Analysis

  • max time kernel
    150s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23/07/2024, 23:51

General

  • Target

    8653259fc07b29c4755a60486ad76d624eed2a6a6d11a67655da4712527963d3.exe

  • Size

    3.6MB

  • MD5

    5b14a42052f3e376c2f498cc11548d97

  • SHA1

    051fbb7a841ce597da0470fce93f318c49c90961

  • SHA256

    8653259fc07b29c4755a60486ad76d624eed2a6a6d11a67655da4712527963d3

  • SHA512

    0c0a9eb4a701710e1238652383bf409ba9f0226915d1f6a66fbe601b4bf90acc4d9c9baee77c7850ea60d520203ce0582e94910caf2e79c4522be464a886a615

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBCB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpJbVz8eLFcz

Malware Config

Signatures

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser credential store.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8653259fc07b29c4755a60486ad76d624eed2a6a6d11a67655da4712527963d3.exe
    "C:\Users\Admin\AppData\Local\Temp\8653259fc07b29c4755a60486ad76d624eed2a6a6d11a67655da4712527963d3.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4972
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1960
    • C:\AdobeKE\abodec.exe
      C:\AdobeKE\abodec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:5012

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\AdobeKE\abodec.exe

    Filesize

    3.6MB

    MD5

    b6bf5083b29db479b4a69f9f26c5bb7c

    SHA1

    f790d14c0fb046ffa383ecbb76877ba5afeb0e36

    SHA256

    13fb94c13d32e0ee7232d32ce1a18357cbf7c29c6b5b9e8f9465977fb10d7fe9

    SHA512

    7378cc38a9890212bd6df405ebfc008c2991b9207aa8f2315c63eb25b2b2c8c55d6abe3def4a43f11a13e248808ce97b1c6e592d23702b2f9a697e55ab694d23

  • C:\GalaxK2\optiasys.exe

    Filesize

    359KB

    MD5

    c057983625e9b39ecdf46bbd24bc4531

    SHA1

    a4e584b53854d3b397181365b864298b2f8e97a2

    SHA256

    151739623234ff03e35677bbb2bf4e940c8670cc4133ee896c64809cf858c30f

    SHA512

    24835e9b5485b6a6acdea0e10c77c29085127c6d4fc56294003852e4f617c45761ea85625645d663893f06917bc7fca3b076b1af3243cc3b7e7e804e97ebc70d

  • C:\GalaxK2\optiasys.exe

    Filesize

    253KB

    MD5

    aa74e49f2edd064f6235a02786563d7c

    SHA1

    7ebe451ae09a82c37597f209aec002aa547b2622

    SHA256

    748a5bfc821bf3fc45d71b61478dc431fcfe28eaf95bf87d2dd9a36a82b833b0

    SHA512

    3c4cc1406fafff17cb080e124a3c2261bc728d9f04257425440eb92bf19386cdd2bb5d7e64a950c00786d4ecc196b1e28931701719d7e2313f7cf559eb65c454

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    201B

    MD5

    b8313712adf9c353a9faa35e16a4716b

    SHA1

    2b8f71a321e05ac39169966c5d93056c79140ef1

    SHA256

    7ab62abe65f8105fe34ba0b7edc77b5384da7b42c5a945bbe969d13fed91f8e4

    SHA512

    c663e34c450930b5d7c42ae8173032f07d98e893b78b8ee25e01f81e2b0b9216ee6982a9957d89b964d01cca264955f8c209e96f0a55f8c9c71cd72ae25ce23c

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    169B

    MD5

    ca72aaeb1c2791b46837f2dbca9ccc2d

    SHA1

    6a2ff772ebdc7c9b21deafbb70c6aaa72a3be3ae

    SHA256

    ee065e5d18735c6306d5822952f54a4111a217080ad18999ed631f13fbec0e6f

    SHA512

    d036e783fbfad58d795a489b99bc6394357dbd0bb506c0e281680a8bc71f15aba33a19447032ca773ec63b52be367405a46de0ce75dfa29e2f2a95f53badff61

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe

    Filesize

    3.6MB

    MD5

    94acf8768a31d3cae1136744eecb7e91

    SHA1

    67f963c34bfd5a0a00c21cc6fb3f8d5738ca67af

    SHA256

    f42dd4f33aca43fc18e3f2883ecd37e316124ad21bd101828560185d7a3b253a

    SHA512

    dae35a764c897ef8f2dae2c8ac6a2d1275a391af1353e6505c9297a8463f76ab757c8afd78f88270921e3490bc354a7418ac3e2f0719cae688edad93b76f6cc2