Analysis

  • max time kernel
    120s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    04/09/2024, 00:39

General

  • Target

    fa1d440bb1348e08cd5975db0dc88ed0N.exe

  • Size

    2.6MB

  • MD5

    fa1d440bb1348e08cd5975db0dc88ed0

  • SHA1

    1097f7327cd57e2927c806007f690dc7ddf86098

  • SHA256

    9177654514a8e6b4a1092a50e4cd3fc3f5f4a46e6b1da4f908d29c8bf11b5206

  • SHA512

    fc749ec42221b8235c04fd78869362d72501fd6b199434f4ed0fe2e1e783205965601ccfd45da566771ec810b47b00d9f677ae27e5bd5b401ccd7beba00c30ad

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBAB/bS:sxX7QnxrloE5dpUpHb

Malware Config

Signatures

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser credential store.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fa1d440bb1348e08cd5975db0dc88ed0N.exe
    "C:\Users\Admin\AppData\Local\Temp\fa1d440bb1348e08cd5975db0dc88ed0N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1304
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2188
    • C:\Files18\abodec.exe
      C:\Files18\abodec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3044

Network


Downloads

  • C:\Files18\abodec.exe

    Filesize

    2.6MB

    MD5

    94c0af4baea3a7a82eb1b24c6291ad2e

    SHA1

    2f0cbfa55782c572487a1ce18951b9ae36363fd3

    SHA256

    a0e1bdec5c2fa1d9dabde012a10176fe3489061a3c0c791cf8cf1f3d35ec0be1

    SHA512

    37be06005fc9183ccebf9e69c89103c3aa7c4eb62d9de7d6b47ff8ab708bb74bd259d496d3df5276bd4fe450f1629280591f5be5bda9bf72b5938b6d4fe5e593

  • C:\KaVBTF\bodxsys.exe

    Filesize

    2.6MB

    MD5

    91ed2ade67ac8b3fc0f4b91087735fbd

    SHA1

    6af3ed970013ebcd94034e2d141c5be782f2b4c9

    SHA256

    753606b7c37232d8906de5cc07e5a3d4ebea5acd8eed1ff2363e945c50f68198

    SHA512

    3c1ce6ceed6fc7f196f82c0717c4653729e5082420f2092cbe066b1840b2be85dd4d2587b3ec6bb7f84008c6a3f4e56ff54f43a959226db8fd85c51963806611

  • C:\KaVBTF\bodxsys.exe

    Filesize

    2.6MB

    MD5

    4a30210f6c45260c941435ce3ebe0920

    SHA1

    0ef8eea4b39509d945660b5623f2632a049fa98d

    SHA256

    d9978f47db2b50bbc0292ee1e3d6ecc668d121d04b43b452dad1599a2318979c

    SHA512

    98fe41433f6549b52d8180eb9f6948a41a0aa06bd4e218a36eafb095fbb94fc9f2d5aac420ff4695c9026d9f5f88911e39b95a9f186e850d2a217b7dd7c5fb52

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    166B

    MD5

    86f90b4c66c23167b57254d3b0e12c0a

    SHA1

    4d4c98280b9a89d15c13322432db8ef98c51ede5

    SHA256

    3213e2f14a3ab3055a9c16e18129f7e0b689305e226916369d203c2da4d54e08

    SHA512

    c2d164c8a38925407fa4f31b489bc4194936fc3e96157a49bdf44b41a78a762ef2888847fa7c6d77a8af0ee693536a4158ad771cb9b7f8cf624fc472c23eed4a

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    198B

    MD5

    6e6136fe032a71980f8c0fe37c750b8d

    SHA1

    1f66b5e6d8dcc8d5c06e0339270a851cde1a93b1

    SHA256

    a21948ea1e2dfda380ccd0f5f49d82df3d65ded2d43d4535a48eaeb136299f5c

    SHA512

    b77e26964aa2914a3566a282fa788178ea0c31271be0c0111374f81590fa6428d19785422e61d4e9814e8274f3ae264f0e936d997934e1bee90eb6ca5af44ab1

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe

    Filesize

    2.6MB

    MD5

    eaf3ffe11acc58b892b922596aaee63b

    SHA1

    4ce4475b7fce0ceeef33798947a7775ab441fa4a

    SHA256

    1ada475bcce9a05f51515f98da86e048ea4781f6cab95b90757f03644bd65429

    SHA512

    db4bae07501996ec1b781793192f84ac0d1b199b8b8acb1f0633e5e129842cd14d5eccefc38903a9ca539e570a003be5635d9437307dd33c45757629bac158a1