Analysis
  max time kernel:   149s
  max time network:  121s
  platform:          windows7_x64
  resource:          win7-20240729-en
  resource tags:     arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  submitted:         25/08/2024, 03:30
Static task
  static1
Behavioral task
  behavioral1
    Sample:   aadac45adb9edaa2efdbc2172eb10a66ea3aea659bf48a4a995ed40e7a9eda47.exe
    Resource: win7-20240729-en
Behavioral task
  behavioral2
    Sample:   aadac45adb9edaa2efdbc2172eb10a66ea3aea659bf48a4a995ed40e7a9eda47.exe
    Resource: win10v2004-20240802-en
General
  Target:  aadac45adb9edaa2efdbc2172eb10a66ea3aea659bf48a4a995ed40e7a9eda47.exe
  Size:    2.6MB
  MD5:     98615eb3bdf077c6d2fd904ab9345bd9
  SHA1:    ad29b0a62a148fa6921494a207cbe1911fa8b838
  SHA256:  aadac45adb9edaa2efdbc2172eb10a66ea3aea659bf48a4a995ed40e7a9eda47
  SHA512:  3364f34bab6483d7d30e16ac867c0cf71f6f658d9759c6fb2276f04298b018ca13ff75c8b554bbba0fa890d7ff6a743ca39ff38e5b27ed5eb71a166ac8d48a78
  SSDEEP:  49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBUB/bS:sxX7QnxrloE5dpUp3b
Malware Config
Signatures
Credentials from Password Stores: Credentials from Web Browsers (1 TTP)
  Malicious access to, or copying of, a web browser credential store.

Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
    by process: aadac45adb9edaa2efdbc2172eb10a66ea3aea659bf48a4a995ed40e7a9eda47.exe

Executes dropped EXE (2 IoCs)
  PID 2256  sysxbod.exe
  PID 2696  abodec.exe

Loads dropped DLL (2 IoCs)
  PID 1956  aadac45adb9edaa2efdbc2172eb10a66ea3aea659bf48a4a995ed40e7a9eda47.exe
  PID 1956  aadac45adb9edaa2efdbc2172eb10a66ea3aea659bf48a4a995ed40e7a9eda47.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar data.

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesW6\\abodec.exe"
    by process: aadac45adb9edaa2efdbc2172eb10a66ea3aea659bf48a4a995ed40e7a9eda47.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxIZ\\dobdevloc.exe"
    by process: aadac45adb9edaa2efdbc2172eb10a66ea3aea659bf48a4a995ed40e7a9eda47.exe
  Note: the RunOnce value points at C:\GalaxIZ\dobdevloc.exe, a path that does not appear among the executed processes in this run; the sample therefore registers three autostart locations (Startup folder, Run, RunOnce) with a single value name, Parametr, reused across Run and RunOnce.

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by aadac45adb9edaa2efdbc2172eb10a66ea3aea659bf48a4a995ed40e7a9eda47.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by sysxbod.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by abodec.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 1956  aadac45adb9edaa2efdbc2172eb10a66ea3aea659bf48a4a995ed40e7a9eda47.exe (2 entries)
  PID 2256  sysxbod.exe and PID 2696 abodec.exe, alternating for the remaining entries

Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1956 (aadac45adb9edaa2efdbc2172eb10a66ea3aea659bf48a4a995ed40e7a9eda47.exe) wrote to memory of PID 2256 (sysxbod.exe), procid_target 30: 4 entries
  PID 1956 (aadac45adb9edaa2efdbc2172eb10a66ea3aea659bf48a4a995ed40e7a9eda47.exe) wrote to memory of PID 2696 (abodec.exe), procid_target 31: 4 entries
  Note: both targets are child processes the sample itself created (see the process tree). A small number of writes from a parent into a process it has just created is also produced by ordinary process creation, when the parent places the startup parameters into the new process, so this signature alone does not establish code injection into a pre-existing process.
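The three autostart locations above (Startup folder, Run and RunOnce) are the kind of thing a triage script can score automatically. The following is an added example, not code from the tria.ge report or from the sample: it replays the report's own persistence IoCs as constructed event records and flags autostart entries whose image lives outside Program Files or Windows, or that drop an executable into the per-user Startup folder. The Event/Finding field names and the "trusted directory" list are this script's assumptions, not a sandbox export format.

```python
"""Persistence triage over registry and file-create events (added example)."""
import re
from dataclasses import dataclass

SAMPLE = "aadac45adb9edaa2efdbc2172eb10a66ea3aea659bf48a4a995ed40e7a9eda47.exe"
USER_HIVE = "\\REGISTRY\\USER\\S-1-5-21-2257386474-3982792636-3902186748-1000"
STARTUP_DIR = ("C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows"
               "\\Start Menu\\Programs\\Startup")

# Registry value under HKCU\...\Run or RunOnce; group 1 = key name, group 2 = value name.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\([^\\]+)$", re.I)
# A file placed directly inside the per-user Startup folder.
STARTUP_FILE_RE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+$", re.I)
EXEC_EXT = (".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".lnk")
# Assumption: where a legitimately installed autostart binary normally lives.
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


@dataclass
class Event:
    kind: str       # "reg_set" or "file_create" (assumed schema)
    process: str    # image name of the process performing the action
    target: str     # registry value path or created file path
    data: str = ""  # registry data (the autostart command line) for reg_set


@dataclass
class Finding:
    process: str
    mechanism: str  # "Run", "RunOnce" or "Startup"
    image: str
    reason: str


# Constructed from the report's "Drops startup file" and "Adds Run key" IoCs.
EVENTS = [
    Event("file_create", SAMPLE, STARTUP_DIR + "\\sysxbod.exe"),
    Event("reg_set", SAMPLE,
          USER_HIVE + "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Parametr",
          "C:\\FilesW6\\abodec.exe"),
    Event("reg_set", SAMPLE,
          USER_HIVE + "\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Parametr",
          "C:\\GalaxIZ\\dobdevloc.exe"),
]


def image_path(cmdline: str) -> str:
    """First token of an autostart command line, honouring a quoted path."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0]


def find_persistence(events):
    """Flag Run/RunOnce values pointing outside trusted directories and
    executables written to the Startup folder."""
    findings = []
    for ev in events:
        if ev.kind == "reg_set":
            m = RUN_KEY_RE.search(ev.target)
            if m is None:
                continue
            img = image_path(ev.data)
            if not img.lower().startswith(TRUSTED_PREFIXES):
                findings.append(Finding(ev.process, m.group(1), img,
                                        f"{m.group(1)} value '{m.group(2)}' points outside "
                                        "Program Files / Windows"))
        elif ev.kind == "file_create":
            if STARTUP_FILE_RE.search(ev.target) and ev.target.lower().endswith(EXEC_EXT):
                findings.append(Finding(ev.process, "Startup", ev.target,
                                        "executable written to the per-user Startup folder"))
    return findings


def multi_mechanism_processes(findings):
    """Processes that set up more than one distinct autostart mechanism."""
    by_proc = {}
    for f in findings:
        by_proc.setdefault(f.process, set()).add(f.mechanism)
    return sorted(p for p, mechs in by_proc.items() if len(mechs) > 1)


if __name__ == "__main__":
    hits = find_persistence(EVENTS)
    for f in hits:
        print(f"[{f.mechanism:8}] {f.process} -> {f.image}: {f.reason}")
    print("multiple mechanisms:", multi_mechanism_processes(hits))
```

Run against the constructed events it reports three findings for the sample and lists it as a process using more than one mechanism; a Run value such as OneDrive under Program Files is left alone, which is the trade-off of the trusted-prefix heuristic (an attacker with write access to Program Files would also pass it).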
Processes
-
C:\Users\Admin\AppData\Local\Temp\aadac45adb9edaa2efdbc2172eb10a66ea3aea659bf48a4a995ed40e7a9eda47.exe  (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\aadac45adb9edaa2efdbc2172eb10a66ea3aea659bf48a4a995ed40e7a9eda47.exe"
  PID: 1956
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe  (depth 2, child of PID 1956)
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
    PID: 2256
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

  C:\FilesW6\abodec.exe  (depth 2, child of PID 1956)
    command line: C:\FilesW6\abodec.exe
    PID: 2696
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
-
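The process tree and the WriteProcessMemory entries are best read together: the sample runs from %TEMP%, spawns one child from the Startup folder and one from a bare root-level directory, and every recorded memory write goes into a process it has just created. The following is an added example, not code from the report or the sample, that encodes that reading: it builds the tree from constructed process records, scores each spawn on the parent's and child's locations, and separates writes into freshly created children (which ordinary process creation also produces) from writes into processes that were already running. PROCS and WRITES are constructed from the report; the parent of PID 1956 is not given there and is recorded as None. The scoring threshold and the "standard root directory" list are this script's assumptions.

```python
"""Process-lineage triage for spawn and WriteProcessMemory events (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

SAMPLE = "aadac45adb9edaa2efdbc2172eb10a66ea3aea659bf48a4a995ed40e7a9eda47.exe"


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]   # None when the parent is not in the report
    image: str


@dataclass(frozen=True)
class MemWrite:
    src_pid: int
    dst_pid: int


# Constructed from the report's process tree.
PROCS = [
    Proc(1956, None, "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE),
    Proc(2256, 1956, "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows"
                     "\\Start Menu\\Programs\\Startup\\sysxbod.exe"),
    Proc(2696, 1956, "C:\\FilesW6\\abodec.exe"),
]
# Constructed from the report's WriteProcessMemory IoCs: four writes into each child.
WRITES = [MemWrite(1956, 2256)] * 4 + [MemWrite(1956, 2696)] * 4

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
ROOT_DIR_RE = re.compile(r"^[A-Z]:\\([^\\]+)\\[^\\]+$", re.I)   # matches C:\<dir>\<file> only
STANDARD_ROOTS = {"windows", "program files", "program files (x86)", "users", "programdata"}


def spawn_reasons(parent: Proc, child: Proc):
    """Location-based anomalies for one parent/child pair."""
    reasons = []
    if TEMP_RE.search(parent.image):
        reasons.append("parent runs from %TEMP%")
    if STARTUP_RE.search(child.image):
        reasons.append("child runs from the Startup folder")
    m = ROOT_DIR_RE.match(child.image)
    if m and m.group(1).lower() not in STANDARD_ROOTS:
        reasons.append(f"child runs from a non-standard root directory ({m.group(1)})")
    return reasons


def suspicious_spawns(procs, min_reasons=2):
    """(parent pid, child pid, reasons) for spawns with at least min_reasons anomalies.
    A single weak indicator (any %TEMP% parent) would also flag ordinary installers."""
    by_pid = {p.pid: p for p in procs}
    out = []
    for child in procs:
        parent = by_pid.get(child.ppid)
        if parent is None:
            continue
        reasons = spawn_reasons(parent, child)
        if len(reasons) >= min_reasons:
            out.append((parent.pid, child.pid, reasons))
    return out


def injection_candidates(procs, writes):
    """Count WriteProcessMemory events whose target is NOT a direct child of the writer.
    Writes from a parent into a process it created are what process creation itself
    produces, so they are excluded; whatever remains targets a process that was
    already running, which is the pattern worth investigating."""
    by_pid = {p.pid: p for p in procs}
    counts = defaultdict(int)
    for w in writes:
        dst = by_pid.get(w.dst_pid)
        if dst is not None and dst.ppid == w.src_pid:
            continue
        counts[(w.src_pid, w.dst_pid)] += 1
    return dict(counts)


def render_tree(procs) -> str:
    """Indented tree, one line per process, roots first."""
    children = defaultdict(list)
    for p in procs:
        children[p.ppid].append(p)
    lines = []

    def walk(p: Proc, depth: int):
        lines.append("  " * depth + f"[{p.pid}] {p.image}")
        for c in children[p.pid]:
            walk(c, depth + 1)

    known = {p.pid for p in procs}
    for root in [p for p in procs if p.ppid not in known]:
        walk(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_tree(PROCS))
    for ppid, pid, reasons in suspicious_spawns(PROCS):
        print(f"{ppid} -> {pid}: " + "; ".join(reasons))
    print("cross-process writes:", injection_candidates(PROCS, WRITES) or "none")
```

On the report's data both spawns score two anomalies each and the injection check returns nothing, which is the point of separating the two signals: the WriteProcessMemory signature fires, but the evidence of what actually happened is in the lineage and the file locations, not in the writes.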
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 2.6MB
  MD5:    c9a4ce62409e3491edd05ae60a89d835
  SHA1:   014312cb9b448bf772d95b6a4db202e398f7ebc4
  SHA256: d1c53642431b3e4940e9cef6b48b8384c16e23338eca0196c8b540a67dfa66aa
  SHA512: 3ab10388a44ed91a64a400e7024db3a6d0ac4213402445161218d58ca2d560bd41f28a79be2e19946f1e1a8c030c4f5fdc9091ebfd7b39684068f2c828f1b080
-
Filesize: 2.6MB
  MD5:    a2afaa04e0cf85a7029453f1dbc6e715
  SHA1:   2ad9eebda7dbb07730fe4a4b19673f1136fe9414
  SHA256: e9f6aff9dd3ba9d8c6dadd34b693d5ffa74f788b6437030552520e89cff82130
  SHA512: 632e258ad818a800c5ec711448c8115bee1e6558c317b57032429b601e6a6007db3a753128502ae3919647507cf364f6c4128dded7b5a95b01adb503333f3fb3
-
Filesize: 2.6MB
  MD5:    53625deec37b51f54932ddc274764e1c
  SHA1:   e9038f012e90d1b888defdbc8256e2ed0aa1cf94
  SHA256: 46de67406c8d5a509bb7781282f5494d79c1933e4aba28990da499c256ea057e
  SHA512: f50eb7414e9cd9ea41ca6ebb5f72256642c8b0006d8f4761e93dd8bf9551f61466ff4fb89fff59070289d01be4c53785c9d26ca1f6b755ed401e232bc2389aba
-
Filesize: 170B
  MD5:    1aced9cb0a1e0d28f504f2d7ce539f2a
  SHA1:   18506c5c1c6f2c8abc740ec7fc22a013dce361de
  SHA256: bea35b27475a1a24fb3d886ac9fb9f23c6aed42d2bef1207e9a28ae6ea084094
  SHA512: cd91ec1940cd123f700527fd70a908474f8e8ea9e6e295879320b541654a24ad90b344a8ab29025b4a3e9ba03ee82743b9ba796ae3a4d56705bdcf39f837ea45
-
Filesize: 202B
  MD5:    b53478b894f2dcf42795956136ab88e3
  SHA1:   83620760fdd426ff6b779542385a7ee5c7ed5404
  SHA256: 0380cb0e98b33c3ad23a1d4e50de976c50b63c202e8a3057c69aee72f76bbb0a
  SHA512: 4f0019cc054f1fbf016e4d1d797c64ff9314e799293840c0cb3635c72f4cea7faad00a7bd1cb34abba20ed71fb93958bf63cf6028570065e6476d1e4ec99f6d6
-
Filesize: 2.6MB
  MD5:    b34b95259f0ead4a6e19faa8abd03a13
  SHA1:   4dac14411bba3e64d4bf681cd76c6d6ba3010a0c
  SHA256: 54b91e7977148f012ae14da41c1bd89e0eb73d26d5ce30124271f49a9cccc398
  SHA512: b27d8763be2a8e8f3944072eec7e80613ce4385cdc7149cc983adb15ca235589e47c1fcdb4b85df568d42d74cd5e358d9cab58d2d49e06f8201440039941f7e5
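Four of the six downloaded artifacts have the sample's 2.6MB size, yet none of them shares a hash with the sample or with each other, so an exact-hash sweep for the submitted file alone would miss the copies it writes; the per-artifact hashes above are what such a sweep has to carry. The following is an added example, not code from the report or the sample: a hashing and lookup routine that computes all four digests of a file in one pass, matches against a table constructed from the General and Downloads sections, and treats an MD5- or SHA-1-only hit as weak, since both are collision-prone and a differing SHA-256 means the bytes differ. The artifact labels in KNOWN are this script's own, because the report does not name the dropped files; fuzzy matching on the SSDEEP value from General would need the ssdeep library and is not shown.

```python
"""Hash-based matching of files against the artifacts in this report (added example)."""
import hashlib
import sys
from pathlib import Path

ALGOS = ("md5", "sha1", "sha256", "sha512")

# sha256 -> (label, md5, sha1); constructed from the report's General and Downloads sections.
KNOWN = {
    "aadac45adb9edaa2efdbc2172eb10a66ea3aea659bf48a4a995ed40e7a9eda47":
        ("submitted sample (2.6MB)", "98615eb3bdf077c6d2fd904ab9345bd9",
         "ad29b0a62a148fa6921494a207cbe1911fa8b838"),
    "d1c53642431b3e4940e9cef6b48b8384c16e23338eca0196c8b540a67dfa66aa":
        ("dropped artifact 1 (2.6MB)", "c9a4ce62409e3491edd05ae60a89d835",
         "014312cb9b448bf772d95b6a4db202e398f7ebc4"),
    "e9f6aff9dd3ba9d8c6dadd34b693d5ffa74f788b6437030552520e89cff82130":
        ("dropped artifact 2 (2.6MB)", "a2afaa04e0cf85a7029453f1dbc6e715",
         "2ad9eebda7dbb07730fe4a4b19673f1136fe9414"),
    "46de67406c8d5a509bb7781282f5494d79c1933e4aba28990da499c256ea057e":
        ("dropped artifact 3 (2.6MB)", "53625deec37b51f54932ddc274764e1c",
         "e9038f012e90d1b888defdbc8256e2ed0aa1cf94"),
    "bea35b27475a1a24fb3d886ac9fb9f23c6aed42d2bef1207e9a28ae6ea084094":
        ("dropped artifact 4 (170B)", "1aced9cb0a1e0d28f504f2d7ce539f2a",
         "18506c5c1c6f2c8abc740ec7fc22a013dce361de"),
    "0380cb0e98b33c3ad23a1d4e50de976c50b63c202e8a3057c69aee72f76bbb0a":
        ("dropped artifact 5 (202B)", "b53478b894f2dcf42795956136ab88e3",
         "83620760fdd426ff6b779542385a7ee5c7ed5404"),
    "54b91e7977148f012ae14da41c1bd89e0eb73d26d5ce30124271f49a9cccc398":
        ("dropped artifact 6 (2.6MB)", "b34b95259f0ead4a6e19faa8abd03a13",
         "4dac14411bba3e64d4bf681cd76c6d6ba3010a0c"),
}
MD5_INDEX = {v[1]: k for k, v in KNOWN.items()}
SHA1_INDEX = {v[2]: k for k, v in KNOWN.items()}


def hash_bytes(data: bytes) -> dict:
    """All four digests of an in-memory buffer."""
    return {a: hashlib.new(a, data).hexdigest() for a in ALGOS}


def hash_file(path, chunk_size=1 << 20) -> dict:
    """All four digests in one pass, reading in chunks so large files stay out of RAM."""
    hashers = {a: hashlib.new(a) for a in ALGOS}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}


def lookup(digests: dict):
    """(label, strength) for a known artifact, or None.
    SHA-256 is authoritative; an MD5/SHA-1-only hit is reported as weak."""
    sha256 = digests.get("sha256", "").lower()
    if sha256 in KNOWN:
        return KNOWN[sha256][0], "strong"
    for index, algo in ((SHA1_INDEX, "sha1"), (MD5_INDEX, "md5")):
        key = index.get(digests.get(algo, "").lower())
        if key is not None:
            return KNOWN[key][0], f"weak ({algo} only)"
    return None


def scan(root):
    """Hash every regular file under root and return (path, label, strength) matches."""
    hits = []
    for p in Path(root).rglob("*"):
        if p.is_file():
            m = lookup(hash_file(p))
            if m:
                hits.append((str(p), *m))
    return hits


if __name__ == "__main__":
    for path, label, strength in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{strength:18} {label:28} {path}")
```

Running it over a directory prints one line per match; on a host where only the sample has landed, the copies written to the Startup folder and to C:\FilesW6 will be caught only if their digests are in KNOWN, which is why every row of the Downloads table is carried rather than just the sample's.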