Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/08/2024, 03:30

General

  • Target

    aadac45adb9edaa2efdbc2172eb10a66ea3aea659bf48a4a995ed40e7a9eda47.exe

  • Size

    2.6MB

  • MD5

    98615eb3bdf077c6d2fd904ab9345bd9

  • SHA1

    ad29b0a62a148fa6921494a207cbe1911fa8b838

  • SHA256

    aadac45adb9edaa2efdbc2172eb10a66ea3aea659bf48a4a995ed40e7a9eda47

  • SHA512

    3364f34bab6483d7d30e16ac867c0cf71f6f658d9759c6fb2276f04298b018ca13ff75c8b554bbba0fa890d7ff6a743ca39ff38e5b27ed5eb71a166ac8d48a78

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBUB/bS:sxX7QnxrloE5dpUp3b

Malware Config

Signatures

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, the web browser credential store.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\aadac45adb9edaa2efdbc2172eb10a66ea3aea659bf48a4a995ed40e7a9eda47.exe
    "C:\Users\Admin\AppData\Local\Temp\aadac45adb9edaa2efdbc2172eb10a66ea3aea659bf48a4a995ed40e7a9eda47.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1956
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2256
    • C:\FilesW6\abodec.exe
      C:\FilesW6\abodec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2696

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\FilesW6\abodec.exe

    Filesize

    2.6MB

    MD5

    c9a4ce62409e3491edd05ae60a89d835

    SHA1

    014312cb9b448bf772d95b6a4db202e398f7ebc4

    SHA256

    d1c53642431b3e4940e9cef6b48b8384c16e23338eca0196c8b540a67dfa66aa

    SHA512

    3ab10388a44ed91a64a400e7024db3a6d0ac4213402445161218d58ca2d560bd41f28a79be2e19946f1e1a8c030c4f5fdc9091ebfd7b39684068f2c828f1b080

  • C:\GalaxIZ\dobdevloc.exe

    Filesize

    2.6MB

    MD5

    a2afaa04e0cf85a7029453f1dbc6e715

    SHA1

    2ad9eebda7dbb07730fe4a4b19673f1136fe9414

    SHA256

    e9f6aff9dd3ba9d8c6dadd34b693d5ffa74f788b6437030552520e89cff82130

    SHA512

    632e258ad818a800c5ec711448c8115bee1e6558c317b57032429b601e6a6007db3a753128502ae3919647507cf364f6c4128dded7b5a95b01adb503333f3fb3

  • C:\GalaxIZ\dobdevloc.exe

    Filesize

    2.6MB

    MD5

    53625deec37b51f54932ddc274764e1c

    SHA1

    e9038f012e90d1b888defdbc8256e2ed0aa1cf94

    SHA256

    46de67406c8d5a509bb7781282f5494d79c1933e4aba28990da499c256ea057e

    SHA512

    f50eb7414e9cd9ea41ca6ebb5f72256642c8b0006d8f4761e93dd8bf9551f61466ff4fb89fff59070289d01be4c53785c9d26ca1f6b755ed401e232bc2389aba

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    170B

    MD5

    1aced9cb0a1e0d28f504f2d7ce539f2a

    SHA1

    18506c5c1c6f2c8abc740ec7fc22a013dce361de

    SHA256

    bea35b27475a1a24fb3d886ac9fb9f23c6aed42d2bef1207e9a28ae6ea084094

    SHA512

    cd91ec1940cd123f700527fd70a908474f8e8ea9e6e295879320b541654a24ad90b344a8ab29025b4a3e9ba03ee82743b9ba796ae3a4d56705bdcf39f837ea45

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    202B

    MD5

    b53478b894f2dcf42795956136ab88e3

    SHA1

    83620760fdd426ff6b779542385a7ee5c7ed5404

    SHA256

    0380cb0e98b33c3ad23a1d4e50de976c50b63c202e8a3057c69aee72f76bbb0a

    SHA512

    4f0019cc054f1fbf016e4d1d797c64ff9314e799293840c0cb3635c72f4cea7faad00a7bd1cb34abba20ed71fb93958bf63cf6028570065e6476d1e4ec99f6d6

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe

    Filesize

    2.6MB

    MD5

    b34b95259f0ead4a6e19faa8abd03a13

    SHA1

    4dac14411bba3e64d4bf681cd76c6d6ba3010a0c

    SHA256

    54b91e7977148f012ae14da41c1bd89e0eb73d26d5ce30124271f49a9cccc398

    SHA512

    b27d8763be2a8e8f3944072eec7e80613ce4385cdc7149cc983adb15ca235589e47c1fcdb4b85df568d42d74cd5e358d9cab58d2d49e06f8201440039941f7e5