Analysis
- max time kernel: 119s
- max time network: 17s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 18/08/2024, 06:22
Static task: static1
Behavioral task: behavioral1
- Sample: 10b6e821e9a2b645f25c1ba0ce250f40N.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: 10b6e821e9a2b645f25c1ba0ce250f40N.exe
- Resource: win10v2004-20240802-en
General
- Target: 10b6e821e9a2b645f25c1ba0ce250f40N.exe
- Size: 4.1MB
- MD5: 10b6e821e9a2b645f25c1ba0ce250f40
- SHA1: 5888930755f20a01dcb04851018e246ae750816f
- SHA256: 15b765faa8efcc2dac8c42f9126ba9ee3aacab335d6ac28391be0bceff3a6b8c
- SHA512: a59f3f13d5e3363fe6f1d3c7605e1c6cd427abe4a0727510c402733232d1a55637106cf1a87bd787060a86467feaf813d9fe5d721718c174f4acb96907b5b569
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBlB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpybVz8eLFcz
Malware Config
Signatures
- Credentials from Password Stores: Credentials from Web Browsers (1 TTP)
  Malicious access to, or copy of, a web browser credential store.
- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe (process: 10b6e821e9a2b645f25c1ba0ce250f40N.exe)
- Executes dropped EXE (2 IoCs)
  PID 2784 sysdevbod.exe; PID 2652 devoptisys.exe
- Loads dropped DLL (2 IoCs)
  PID 2660 10b6e821e9a2b645f25c1ba0ce250f40N.exe (2 entries)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvQC\\devoptisys.exe" (process: 10b6e821e9a2b645f25c1ba0ce250f40N.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint81\\bodxsys.exe" (process: 10b6e821e9a2b645f25c1ba0ce250f40N.exe)
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (processes: 10b6e821e9a2b645f25c1ba0ce250f40N.exe, sysdevbod.exe, devoptisys.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2660 10b6e821e9a2b645f25c1ba0ce250f40N.exe (2 entries); the remaining entries alternate between PID 2784 sysdevbod.exe and PID 2652 devoptisys.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2660 (10b6e821e9a2b645f25c1ba0ce250f40N.exe) wrote to memory of PID 2784, procid_target 30 (4 entries)
  PID 2660 (10b6e821e9a2b645f25c1ba0ce250f40N.exe) wrote to memory of PID 2652, procid_target 31 (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\10b6e821e9a2b645f25c1ba0ce250f40N.exe (PID 2660)
  Command line: "C:\Users\Admin\AppData\Local\Temp\10b6e821e9a2b645f25c1ba0ce250f40N.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe (PID 2784)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\SysDrvQC\devoptisys.exe (PID 2652)
    Command line: C:\SysDrvQC\devoptisys.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads