Analysis

  • max time kernel
    149s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    11/08/2024, 20:33

General

  • Target

    3f4224de34fe2467178159f48be64f390021b76ef9992d08c989d5fdb7a38866.exe

  • Size

    2.6MB

  • MD5

    0109acd74f7a6b696072ead4792639c9

  • SHA1

    305da870277ac94018e4cb00664ce794da37eaf7

  • SHA256

    3f4224de34fe2467178159f48be64f390021b76ef9992d08c989d5fdb7a38866

  • SHA512

    c0b62b3877dc143f2101718361ebe52e505203b6f03dfbce6652f2d89c1d1d43c9a6a9bd2fd621b344e52c570563032e29fca3db0dc2877c2217c398d6a507bb

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBQB/bS:sxX7QnxrloE5dpUpbb

Malware Config

Signatures

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3f4224de34fe2467178159f48be64f390021b76ef9992d08c989d5fdb7a38866.exe
    "C:\Users\Admin\AppData\Local\Temp\3f4224de34fe2467178159f48be64f390021b76ef9992d08c989d5fdb7a38866.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2544
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2280
    • C:\Files8N\xbodloc.exe
      C:\Files8N\xbodloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3068

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Files8N\xbodloc.exe

    Filesize

    2.6MB

    MD5

    8fc64be99158ce577a8ea892d6185e14

    SHA1

    c9bbdef833ae872a4daca5a760f7e6f8e0797953

    SHA256

    7c1dcb497cd776672917805c9188ada86c09e8823ee3d6578e5130ae90f1636c

    SHA512

    22b0d83ca8c73187f2b30206eb591cc1addd8b16459a0002597af1e71321ecec9df58a4c141c02fa671cba4047afbe3cf798e45d7bc7bd9164febc4a41af5f4e

  • C:\KaVBH7\optidevec.exe

    Filesize

    11KB

    MD5

    4b15a8dc60fb28ba194308947f8d0bdf

    SHA1

    addcf6f0cc5dc9577f5354dd3efdf91843caddb2

    SHA256

    eeda459c0f86c4f2c639edc7bc26cc6dc4f508b51063a31d85ac8a6f6e64b152

    SHA512

    35c0dcc269feb3a6378ec13dde959d0dbc121e4ec5236b5910536beee95f1128b58b5d7711ee4f05359371d8097a799e57a11fa6b9dbb26c543666dffd669e7e

  • C:\KaVBH7\optidevec.exe

    Filesize

    2.6MB

    MD5

    16d2654865f433bac5cbd5075490fd18

    SHA1

    a8aacffb0edcc096c4f2b70143f0255943c7236e

    SHA256

    ceb5014615c0cf3fc5dada889cce315d39bdd339f799649a6dd0265cee0d207c

    SHA512

    c217701b8f8487aec5c6e626fa80db9c84837ffd27e4b4f25b13b645c125d3ddcca142b0a405595e9a5a99d02dad520dddf33a7b972f7e72e7cedd70ca0f9b80

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    170B

    MD5

    739d29b7c7fa9e86e6f4db505296dd2d

    SHA1

    8938bda74ffe167ecbc23d0a57407d10301811fb

    SHA256

    af04e0bfa0031abc66e346105510aa466c418e37e94fa034d887c784773dfeac

    SHA512

    353388dfeaf437ce7475ef5e654729d233c093cc67048fab566d9a066cbb6214d151b51bdd016885b3369f566b9d14c58c0ca8fbaf34c358b44241b984922ef5

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    202B

    MD5

    8d376b660a1f4f484ec985a8a58fde3b

    SHA1

    f23634a76d1415b8667abb9784c8fda58d270ac0

    SHA256

    824d9ae2c472170393acc2f29ed3e8038f3730b42a4da8258f4548738cee8a11

    SHA512

    7ad32b555e974da1c74399b61e0090d43f047c0c00405521a1794564b138a1de204989c8b5ce9e81cab3c88e426b82e6e6bf3b06b69bc36661ecc00616411fea

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe

    Filesize

    2.6MB

    MD5

    76d70f1d4e6072ef22df129d52652372

    SHA1

    b5f956724006e90ef6821eccfce66c3120358fd4

    SHA256

    f5b9d9b8100454a7884bdbe3c7753f37a6bf73203f9878ba78e00a23e9934148

    SHA512

    f09aaafe18729f473366bd176cac22efe7806691e073ada2d0f534def50c9c3a66b159697bd6869344e69e4798dfbdfb8a527f38fbde738c8bddc5c4fae01b13