Analysis
- max time kernel: 150s
- max time network: 140s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23/07/2024, 23:51
Static task: static1
Behavioral task: behavioral1
- Sample: 8653259fc07b29c4755a60486ad76d624eed2a6a6d11a67655da4712527963d3.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 8653259fc07b29c4755a60486ad76d624eed2a6a6d11a67655da4712527963d3.exe
- Resource: win10v2004-20240709-en
General
- Target: 8653259fc07b29c4755a60486ad76d624eed2a6a6d11a67655da4712527963d3.exe
- Size: 3.6MB
- MD5: 5b14a42052f3e376c2f498cc11548d97
- SHA1: 051fbb7a841ce597da0470fce93f318c49c90961
- SHA256: 8653259fc07b29c4755a60486ad76d624eed2a6a6d11a67655da4712527963d3
- SHA512: 0c0a9eb4a701710e1238652383bf409ba9f0226915d1f6a66fbe601b4bf90acc4d9c9baee77c7850ea60d520203ce0582e94910caf2e79c4522be464a886a615
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBCB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpJbVz8eLFcz
Malware Config
Signatures
- Credentials from Password Stores: Credentials from Web Browsers (1 TTPs)
  Malicious access to, or copy of, a web browser credential store.
- Drops startup file (1 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | 8653259fc07b29c4755a60486ad76d624eed2a6a6d11a67655da4712527963d3.exe
- Executes dropped EXE (2 IoCs)
  pid | Process
  1960 | sysabod.exe
  5012 | abodec.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeKE\\abodec.exe" | 8653259fc07b29c4755a60486ad76d624eed2a6a6d11a67655da4712527963d3.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxK2\\optiasys.exe" | 8653259fc07b29c4755a60486ad76d624eed2a6a6d11a67655da4712527963d3.exe
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 8653259fc07b29c4755a60486ad76d624eed2a6a6d11a67655da4712527963d3.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sysabod.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | abodec.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  4972 | 8653259fc07b29c4755a60486ad76d624eed2a6a6d11a67655da4712527963d3.exe
  1960 | sysabod.exe
  5012 | abodec.exe
  (The report's table lists these same three processes repeatedly, 64 rows in total.)
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 4972 wrote to memory of 1960 | 4972 | 8653259fc07b29c4755a60486ad76d624eed2a6a6d11a67655da4712527963d3.exe | 87
  PID 4972 wrote to memory of 1960 | 4972 | 8653259fc07b29c4755a60486ad76d624eed2a6a6d11a67655da4712527963d3.exe | 87
  PID 4972 wrote to memory of 1960 | 4972 | 8653259fc07b29c4755a60486ad76d624eed2a6a6d11a67655da4712527963d3.exe | 87
  PID 4972 wrote to memory of 5012 | 4972 | 8653259fc07b29c4755a60486ad76d624eed2a6a6d11a67655da4712527963d3.exe | 90
  PID 4972 wrote to memory of 5012 | 4972 | 8653259fc07b29c4755a60486ad76d624eed2a6a6d11a67655da4712527963d3.exe | 90
  PID 4972 wrote to memory of 5012 | 4972 | 8653259fc07b29c4755a60486ad76d624eed2a6a6d11a67655da4712527963d3.exe | 90
Processes
- C:\Users\Admin\AppData\Local\Temp\8653259fc07b29c4755a60486ad76d624eed2a6a6d11a67655da4712527963d3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8653259fc07b29c4755a60486ad76d624eed2a6a6d11a67655da4712527963d3.exe"
  PID: 4972
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
    PID: 1960
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\AdobeKE\abodec.exe
    Command line: C:\AdobeKE\abodec.exe
    PID: 5012
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: b6bf5083b29db479b4a69f9f26c5bb7c
  SHA1: f790d14c0fb046ffa383ecbb76877ba5afeb0e36
  SHA256: 13fb94c13d32e0ee7232d32ce1a18357cbf7c29c6b5b9e8f9465977fb10d7fe9
  SHA512: 7378cc38a9890212bd6df405ebfc008c2991b9207aa8f2315c63eb25b2b2c8c55d6abe3def4a43f11a13e248808ce97b1c6e592d23702b2f9a697e55ab694d23
- Filesize: 359KB
  MD5: c057983625e9b39ecdf46bbd24bc4531
  SHA1: a4e584b53854d3b397181365b864298b2f8e97a2
  SHA256: 151739623234ff03e35677bbb2bf4e940c8670cc4133ee896c64809cf858c30f
  SHA512: 24835e9b5485b6a6acdea0e10c77c29085127c6d4fc56294003852e4f617c45761ea85625645d663893f06917bc7fca3b076b1af3243cc3b7e7e804e97ebc70d
- Filesize: 253KB
  MD5: aa74e49f2edd064f6235a02786563d7c
  SHA1: 7ebe451ae09a82c37597f209aec002aa547b2622
  SHA256: 748a5bfc821bf3fc45d71b61478dc431fcfe28eaf95bf87d2dd9a36a82b833b0
  SHA512: 3c4cc1406fafff17cb080e124a3c2261bc728d9f04257425440eb92bf19386cdd2bb5d7e64a950c00786d4ecc196b1e28931701719d7e2313f7cf559eb65c454
- Filesize: 201B
  MD5: b8313712adf9c353a9faa35e16a4716b
  SHA1: 2b8f71a321e05ac39169966c5d93056c79140ef1
  SHA256: 7ab62abe65f8105fe34ba0b7edc77b5384da7b42c5a945bbe969d13fed91f8e4
  SHA512: c663e34c450930b5d7c42ae8173032f07d98e893b78b8ee25e01f81e2b0b9216ee6982a9957d89b964d01cca264955f8c209e96f0a55f8c9c71cd72ae25ce23c
- Filesize: 169B
  MD5: ca72aaeb1c2791b46837f2dbca9ccc2d
  SHA1: 6a2ff772ebdc7c9b21deafbb70c6aaa72a3be3ae
  SHA256: ee065e5d18735c6306d5822952f54a4111a217080ad18999ed631f13fbec0e6f
  SHA512: d036e783fbfad58d795a489b99bc6394357dbd0bb506c0e281680a8bc71f15aba33a19447032ca773ec63b52be367405a46de0ce75dfa29e2f2a95f53badff61
- Filesize: 3.6MB
  MD5: 94acf8768a31d3cae1136744eecb7e91
  SHA1: 67f963c34bfd5a0a00c21cc6fb3f8d5738ca67af
  SHA256: f42dd4f33aca43fc18e3f2883ecd37e316124ad21bd101828560185d7a3b253a
  SHA512: dae35a764c897ef8f2dae2c8ac6a2d1275a391af1353e6505c9297a8463f76ab757c8afd78f88270921e3490bc354a7418ac3e2f0719cae688edad93b76f6cc2