Analysis
- max time kernel: 119s
- max time network: 104s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21/08/2024, 06:31
Static task: static1
Behavioral task: behavioral1
  Sample: b39e98716029fad9961399c48c93dc20N.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: b39e98716029fad9961399c48c93dc20N.exe
  Resource: win10v2004-20240802-en
General
- Target: b39e98716029fad9961399c48c93dc20N.exe
- Size: 2.6MB
- MD5: b39e98716029fad9961399c48c93dc20
- SHA1: 7863d214700f1dd6b8cb1b44fc2171a7e4f22771
- SHA256: 5a5278a67eac531f9b6c27e2410bf8c008ac9f5204672ec24862312b2d7a5dda
- SHA512: e15b771de1629f9d532d2c33678f28af2c87e6aa66f7ce8156dab3d882114ae87eb229f4a962e0314cabea67798a42999c26fc1962b63d67d3d31e0c16198435
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB/B/bS:sxX7QnxrloE5dpUpcb
Malware Config
Signatures
- Credentials from Password Stores: Credentials from Web Browsers (1 TTP)
  Malicious access to, or copy of, a web browser credential store.

- Drops startup file (1 IoC)
  description  | ioc                                                                                       | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | b39e98716029fad9961399c48c93dc20N.exe

- Executes dropped EXE (2 IoCs)
  pid  | Process
  4836 | sysxdob.exe
  4596 | adobloc.exe

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Adds Run key to start application (2 TTPs, 2 IoCs)
  description     | ioc                                                                                                                                                      | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotDU\\adobloc.exe"    | b39e98716029fad9961399c48c93dc20N.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid1C\\dobxec.exe"     | b39e98716029fad9961399c48c93dc20N.exe

- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc                                                        | Process
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b39e98716029fad9961399c48c93dc20N.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sysxdob.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | adobloc.exe

- Suspicious behavior: EnumeratesProcesses (64 IoCs; distinct pid/process pairs listed)
  pid  | Process
  3888 | b39e98716029fad9961399c48c93dc20N.exe
  4836 | sysxdob.exe
  4596 | adobloc.exe

- Suspicious use of WriteProcessMemory (6 IoCs)
  description                        | pid  | Process                               | procid_target
  PID 3888 wrote to memory of 4836   | 3888 | b39e98716029fad9961399c48c93dc20N.exe | 88
  PID 3888 wrote to memory of 4836   | 3888 | b39e98716029fad9961399c48c93dc20N.exe | 88
  PID 3888 wrote to memory of 4836   | 3888 | b39e98716029fad9961399c48c93dc20N.exe | 88
  PID 3888 wrote to memory of 4596   | 3888 | b39e98716029fad9961399c48c93dc20N.exe | 91
  PID 3888 wrote to memory of 4596   | 3888 | b39e98716029fad9961399c48c93dc20N.exe | 91
  PID 3888 wrote to memory of 4596   | 3888 | b39e98716029fad9961399c48c93dc20N.exe | 91
Processes
- C:\Users\Admin\AppData\Local\Temp\b39e98716029fad9961399c48c93dc20N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b39e98716029fad9961399c48c93dc20N.exe"
  Depth: 1
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 3888

  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
    Depth: 2
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 4836

  - C:\UserDotDU\adobloc.exe
    Command line: C:\UserDotDU\adobloc.exe
    Depth: 2
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 4596
Network
MITRE ATT&CK Enterprise v15
Downloads