Analysis

  • max time kernel
    120s
  • max time network
    98s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27/07/2024, 09:54

General

  • Target

    b2972ce932617f5d4de02389a7865dd0N.exe

  • Size

    2.6MB

  • MD5

    b2972ce932617f5d4de02389a7865dd0

  • SHA1

    06d0d34e44e8fa53c6ec9ca2bef5bf082a4c8fcd

  • SHA256

    50dff465a2b9c4019d124fff7379f583a44783ae92ee7b4c9259171f35267ff2

  • SHA512

    960d2cbce67fdc186d5313dc79e07f4770d0784699603d58a969adabdb1e88006ef055a98700056eb1d435ec5b3e863a557c2e149705db20d0abbc419b69bad5

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBcB/bS:sxX7QnxrloE5dpUpLb

Malware Config

Signatures

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser credential store.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b2972ce932617f5d4de02389a7865dd0N.exe
    "C:\Users\Admin\AppData\Local\Temp\b2972ce932617f5d4de02389a7865dd0N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1588
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4248
    • C:\SysDrvHR\devdobsys.exe
      C:\SysDrvHR\devdobsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1224

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\LabZLJ\bodxloc.exe

    Filesize

    2.6MB

    MD5

    6c348a38b226c96e421ba5c2f09a7115

    SHA1

    d3b4015f3e108e3eab31fe89c6bab23e72b3993e

    SHA256

    c33bd43994c0879f109785b5cef7fe980f8ec96df6584df692e14ca1c5063cac

    SHA512

    8568273a4b4d5f5047902a3f623f14265a34df72c2fac674d91822c1af59d1c54b6986fa3a743c3afda310a3d2b3ea01d876db418c1a44b6388fb5d98550aa65

  • C:\LabZLJ\bodxloc.exe

    Filesize

    2.6MB

    MD5

    39408516959ec0d2a544adcd1fe149d8

    SHA1

    fa302f1ebab8eba621e96336aaf101c1ace37cee

    SHA256

    1807a86ac041d115ab967032405c0b317e8c9fd3942e86b299ec0ba4704f5dca

    SHA512

    acb5ac8334b3401b886614e30977960bd4b78118e87f6c837593e6f6bb69c4fbf183e3799b76ebf6d5b1515e028ed8be5cb5a96dfdc9d16a5f167dfff1a2aec4

  • C:\SysDrvHR\devdobsys.exe

    Filesize

    2.6MB

    MD5

    0cfd3d2b20ce92ec3e7b77c2f7b8882d

    SHA1

    fbcb2c761a33a2baf7a39fc7e2f07b5de000d58d

    SHA256

    de8617a284111b285ab7790d348d6797de77fc05a86107957e00cf7f23de9331

    SHA512

    7f45c36cf01ab4fce75c4203dc32603d64c6b12989de09fa0965231b24f7baf5216a12df6735d63f49b6cd2556120ac622223db933c5618209ebd25dea945468

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    203B

    MD5

    1b94da12452e6682c6ab786983f953b1

    SHA1

    aac177646c4e17dffa7cbe9ad7d1303b755f824d

    SHA256

    5a04b5520ece0505189199746446c65fc77e7ac19a3d8bd5baf80dc965de6489

    SHA512

    161da0a2624129b76f5084aae2917771dcb52087a52ae0fafac802e263b09a42c292cf08e1b4261906f9929ad5b3ddb4c8caddb9f7c545cb1deb127196657696

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    171B

    MD5

    6fe4408062ec6f3dfd9e4c84d03f4117

    SHA1

    3a81d97bd60c798bc94c633f40bb3832e1f10e76

    SHA256

    6542120c98ee80456737e8cc9a9959fb0be3b9a571196a3dca93204727935d13

    SHA512

    bfdb7c3d17feef3240b7c9067dc7c75f94fda2b08bf3a3e324360f03db5814ff76a9a8cb2965c9397fe8f68c4010feb85e127c515a4d5b03121f3fe82e3e9bda

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe

    Filesize

    2.6MB

    MD5

    0d448028d5361023f788b878fdb528dd

    SHA1

    edfef3d61dafd3f58d7733b6e4e5f5366ce9800d

    SHA256

    8a1e6604136d41fb109d6b8a2942ae1d1c9a60a2a1421a97dfe24135971cea58

    SHA512

    569cedba9ca0ce18f3a91e001f63f3242be8d90b3262f5f709ebd39908283799322ca2f875207e4dae33fc7369fd25821f47eace382a52cdcabe88cfb9bbdf1b