Analysis

  • max time kernel
    119s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    18/08/2024, 06:22

General

  • Target: 10b6e821e9a2b645f25c1ba0ce250f40N.exe
  • Size: 4.1MB
  • MD5: 10b6e821e9a2b645f25c1ba0ce250f40
  • SHA1: 5888930755f20a01dcb04851018e246ae750816f
  • SHA256: 15b765faa8efcc2dac8c42f9126ba9ee3aacab335d6ac28391be0bceff3a6b8c
  • SHA512: a59f3f13d5e3363fe6f1d3c7605e1c6cd427abe4a0727510c402733232d1a55637106cf1a87bd787060a86467feaf813d9fe5d721718c174f4acb96907b5b569
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBlB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpybVz8eLFcz

Malware Config

Signatures

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copy of, a web browser credential store.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\10b6e821e9a2b645f25c1ba0ce250f40N.exe
    "C:\Users\Admin\AppData\Local\Temp\10b6e821e9a2b645f25c1ba0ce250f40N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2660
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2784
    • C:\SysDrvQC\devoptisys.exe
      C:\SysDrvQC\devoptisys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2652

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Mint81\bodxsys.exe
    Filesize: 1.7MB
    MD5: cdd97b53b5ff1c4c91ddadde33a72d19
    SHA1: e874795b48a2225d7a2708576fd4d0606378c736
    SHA256: 438c7c7dea5c73e6703f67772e6ae3226277177616fe6469e4a85d7a37eb1fde
    SHA512: e74bbb0f1a6c70a85e4a19f9210eb0a23ba0e66948a6e4ed7d84876eb2015b382eddbad1ef6992eb2581bd54de559a61e47b322cd032e848d367ac45a3f59cc0

  • C:\Mint81\bodxsys.exe
    Filesize: 4.1MB
    MD5: 24f288761a5e902cde4280f5f4c86856
    SHA1: d42812a46672a2f4adf90480c64621d5fecb1a34
    SHA256: 557dec4b16fe7c956c02105fb568ef2a331dcde83a02c09263a0a2db6d89ee85
    SHA512: da09db27bd5cb957db780c5bbe2cb9e097ceaafd0bdbe091cf8f700eae862f7c4ed729918f13d6957aaa321d87575341acdac3ff38a42d00b850889936e4e30a

  • C:\SysDrvQC\devoptisys.exe
    Filesize: 4.1MB
    MD5: 5a3013516f67d2e51fe961cf4821ac84
    SHA1: f6ad5af495fba9d23aa808090a5c3e61a599c79b
    SHA256: c0cffc865b3329df8aad2b4ce699fbb69cc7d8b123e3ad107584148af40f8062
    SHA512: 3c3f721c969d21689662f443877ac206f12f4dd47cd205c10010ec54a9e1c73e51e3b12a882f2558d1cac50bde8752140033ffdccceeb47ca7e7090094caf4d6

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 174B
    MD5: b631c0293114bf22024366a560da0e99
    SHA1: 0e5552fc091bc2d4958cb480afc670ebd6921a71
    SHA256: ccb6128b00518b7a64851fc5a7b616c96c0016107b50e294eb4c5f868a3632b1
    SHA512: eafa7f9e6643cb82a8c294f6c8c82caecde541d7c136c5b6c52811eb42356f833aa783f57394f04d2a9eaf5eae64feeac646f4ae8af3c4dd9f2fb97b9c5c0ef6

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 206B
    MD5: 07f5887d93be0c496d5f7b8f29c3122d
    SHA1: b31e14d96cdd92a482d34b512095d995d2be7473
    SHA256: 9307dd779ae4a00bb67c7cc92fca934326d1ed6dd35cb708adc6ce120fd3b0ca
    SHA512: 99a3cd9304b944fb6d4a6367607101d920e3332ae50411e24c0206c71752b0c1bff980857323818c7945f206bf8193bdf1a43bf6fdc9a913f2fe9d8f07e950a9

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
    Filesize: 4.1MB
    MD5: bd8fd2ae7ca7caf572b728cba7ed317d
    SHA1: 92a983dc282809426d61426aec58923ff39a5cc4
    SHA256: db66ea34d3dadc83ede66a60073a6125144470d2593b2ce5edd5cb1282a20382
    SHA512: 4ee4107fba03689ed05b95d23fbd7f16c53d46e1332aed323af4bdb7733fc0e000ef5595dc8b25e92543beba43e4f6599e24e024620ceb08ee414b0ed4e2f944