Analysis

  • max time kernel
    119s
  • max time network
    104s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21/08/2024, 06:31

General

  • Target

    b39e98716029fad9961399c48c93dc20N.exe

  • Size

    2.6MB

  • MD5

    b39e98716029fad9961399c48c93dc20

  • SHA1

    7863d214700f1dd6b8cb1b44fc2171a7e4f22771

  • SHA256

    5a5278a67eac531f9b6c27e2410bf8c008ac9f5204672ec24862312b2d7a5dda

  • SHA512

    e15b771de1629f9d532d2c33678f28af2c87e6aa66f7ce8156dab3d882114ae87eb229f4a962e0314cabea67798a42999c26fc1962b63d67d3d31e0c16198435

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB/B/bS:sxX7QnxrloE5dpUpcb

Malware Config

Signatures

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser credential store.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b39e98716029fad9961399c48c93dc20N.exe
    "C:\Users\Admin\AppData\Local\Temp\b39e98716029fad9961399c48c93dc20N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3888
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4836
    • C:\UserDotDU\adobloc.exe
      C:\UserDotDU\adobloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4596

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\UserDotDU\adobloc.exe

    Filesize

    2.6MB

    MD5

    a925afbcfd77fc6d45921836f8454ecc

    SHA1

    ede9df1545c4ca31a36aad3453f6b307fbac3ab5

    SHA256

    6882e923013fd920be422287228dfdfb9704a128d38117a25aa542c65e625185

    SHA512

    b9f049f97fd8ff8bb4d6a729b90930f17f8f06e3b4d462b040b8b3ebff88f1f76c8df36d5b0159f0d1b2c8d5dca05c2c455c28821ccd9d20b3410f7bf01cdde1

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    200B

    MD5

    c7d84f889ee6a953db1ede54e5a09669

    SHA1

    d0e069936839fcfc0c48c6fc38b8131ccf7efcb1

    SHA256

    bde371db17e97cc9a3b7eba15310c6e6577956e9a419537c0a33aff5830a382e

    SHA512

    2c86ec5509478c19a424b53d4ab38c6bc8f067fe1a634c6a63dd6557314e3c004c04009bae7d3dc9ff91fdadd2bf81434a5efce0f8ac4cb73c5c6317c433f1c4

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    168B

    MD5

    11f2893729ed1d2951b0a02d697a5568

    SHA1

    db2ba20306689e4c580242e9171095870e6507ee

    SHA256

    f3e0fa0cf6ecc6700c214a4d0ce154ed15990b7889678ed22c04437679028107

    SHA512

    ebece52a3977b3596534bf4d775bbe284122c146b90380136626f6266c7587b131f86f3b151b3e1ad004ee9dab31bfe99ba06983d401ed544a6356635b3e1841

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe

    Filesize

    2.6MB

    MD5

    fef8c54dde14d6345a1acd5968b84d4c

    SHA1

    40cdbda542e282b05fe610343a59bc0515225cf4

    SHA256

    eac4d4b74d73af13502d3d6941b183120be7b9a04230cff63fd6bb9951e0aa15

    SHA512

    b33448daa6fabbfe6a1062818d41215718fb943537ca3ddcc179f8a85daaf8ba034bd1399eb92a23a5b9bcab87bc9a905da45a0e32217657050db831f6c1d4ce

  • C:\Vid1C\dobxec.exe

    Filesize

    2.6MB

    MD5

    395fcd50f4ee8febc782c5d570ebf731

    SHA1

    0a08943d2534a51282e7473ac4883bb005734e66

    SHA256

    1e91aa1b9d6b4351e75301092e063b57fe74dcda55313662342de3153dee159d

    SHA512

    4e0cf3b2c9b00ebe85fd59af4dd59bae2b25070c6642d72beea06f634904c302c9135be5e5ef93b060362e0b176b9674bc07e6c842ff37bab172868a614f7a6b

  • C:\Vid1C\dobxec.exe

    Filesize

    336KB

    MD5

    69357a24ef22b81a3ef595c49f7fd2a1

    SHA1

    7e209cbb268b3c4900ccf81d6ce6de036163d034

    SHA256

    8bc7290a4542640f40a6595bd39733fb288d5a7559914f78146f8caea64f24e2

    SHA512

    5f06d28ef7e77cd2ad7d60ff62846def4c36e72fe01bd034fa5fd10110842cbe6f4ba56806313a475e5579353eaa280ef6237a9c7b90739536d99517c4970aeb