32151e
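The Signatures, Processes and Downloads sections above give three kinds of indicator a responder can sweep other hosts for: the SHA-256 values of the submitted sample and its four dropped executables, the two non-standard drop directories (C:\IntelprocSK and C:\LabZS9) plus the per-user Startup folder, and the Run-key persistence the sandbox flagged. The following is an added example, not part of the tria.ge report or the sample itself: it packages those indicators into a small offline sweep. The hashes and paths are copied from the report; the host inventory, the Run-key values, the user name "alice" and the treatment of any file in the drop directories as a hit are constructed assumptions for illustration (the report does not give the Run-key value name or target, so that check is a heuristic on the observed drop locations).

```python
"""IoC sweep for the sample in this report (added example, not report code)."""
import hashlib
from pathlib import PureWindowsPath

# SHA-256 values copied from the report's General and Downloads sections.
KNOWN_SHA256 = {
    "8653259fc07b29c4755a60486ad76d624eed2a6a6d11a67655da4712527963d3": "submitted sample",
    "443bdbdab682b9621287ec5418ee543d0e87e1c6f3eda0f11a4d1134277091f4": r"C:\IntelprocSK\devdobsys.exe",
    "2eb00deedf3fa40abafa252d8bb2cd156963f39b7f8a02c68d3841cb8b33b026": r"C:\LabZS9\dobxec.exe",
    "f7a94c5bbc2ee0dc97c24016dd0daf564cb7e06d63383aa9cb8d61eeca1f9267": r"C:\LabZS9\dobxec.exe (second write)",
    "f662f5393b36992ea9efab4e9be4098d493bc5c7516f2501f748a37ecd20a093": r"Startup\ecadob.exe",
}

# Drop locations from the process tree and Downloads section (compared lowercase).
# Assumption: anything in the two non-standard directories is worth a hit;
# in the Startup folder only the observed file names are flagged.
KNOWN_DROP_DIRS = {r"c:\intelprocsk", r"c:\labzs9"}
STARTUP_SUFFIX = r"\appdata\roaming\microsoft\windows\start menu\programs\startup"
DROPPED_NAMES = {"devdobsys.exe", "dobxec.exe", "ecadob.exe"}


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def suspicious_location(path: str) -> bool:
    """True if the path is in a report drop directory, or is one of the
    observed file names inside a user's Startup folder (drive letter optional,
    since the report lists the Startup copy without one)."""
    p = PureWindowsPath(path)
    parent = str(p.parent).lower()
    in_drop_dir = parent in KNOWN_DROP_DIRS
    in_startup = parent.endswith(STARTUP_SUFFIX)
    return in_drop_dir or (in_startup and p.name.lower() in DROPPED_NAMES)


def run_value_target(command: str) -> str:
    """Extract the executable from a Run-key command line: a quoted path or
    the first whitespace-separated token (a simplification; Windows also
    tolerates unquoted paths containing spaces)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def sweep(files, run_values):
    """files: iterable of (path, content bytes); run_values: {value name: command}.
    Returns a list of (kind, subject, note) hits. Hash matches take precedence
    over location matches for the same file."""
    hits = []
    for path, data in files:
        digest = sha256_of(data)
        if digest in KNOWN_SHA256:
            hits.append(("hash", path, KNOWN_SHA256[digest]))
        elif suspicious_location(path):
            hits.append(("path", path, "matches a dropped-file location"))
    for name, command in run_values.items():
        target = run_value_target(command)
        if suspicious_location(target):
            hits.append(("runkey", name, target))
    return hits


# Constructed host inventory (not from the report). Contents are stand-ins,
# so no hash match fires here; the location and Run-key checks do.
STARTUP_DIR = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_FILES = [
    (r"C:\LabZS9\dobxec.exe", b"constructed stand-in, not the real dropper"),
    (STARTUP_DIR + r"\ecadob.exe", b"constructed stand-in"),
    (r"C:\Windows\System32\notepad.exe", b"constructed benign file"),
]
SAMPLE_RUN_VALUES = {
    "ecadob": '"' + STARTUP_DIR + r'\ecadob.exe"',
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
}

if __name__ == "__main__":
    for kind, subject, note in sweep(SAMPLE_FILES, SAMPLE_RUN_VALUES):
        print(f"{kind:7} {subject}  ->  {note}")
```

On a live host the `files` iterable would be fed from a directory walk of the profile and the two drop directories, and `run_values` from HKCU and HKLM `...\CurrentVersion\Run`; note that the report shows the same path (C:\LabZS9\dobxec.exe) written twice with different hashes, so a hash-only sweep can miss a rewritten copy, which is why the location check is kept as a fallback.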