Analysis
- max time kernel: 119s
- max time network: 102s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29/08/2024, 04:54
Static task: static1
Behavioral task behavioral1
- Sample: 1811ff8e09ca8a0caa777852400ea8e0N.exe
- Resource: win7-20240704-en
Behavioral task behavioral2
- Sample: 1811ff8e09ca8a0caa777852400ea8e0N.exe
- Resource: win10v2004-20240802-en
General
- Target: 1811ff8e09ca8a0caa777852400ea8e0N.exe
- Size: 2.6MB
- MD5: 1811ff8e09ca8a0caa777852400ea8e0
- SHA1: d2794f6208b655058eaea704a37e688f6c98607f
- SHA256: 8b9d6e01ed14e6dbc555f8156ed337df2decc760b1a0a92b97ae3dc1e7547987
- SHA512: 5abceb5b58a06aaa12dd7c3d066d667cb4f0484d7de5a21d5942f380679ff0c56de254c5bce4c6bd9b6292e803af5fe857178551c06db08e2ab4967ecea0e250
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB8B/bS:sxX7QnxrloE5dpUpnb
Malware Config
Signatures
- Credentials from Password Stores: Credentials from Web Browsers (1 TTP)
  Malicious access to, or copying of, the web browser credential store.
- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe (process: 1811ff8e09ca8a0caa777852400ea8e0N.exe)
- Executes dropped EXE (2 IoCs)
  PID 1428: sysabod.exe
  PID 1616: abodec.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials, etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeKE\\abodec.exe" (process: 1811ff8e09ca8a0caa777852400ea8e0N.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxK2\\optiasys.exe" (process: 1811ff8e09ca8a0caa777852400ea8e0N.exe)
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 1811ff8e09ca8a0caa777852400ea8e0N.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: sysabod.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: abodec.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 4860 wrote to memory of 1428 (pid: 4860, process: 1811ff8e09ca8a0caa777852400ea8e0N.exe, procid_target: 91)
  PID 4860 wrote to memory of 1428 (pid: 4860, process: 1811ff8e09ca8a0caa777852400ea8e0N.exe, procid_target: 91)
  PID 4860 wrote to memory of 1428 (pid: 4860, process: 1811ff8e09ca8a0caa777852400ea8e0N.exe, procid_target: 91)
  PID 4860 wrote to memory of 1616 (pid: 4860, process: 1811ff8e09ca8a0caa777852400ea8e0N.exe, procid_target: 92)
  PID 4860 wrote to memory of 1616 (pid: 4860, process: 1811ff8e09ca8a0caa777852400ea8e0N.exe, procid_target: 92)
  PID 4860 wrote to memory of 1616 (pid: 4860, process: 1811ff8e09ca8a0caa777852400ea8e0N.exe, procid_target: 92)
Processes
- C:\Users\Admin\AppData\Local\Temp\1811ff8e09ca8a0caa777852400ea8e0N.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1811ff8e09ca8a0caa777852400ea8e0N.exe"
  PID: 4860
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
    PID: 1428
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - Child process: C:\AdobeKE\abodec.exe (depth 2)
    Command line: C:\AdobeKE\abodec.exe
    PID: 1616
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads