Analysis

  • max time kernel
    119s
  • max time network
    105s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21/08/2024, 11:02

General

  • Target

    13a7d99f039d8bea8659dfe66cd7c170N.exe

  • Size

    2.6MB

  • MD5

    13a7d99f039d8bea8659dfe66cd7c170

  • SHA1

    47f427b1a3b89bcc1370af11c0826642a4586485

  • SHA256

    d36f1550867d993a3042cb7a1235fb4adb02cacdc7477f329985c3fb3d36f819

  • SHA512

    1c9c26d2435de00aa2ad10068b77c55f216da624dc450fa870da18648989663ec4892c6dc504a6311bc3c89465bc3e71c72b60cf8950bbc341805c77cd383f3e

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBBB/bS:sxX7QnxrloE5dpUpab

Malware Config

Signatures

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copy of, a web browser credential store.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\13a7d99f039d8bea8659dfe66cd7c170N.exe
    "C:\Users\Admin\AppData\Local\Temp\13a7d99f039d8bea8659dfe66cd7c170N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2040
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:764
    • C:\SysDrv7L\adobsys.exe
      C:\SysDrv7L\adobsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:5036

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\LabZ1J\optidevloc.exe

    Filesize

    2.3MB

    MD5

    9be3f94ffa756fb681b8d21b7a4a7486

    SHA1

    31a5efdc17993c173458931619cedb1b098a041b

    SHA256

    b57ddd74a71353eeb36d7f9669eeee1397d962c4ad87cdc0e742053f344c8dff

    SHA512

    e3318e42b3e8a1efb3447a9e57cfd8e2f97b5ba77890dd3a08bc2a6b18a33400b274ef109ec7ed77c1e1dad603eb474574f6aa3b5d1f35a5b35b6f14e8194ff4

  • C:\LabZ1J\optidevloc.exe

    Filesize

    2.6MB

    MD5

    936e0c6816a46fd05e22088def7d884d

    SHA1

    da41e58a95bbbaf9e90b48008ece762022248e34

    SHA256

    a1974c51c581daa01f9a82f94c1d90448c95afa2ee55fb06a4bd00372992108f

    SHA512

    d733abbd3260d4da7b3cb937eb811a015e26f5ffd3769ca1d8d8580974e2ac2036006dfee40217ba06b5f55e23dce5a0c982258143ce961d67dd28fecb2e680c

  • C:\SysDrv7L\adobsys.exe

    Filesize

    2.6MB

    MD5

    97cf1ec5b786d79c46b832d84bcc65e8

    SHA1

    50fd6e4fb134aed8c8120fa907e4e94ab9a1f500

    SHA256

    81c3c5cb62545b3d44a76239af935ae36c4cb841ffb4a30ce18f0305733ede02

    SHA512

    280034e73023e4da57388a20075cad782786a050a4653939136b1b355b37d97e814fd3a436a100b5e3c48dfcbdabe077f1cafc4a6555a0272c7a1352894b1527

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    204B

    MD5

    14d5e0f61344c529149080f1bb672608

    SHA1

    6adf7029975fe2d7f5a8687df55e25ab08957ad1

    SHA256

    3aabafe93fac566ab409dc8047a82305e8f575f9d680575aaf4cead264b1a7b0

    SHA512

    3c9ed3e83563661b86d7c073318823b91dafaaa45c58790b783127167b36eb73e10c80bddb6da62641daaf4571b44c69bd9c2bd1537f751eb0de1e3d8019194d

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    172B

    MD5

    ea2bcb4880a11f9573b32f5d614529aa

    SHA1

    c2b513e817e4a335132edf0f1e83bf3bf1e14bc8

    SHA256

    8b396329d6dd8927afcbf49732c3c4cde91a6f97ef7008b743869770fc66d196

    SHA512

    fbf3d776f9e0962fece2ccd804267b62f53fa988882aba3fa32942286723e1418e1d65daff6a9decd69020ba34838f5cc1fb4b26c85255f857133dc079efe801

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe

    Filesize

    2.6MB

    MD5

    1fb9d945492143497a71e8f59d725684

    SHA1

    6b7701f3116b6e24df3300f0880b7c78d13a020a

    SHA256

    e4b81d622e0ec7ccc37e3a02979e7425def1999ba1530c5a359af3fd85a7aefb

    SHA512

    82bbac14031473690d6c5d5188951dde1b2f71fbcd932a5203cb5804d9a18cee3f1a17a29efd165f67eeff7470432a52b84051e54d3c8512862bb4548f2dfc5c