Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 149s
max time network: 126s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 23/07/2024, 23:51
Static task: static1
Behavioral task: behavioral1
  Sample: 8653259fc07b29c4755a60486ad76d624eed2a6a6d11a67655da4712527963d3.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 8653259fc07b29c4755a60486ad76d624eed2a6a6d11a67655da4712527963d3.exe
  Resource: win10v2004-20240709-en
General
Target: 8653259fc07b29c4755a60486ad76d624eed2a6a6d11a67655da4712527963d3.exe
Size: 3.6MB
MD5: 5b14a42052f3e376c2f498cc11548d97
SHA1: 051fbb7a841ce597da0470fce93f318c49c90961
SHA256: 8653259fc07b29c4755a60486ad76d624eed2a6a6d11a67655da4712527963d3
SHA512: 0c0a9eb4a701710e1238652383bf409ba9f0226915d1f6a66fbe601b4bf90acc4d9c9baee77c7850ea60d520203ce0582e94910caf2e79c4522be464a886a615
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBCB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpJbVz8eLFcz
Malware Config
Signatures
- Credentials from Password Stores: Credentials from Web Browsers (1 TTP)
  Malicious access or copy of web browser credential store.
- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe  (process: 8653259fc07b29c4755a60486ad76d624eed2a6a6d11a67655da4712527963d3.exe)
- Executes dropped EXE (2 IoCs)
  pid 2252  ecadob.exe
  pid 2600  devdobsys.exe
- Loads dropped DLL (2 IoCs)
  pid 2376  8653259fc07b29c4755a60486ad76d624eed2a6a6d11a67655da4712527963d3.exe
  pid 2376  8653259fc07b29c4755a60486ad76d624eed2a6a6d11a67655da4712527963d3.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocSK\\devdobsys.exe"  (process: 8653259fc07b29c4755a60486ad76d624eed2a6a6d11a67655da4712527963d3.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZS9\\dobxec.exe"  (process: 8653259fc07b29c4755a60486ad76d624eed2a6a6d11a67655da4712527963d3.exe)
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: 8653259fc07b29c4755a60486ad76d624eed2a6a6d11a67655da4712527963d3.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: ecadob.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: devdobsys.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 2376  8653259fc07b29c4755a60486ad76d624eed2a6a6d11a67655da4712527963d3.exe  (first 2 entries)
  pid 2252  ecadob.exe  and  pid 2600  devdobsys.exe  (the remaining 62 entries alternate between these two processes)
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2376 wrote to memory of 2252  (process: 8653259fc07b29c4755a60486ad76d624eed2a6a6d11a67655da4712527963d3.exe, procid_target 30)  4 entries
  PID 2376 wrote to memory of 2600  (process: 8653259fc07b29c4755a60486ad76d624eed2a6a6d11a67655da4712527963d3.exe, procid_target 31)  4 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\8653259fc07b29c4755a60486ad76d624eed2a6a6d11a67655da4712527963d3.exe  (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8653259fc07b29c4755a60486ad76d624eed2a6a6d11a67655da4712527963d3.exe"
  PID: 2376
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe  (level 2, child of PID 2376)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
    PID: 2252
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\IntelprocSK\devdobsys.exe  (level 2, child of PID 2376)
    Command line: C:\IntelprocSK\devdobsys.exe
    PID: 2600
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: 7861be40e99f90ec051370037e371eaf
  SHA1: e1a9cd61c2f3aa5dc3650632fa85dfd1c5151ed7
  SHA256: 443bdbdab682b9621287ec5418ee543d0e87e1c6f3eda0f11a4d1134277091f4
  SHA512: 5c5104b1d8540f6a064b0134fff505a927d44a2a61cd3df3d0cdbece0966fff3fb71305c06e28dfa5dc10eda3306ce258ea3674599aad1c89e3a0c5f67744bad
- Filesize: 3.6MB
  MD5: cf1a533e0ae3081fdf724f73d51f2833
  SHA1: 1cdbaa7335208b037bad0da5abe8509361545e67
  SHA256: 2eb00deedf3fa40abafa252d8bb2cd156963f39b7f8a02c68d3841cb8b33b026
  SHA512: ad051c105d234f5d7e0f30368b1d7688252ae2f17afccda028705183553a46f024de1da17ddce1f5528baa905a343c0bee65dfef3949e82a1279a5539f36e6d5
- Filesize: 3.6MB
  MD5: cdf056249acae28be804e0cfca52769c
  SHA1: 05fc9853b15013733c536bba485401cb83fc4cc2
  SHA256: f7a94c5bbc2ee0dc97c24016dd0daf564cb7e06d63383aa9cb8d61eeca1f9267
  SHA512: e21a5067809b52df80c2423a6b3337bb3014bee52bc1f0b7aeb1cd480e7c215abfdab491ef4cfc86a23312338ea869cc515ecb1af764f4487aec5362f8dc2e8d
- Filesize: 172B
  MD5: 9c449e6dd252ec12557502545dc8a980
  SHA1: e2d61a1cd20d373e3a2b70fa7347c93698d185eb
  SHA256: 5c68962302e37654ea9ab4ba7e172a2b57ef5c92eafc9a27e127fb74b26ad59d
  SHA512: 79c379cfdac6d668daed42533f7c7f9a629473d2f0e524266c8dba39eb75f4a5e1923929b0865191b36f4659bd611f1adf5b2842a6f3c7c3809c3d12d2a083ad
- Filesize: 204B
  MD5: f14741a4f84ff83e6390d2c3ca4d663a
  SHA1: 368f51a0927eddace2bba941cf0d4fdeca202725
  SHA256: c5533a2517abf3e318056756e14885bfa35cf7d03d499ad71fd7a63edd5142d3
  SHA512: 0701968b49079ec852495ef38ea990fe8887efa73150d97471972c221d01ddc66caa955f7754cea8adeeee60adfb63783563679a0b9e6c6a354148682f17e1f1
- Filesize: 3.6MB
  MD5: 1458a17195a506837979ac59ec218832
  SHA1: 08b7ef8721c676889fc89628443e77b86eb7c30c
  SHA256: f662f5393b36992ea9efab4e9be4098d493bc5c7516f2501f748a37ecd20a093
  SHA512: f7eea330f7a23cf84cd1417f0cd2a73e5a9ebb5eef4f8519955c58c03857620ae8be317b73fb69e485a27504890dd800051dfd8e00c3f5f70a982822ef32151e