Analysis
max time kernel: 119s
max time network: 105s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/08/2024, 11:02
Static task: static1
Behavioral task: behavioral1
  Sample: 13a7d99f039d8bea8659dfe66cd7c170N.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: 13a7d99f039d8bea8659dfe66cd7c170N.exe
  Resource: win10v2004-20240802-en
General
Target: 13a7d99f039d8bea8659dfe66cd7c170N.exe
Size: 2.6MB
MD5: 13a7d99f039d8bea8659dfe66cd7c170
SHA1: 47f427b1a3b89bcc1370af11c0826642a4586485
SHA256: d36f1550867d993a3042cb7a1235fb4adb02cacdc7477f329985c3fb3d36f819
SHA512: 1c9c26d2435de00aa2ad10068b77c55f216da624dc450fa870da18648989663ec4892c6dc504a6311bc3c89465bc3e71c72b60cf8950bbc341805c77cd383f3e
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBBB/bS:sxX7QnxrloE5dpUpab
Malware Config
Signatures
- Credentials from Password Stores: Credentials from Web Browsers (1 TTP)
  Malicious access or copy of web browser credential store.
- Drops startup file (1 IoC)
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
  Process: 13a7d99f039d8bea8659dfe66cd7c170N.exe
- Executes dropped EXE (2 IoCs)
  pid 764: sysxdob.exe
  pid 5036: adobsys.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv7L\\adobsys.exe"
  Process: 13a7d99f039d8bea8659dfe66cd7c170N.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ1J\\optidevloc.exe"
  Process: 13a7d99f039d8bea8659dfe66cd7c170N.exe
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: 13a7d99f039d8bea8659dfe66cd7c170N.exe
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: sysxdob.exe
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: adobsys.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid / Process, in report order:
  2040 13a7d99f039d8bea8659dfe66cd7c170N.exe
  2040 13a7d99f039d8bea8659dfe66cd7c170N.exe
  2040 13a7d99f039d8bea8659dfe66cd7c170N.exe
  2040 13a7d99f039d8bea8659dfe66cd7c170N.exe
  764 sysxdob.exe
  764 sysxdob.exe
  5036 adobsys.exe
  5036 adobsys.exe
  764 sysxdob.exe
  764 sysxdob.exe
  5036 adobsys.exe
  5036 adobsys.exe
  764 sysxdob.exe
  764 sysxdob.exe
  5036 adobsys.exe
  5036 adobsys.exe
  764 sysxdob.exe
  764 sysxdob.exe
  5036 adobsys.exe
  5036 adobsys.exe
  764 sysxdob.exe
  764 sysxdob.exe
  5036 adobsys.exe
  5036 adobsys.exe
  764 sysxdob.exe
  764 sysxdob.exe
  5036 adobsys.exe
  5036 adobsys.exe
  764 sysxdob.exe
  764 sysxdob.exe
  5036 adobsys.exe
  5036 adobsys.exe
  764 sysxdob.exe
  764 sysxdob.exe
  5036 adobsys.exe
  5036 adobsys.exe
  764 sysxdob.exe
  764 sysxdob.exe
  5036 adobsys.exe
  5036 adobsys.exe
  764 sysxdob.exe
  764 sysxdob.exe
  5036 adobsys.exe
  5036 adobsys.exe
  764 sysxdob.exe
  764 sysxdob.exe
  5036 adobsys.exe
  5036 adobsys.exe
  764 sysxdob.exe
  764 sysxdob.exe
  5036 adobsys.exe
  5036 adobsys.exe
  764 sysxdob.exe
  764 sysxdob.exe
  5036 adobsys.exe
  5036 adobsys.exe
  764 sysxdob.exe
  764 sysxdob.exe
  5036 adobsys.exe
  5036 adobsys.exe
  764 sysxdob.exe
  764 sysxdob.exe
  5036 adobsys.exe
  5036 adobsys.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description / pid / Process / procid_target:
  PID 2040 wrote to memory of 764 | 2040 | 13a7d99f039d8bea8659dfe66cd7c170N.exe | 87
  PID 2040 wrote to memory of 764 | 2040 | 13a7d99f039d8bea8659dfe66cd7c170N.exe | 87
  PID 2040 wrote to memory of 764 | 2040 | 13a7d99f039d8bea8659dfe66cd7c170N.exe | 87
  PID 2040 wrote to memory of 5036 | 2040 | 13a7d99f039d8bea8659dfe66cd7c170N.exe | 88
  PID 2040 wrote to memory of 5036 | 2040 | 13a7d99f039d8bea8659dfe66cd7c170N.exe | 88
  PID 2040 wrote to memory of 5036 | 2040 | 13a7d99f039d8bea8659dfe66cd7c170N.exe | 88
Processes
- C:\Users\Admin\AppData\Local\Temp\13a7d99f039d8bea8659dfe66cd7c170N.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\13a7d99f039d8bea8659dfe66cd7c170N.exe"
  PID: 2040
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe (depth 2, child of PID 2040)
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
    PID: 764
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\SysDrv7L\adobsys.exe (depth 2, child of PID 2040)
    command line: C:\SysDrv7L\adobsys.exe
    PID: 5036
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads