Analysis
max time kernel: 149s
max time network: 117s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 11/08/2024, 20:33
Static task: static1
Behavioral task: behavioral1
  Sample: 3f4224de34fe2467178159f48be64f390021b76ef9992d08c989d5fdb7a38866.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 3f4224de34fe2467178159f48be64f390021b76ef9992d08c989d5fdb7a38866.exe
  Resource: win10v2004-20240802-en
General
Target: 3f4224de34fe2467178159f48be64f390021b76ef9992d08c989d5fdb7a38866.exe
Size: 2.6MB
MD5: 0109acd74f7a6b696072ead4792639c9
SHA1: 305da870277ac94018e4cb00664ce794da37eaf7
SHA256: 3f4224de34fe2467178159f48be64f390021b76ef9992d08c989d5fdb7a38866
SHA512: c0b62b3877dc143f2101718361ebe52e505203b6f03dfbce6652f2d89c1d1d43c9a6a9bd2fd621b344e52c570563032e29fca3db0dc2877c2217c398d6a507bb
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBQB/bS:sxX7QnxrloE5dpUpbb
Malware Config
Signatures
- Credentials from Password Stores: Credentials from Web Browsers (1 TTPs)
  Malicious access to, or copying of, a web browser credential store.
- Drops startup file (1 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | 3f4224de34fe2467178159f48be64f390021b76ef9992d08c989d5fdb7a38866.exe
- Executes dropped EXE (2 IoCs)
  pid | Process
  2280 | sysadob.exe
  3068 | xbodloc.exe
- Loads dropped DLL (2 IoCs)
  pid | Process
  2544 | 3f4224de34fe2467178159f48be64f390021b76ef9992d08c989d5fdb7a38866.exe
  2544 | 3f4224de34fe2467178159f48be64f390021b76ef9992d08c989d5fdb7a38866.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBH7\\optidevec.exe" | 3f4224de34fe2467178159f48be64f390021b76ef9992d08c989d5fdb7a38866.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files8N\\xbodloc.exe" | 3f4224de34fe2467178159f48be64f390021b76ef9992d08c989d5fdb7a38866.exe
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3f4224de34fe2467178159f48be64f390021b76ef9992d08c989d5fdb7a38866.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sysadob.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xbodloc.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2544 3f4224de34fe2467178159f48be64f390021b76ef9992d08c989d5fdb7a38866.exe 2544 3f4224de34fe2467178159f48be64f390021b76ef9992d08c989d5fdb7a38866.exe 2280 sysadob.exe 3068 xbodloc.exe 2280 sysadob.exe 3068 xbodloc.exe 2280 sysadob.exe 3068 xbodloc.exe 2280 sysadob.exe 3068 xbodloc.exe 2280 sysadob.exe 3068 xbodloc.exe 2280 sysadob.exe 3068 xbodloc.exe 2280 sysadob.exe 3068 xbodloc.exe 2280 sysadob.exe 3068 xbodloc.exe 2280 sysadob.exe 3068 xbodloc.exe 2280 sysadob.exe 3068 xbodloc.exe 2280 sysadob.exe 3068 xbodloc.exe 2280 sysadob.exe 3068 xbodloc.exe 2280 sysadob.exe 3068 xbodloc.exe 2280 sysadob.exe 3068 xbodloc.exe 2280 sysadob.exe 3068 xbodloc.exe 2280 sysadob.exe 3068 xbodloc.exe 2280 sysadob.exe 3068 xbodloc.exe 2280 sysadob.exe 3068 xbodloc.exe 2280 sysadob.exe 3068 xbodloc.exe 2280 sysadob.exe 3068 xbodloc.exe 2280 sysadob.exe 3068 xbodloc.exe 2280 sysadob.exe 3068 xbodloc.exe 2280 sysadob.exe 3068 xbodloc.exe 2280 sysadob.exe 3068 xbodloc.exe 2280 sysadob.exe 3068 xbodloc.exe 2280 sysadob.exe 3068 xbodloc.exe 2280 sysadob.exe 3068 xbodloc.exe 2280 sysadob.exe 3068 xbodloc.exe 2280 sysadob.exe 3068 xbodloc.exe 2280 sysadob.exe 3068 xbodloc.exe 2280 sysadob.exe 3068 xbodloc.exe -
- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 2544 wrote to memory of 2280 | 2544 | 3f4224de34fe2467178159f48be64f390021b76ef9992d08c989d5fdb7a38866.exe | 30
