Analysis
- max time kernel: 150s
- max time network: 136s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24/08/2024, 21:57
Static task: static1
Behavioral task: behavioral1
- Sample: 4570eff0d1d92560081b7314ab36a8103e975a5b09b671c03045711fe71b7e92.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 4570eff0d1d92560081b7314ab36a8103e975a5b09b671c03045711fe71b7e92.exe
- Resource: win10v2004-20240802-en
General
- Target: 4570eff0d1d92560081b7314ab36a8103e975a5b09b671c03045711fe71b7e92.exe
- Size: 2.6MB
- MD5: 4f9e62b641b82463c2d09941131abb83
- SHA1: d7c1a9c10178bbdededb32e5d92cebdc3a5e6acc
- SHA256: 4570eff0d1d92560081b7314ab36a8103e975a5b09b671c03045711fe71b7e92
- SHA512: e2468c8a336003e7121545196a144096190c69f39fa15af0abd62a592666db1522522053f9401e4657e4132d302aab365938ef7024148606f91cc5e06d76689a
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBhB/bS:sxX7QnxrloE5dpUpWb
Malware Config
Signatures
- Credentials from Password Stores: Credentials from Web Browsers (1 TTP)
  Malicious access to, or copying of, the web browser credential store.
- Drops startup file (1 IoC)
  description   ioc   Process
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe  4570eff0d1d92560081b7314ab36a8103e975a5b09b671c03045711fe71b7e92.exe
- Executes dropped EXE (2 IoCs)
  pid   Process
  3436  locxdob.exe
  1644  abodsys.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar secrets.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc   Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files54\\abodsys.exe"  4570eff0d1d92560081b7314ab36a8103e975a5b09b671c03045711fe71b7e92.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZKP\\optialoc.exe"  4570eff0d1d92560081b7314ab36a8103e975a5b09b671c03045711fe71b7e92.exe
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc   Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  4570eff0d1d92560081b7314ab36a8103e975a5b09b671c03045711fe71b7e92.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  locxdob.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  abodsys.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid Process 3076 4570eff0d1d92560081b7314ab36a8103e975a5b09b671c03045711fe71b7e92.exe 3076 4570eff0d1d92560081b7314ab36a8103e975a5b09b671c03045711fe71b7e92.exe 3076 4570eff0d1d92560081b7314ab36a8103e975a5b09b671c03045711fe71b7e92.exe 3076 4570eff0d1d92560081b7314ab36a8103e975a5b09b671c03045711fe71b7e92.exe 3436 locxdob.exe 3436 locxdob.exe 1644 abodsys.exe 1644 abodsys.exe 3436 locxdob.exe 3436 locxdob.exe 1644 abodsys.exe 1644 abodsys.exe 3436 locxdob.exe 3436 locxdob.exe 1644 abodsys.exe 1644 abodsys.exe 3436 locxdob.exe 3436 locxdob.exe 1644 abodsys.exe 1644 abodsys.exe 3436 locxdob.exe 3436 locxdob.exe 1644 abodsys.exe 1644 abodsys.exe 3436 locxdob.exe 3436 locxdob.exe 1644 abodsys.exe 1644 abodsys.exe 3436 locxdob.exe 3436 locxdob.exe 1644 abodsys.exe 1644 abodsys.exe 3436 locxdob.exe 3436 locxdob.exe 1644 abodsys.exe 1644 abodsys.exe 3436 locxdob.exe 3436 locxdob.exe 1644 abodsys.exe 1644 abodsys.exe 3436 locxdob.exe 3436 locxdob.exe 1644 abodsys.exe 1644 abodsys.exe 3436 locxdob.exe 3436 locxdob.exe 1644 abodsys.exe 1644 abodsys.exe 3436 locxdob.exe 3436 locxdob.exe 1644 abodsys.exe 1644 abodsys.exe 3436 locxdob.exe 3436 locxdob.exe 1644 abodsys.exe 1644 abodsys.exe 3436 locxdob.exe 3436 locxdob.exe 1644 abodsys.exe 1644 abodsys.exe 3436 locxdob.exe 3436 locxdob.exe 1644 abodsys.exe 1644 abodsys.exe -
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                    pid   Process                                                                  procid_target
  PID 3076 wrote to memory of 3436  3076  4570eff0d1d92560081b7314ab36a8103e975a5b09b671c03045711fe71b7e92.exe  92
  PID 3076 wrote to memory of 3436  3076  4570eff0d1d92560081b7314ab36a8103e975a5b09b671c03045711fe71b7e92.exe  92
  PID 3076 wrote to memory of 3436  3076  4570eff0d1d92560081b7314ab36a8103e975a5b09b671c03045711fe71b7e92.exe  92
  PID 3076 wrote to memory of 1644  3076  4570eff0d1d92560081b7314ab36a8103e975a5b09b671c03045711fe71b7e92.exe  93
  PID 3076 wrote to memory of 1644  3076  4570eff0d1d92560081b7314ab36a8103e975a5b09b671c03045711fe71b7e92.exe  93
  PID 3076 wrote to memory of 1644  3076  4570eff0d1d92560081b7314ab36a8103e975a5b09b671c03045711fe71b7e92.exe  93
Processes
- C:\Users\Admin\AppData\Local\Temp\4570eff0d1d92560081b7314ab36a8103e975a5b09b671c03045711fe71b7e92.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4570eff0d1d92560081b7314ab36a8103e975a5b09b671c03045711fe71b7e92.exe"
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 3076
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 3436
  - C:\Files54\abodsys.exe (level 2)
    Command line: C:\Files54\abodsys.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 1644
Network
MITRE ATT&CK Enterprise v15
Downloads