Analysis

  • max time kernel: 119s
  • max time network: 102s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240802-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 29/08/2024, 04:54

General

  • Target: 1811ff8e09ca8a0caa777852400ea8e0N.exe
  • Size: 2.6MB
  • MD5: 1811ff8e09ca8a0caa777852400ea8e0
  • SHA1: d2794f6208b655058eaea704a37e688f6c98607f
  • SHA256: 8b9d6e01ed14e6dbc555f8156ed337df2decc760b1a0a92b97ae3dc1e7547987
  • SHA512: 5abceb5b58a06aaa12dd7c3d066d667cb4f0484d7de5a21d5942f380679ff0c56de254c5bce4c6bd9b6292e803af5fe857178551c06db08e2ab4967ecea0e250
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB8B/bS:sxX7QnxrloE5dpUpnb

Malware Config

Signatures

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, the web browser credential store.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1811ff8e09ca8a0caa777852400ea8e0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1811ff8e09ca8a0caa777852400ea8e0N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4860
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1428
    • C:\AdobeKE\abodec.exe
      C:\AdobeKE\abodec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1616

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\AdobeKE\abodec.exe
    Filesize: 1.6MB
    MD5: a7175fdcff2ef4b322c963705805acbd
    SHA1: 9604ff9d443a1d53349886abfc9e2b529b588240
    SHA256: f170289a93b5bacaef3f47df2d7e5a1d736f48df9a704697bca48187a17c12d1
    SHA512: 504b9a002aecda4128163f8158b862e33e29c2b44a3db91fc03dfce12be6061808f946127e8f50d312dd699a0b843dbceb8b2cdf1a19722fe76d14f22800e389

  • C:\AdobeKE\abodec.exe
    Filesize: 2.6MB
    MD5: 000ff0f3cf6b4ece1394782358d65092
    SHA1: 524ae30cda0dea8bad37535777408beba27d963c
    SHA256: d1797b17fbc7ea3720dc7211b44b2df4808367952cde393bc137464fcd9800b9
    SHA512: 967a5677a9c53073a5373b39ca2b4fc0dbee4d70ba9e6c57587c83e115ca90da284c467d5603c05543eb04f3cb7d9b3de2f4af72399f90ce353c23b810a56783

  • C:\GalaxK2\optiasys.exe
    Filesize: 24KB
    MD5: 541fec65455d5b34bd07a7b314994d2c
    SHA1: 55079bcde6bbc149b17389609709433e60bfb3d4
    SHA256: a426abba53e984d2d5760dc5deb76e09ebbb0d0d03e5cd262861f7afb8f71d4c
    SHA512: da54133de62360679354767fa7c44ea7c6e60cadc731344357b797e71a220936653e216b468a97b415fa4082ee2e3120ff9ebb80aac7b9a7238c6b8da7769b1e

  • C:\GalaxK2\optiasys.exe
    Filesize: 330KB
    MD5: 223b818179288e3d74a49cb0ee3d0b05
    SHA1: 4caa7b70f2ac925d0ff72ff8fc66a015c1192385
    SHA256: f4f49712d5ed7eae1f9c62b40855ee609a06d7aef40369fdf86393f5a4f422d7
    SHA512: 9acb57b2a0db5b2432a9d1d4183492777268a654864da301c48e519a7644c79c59492f3c27683547a92014281f59357617363994976c90436fed03ce0b98baa7

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 201B
    MD5: b8313712adf9c353a9faa35e16a4716b
    SHA1: 2b8f71a321e05ac39169966c5d93056c79140ef1
    SHA256: 7ab62abe65f8105fe34ba0b7edc77b5384da7b42c5a945bbe969d13fed91f8e4
    SHA512: c663e34c450930b5d7c42ae8173032f07d98e893b78b8ee25e01f81e2b0b9216ee6982a9957d89b964d01cca264955f8c209e96f0a55f8c9c71cd72ae25ce23c

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 169B
    MD5: ca72aaeb1c2791b46837f2dbca9ccc2d
    SHA1: 6a2ff772ebdc7c9b21deafbb70c6aaa72a3be3ae
    SHA256: ee065e5d18735c6306d5822952f54a4111a217080ad18999ed631f13fbec0e6f
    SHA512: d036e783fbfad58d795a489b99bc6394357dbd0bb506c0e281680a8bc71f15aba33a19447032ca773ec63b52be367405a46de0ce75dfa29e2f2a95f53badff61

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
    Filesize: 2.6MB
    MD5: 24a4b2a1feff462ae43cd5e322c72d9e
    SHA1: 23c963876b6e82db59f3acce08cff1078d0961cf
    SHA256: c298931d13d8a6733c9032d9b0dd03b55dd37425d2ffa072aed9306bf9ee47dc
    SHA512: a009ca716309e70a6f851753c13fc0c1b07142dac4ee4aee81a2263ae2c837dd6daccd0bf99c0bffe8137e87df690771efb3c720913c34a4cbd97ec5787e1010