  PID 2544 wrote to memory of 2280 | 2544 | 3f4224de34fe2467178159f48be64f390021b76ef9992d08c989d5fdb7a38866.exe | 30
  PID 2544 wrote to memory of 2280 | 2544 | 3f4224de34fe2467178159f48be64f390021b76ef9992d08c989d5fdb7a38866.exe | 30
  PID 2544 wrote to memory of 2280 | 2544 | 3f4224de34fe2467178159f48be64f390021b76ef9992d08c989d5fdb7a38866.exe | 30
  PID 2544 wrote to memory of 3068 | 2544 | 3f4224de34fe2467178159f48be64f390021b76ef9992d08c989d5fdb7a38866.exe | 31
  PID 2544 wrote to memory of 3068 | 2544 | 3f4224de34fe2467178159f48be64f390021b76ef9992d08c989d5fdb7a38866.exe | 31
  PID 2544 wrote to memory of 3068 | 2544 | 3f4224de34fe2467178159f48be64f390021b76ef9992d08c989d5fdb7a38866.exe | 31
  PID 2544 wrote to memory of 3068 | 2544 | 3f4224de34fe2467178159f48be64f390021b76ef9992d08c989d5fdb7a38866.exe | 31
Processes
- Path: C:\Users\Admin\AppData\Local\Temp\3f4224de34fe2467178159f48be64f390021b76ef9992d08c989d5fdb7a38866.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3f4224de34fe2467178159f48be64f390021b76ef9992d08c989d5fdb7a38866.exe"
  PID: 2544
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Child processes:
  - Path: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
    PID: 2280
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - Path: C:\Files8N\xbodloc.exe
    Command line: C:\Files8N\xbodloc.exe
    PID: 3068
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.6MB
  MD5: 8fc64be99158ce577a8ea892d6185e14
  SHA1: c9bbdef833ae872a4daca5a760f7e6f8e0797953
  SHA256: 7c1dcb497cd776672917805c9188ada86c09e8823ee3d6578e5130ae90f1636c
  SHA512: 22b0d83ca8c73187f2b30206eb591cc1addd8b16459a0002597af1e71321ecec9df58a4c141c02fa671cba4047afbe3cf798e45d7bc7bd9164febc4a41af5f4e
- Filesize: 11KB
  MD5: 4b15a8dc60fb28ba194308947f8d0bdf
  SHA1: addcf6f0cc5dc9577f5354dd3efdf91843caddb2
  SHA256: eeda459c0f86c4f2c639edc7bc26cc6dc4f508b51063a31d85ac8a6f6e64b152
  SHA512: 35c0dcc269feb3a6378ec13dde959d0dbc121e4ec5236b5910536beee95f1128b58b5d7711ee4f05359371d8097a799e57a11fa6b9dbb26c543666dffd669e7e
- Filesize: 2.6MB
  MD5: 16d2654865f433bac5cbd5075490fd18
  SHA1: a8aacffb0edcc096c4f2b70143f0255943c7236e
  SHA256: ceb5014615c0cf3fc5dada889cce315d39bdd339f799649a6dd0265cee0d207c
  SHA512: c217701b8f8487aec5c6e626fa80db9c84837ffd27e4b4f25b13b645c125d3ddcca142b0a405595e9a5a99d02dad520dddf33a7b972f7e72e7cedd70ca0f9b80
- Filesize: 170B
  MD5: 739d29b7c7fa9e86e6f4db505296dd2d
  SHA1: 8938bda74ffe167ecbc23d0a57407d10301811fb
  SHA256: af04e0bfa0031abc66e346105510aa466c418e37e94fa034d887c784773dfeac
  SHA512: 353388dfeaf437ce7475ef5e654729d233c093cc67048fab566d9a066cbb6214d151b51bdd016885b3369f566b9d14c58c0ca8fbaf34c358b44241b984922ef5
- Filesize: 202B
  MD5: 8d376b660a1f4f484ec985a8a58fde3b
  SHA1: f23634a76d1415b8667abb9784c8fda58d270ac0
  SHA256: 824d9ae2c472170393acc2f29ed3e8038f3730b42a4da8258f4548738cee8a11
  SHA512: 7ad32b555e974da1c74399b61e0090d43f047c0c00405521a1794564b138a1de204989c8b5ce9e81cab3c88e426b82e6e6bf3b06b69bc36661ecc00616411fea
- Filesize: 2.6MB
  MD5: 76d70f1d4e6072ef22df129d52652372
  SHA1: b5f956724006e90ef6821eccfce66c3120358fd4
  SHA256: f5b9d9b8100454a7884bdbe3c7753f37a6bf73203f9878ba78e00a23e9934148
  SHA512: f09aaafe18729f473366bd176cac22efe7806691e073ada2d0f534def50c9c3a66b159697bd6869344e69e4798dfbdfb8a527f38fbde738c8bddc5c4fae01b13