Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/09/2024, 22:05

General

  • Target: 5d52154b0c1bbd07ee65c7dd6b155242d3e3f73f375d55e8d27f43e1ca921d42.exe
  • Size: 2.6MB
  • MD5: cb8ad88571316a7c5db8c8bced8165cb
  • SHA1: cbb62a447ee5ab176cd4799cee7b8903baece1ce
  • SHA256: 5d52154b0c1bbd07ee65c7dd6b155242d3e3f73f375d55e8d27f43e1ca921d42
  • SHA512: 01ed3e177689a611691db1cc9d6c3a57bc5fc108865f1e99720a37c99f6418901d497bb239fb5aa1cd971e8abf4b8d203d65756a114e7689fbbcf434fe90a7e5
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB4B/bS:sxX7QnxrloE5dpUp7b

Malware Config

Signatures

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, the web browser credential store.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim host in order to infer its geographical location.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5d52154b0c1bbd07ee65c7dd6b155242d3e3f73f375d55e8d27f43e1ca921d42.exe (PID 2488, depth 1)
    Command line: "C:\Users\Admin\AppData\Local\Temp\5d52154b0c1bbd07ee65c7dd6b155242d3e3f73f375d55e8d27f43e1ca921d42.exe"
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe (PID 2840, depth 2, child of PID 2488)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
    • C:\FilesP3\devdobloc.exe (PID 2844, depth 2, child of PID 2488)
      Command line: C:\FilesP3\devdobloc.exe
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\FilesP3\devdobloc.exe
    Filesize: 2.6MB
    MD5: 90ef49636fd0adf9715445f794134136
    SHA1: cac94aaf36e255ba1bed7c166489e41c7fce0a1c
    SHA256: b2999db6cfb15866ec3ad8ce2f07a55efd3e01571bd9a3f46adab248aaab3909
    SHA512: 47c28f644620a6cf23740ffc19ea69ae1db96cfe1903cee661fde6f72d4f8ce28611412ff503c07201d21a00a616499c3a31994131f790ca5c73d315f5996ee4

  • C:\LabZIX\bodasys.exe
    Filesize: 2.6MB
    MD5: 71906dc155713c70cdb0350c502a6a5e
    SHA1: 97a6163234ffaff5c4c089731c617f6b511d92df
    SHA256: c092d7aa1d7aa0b30ad59aa8bdf10597b8dc59631c399c7859e947bb4c3a6137
    SHA512: abf5145ab84b7f196484bfde7992978dd1c6873a043ca25c2e98bc3e1eff4f0c44e0f92062c9cdabfc44570d30100033fe05f6a402b94f71511e3dcaaa5d9664

  • C:\LabZIX\bodasys.exe
    Filesize: 32KB
    MD5: aa404e81fdc4946ac80a30fbf1b10c14
    SHA1: ed71e23df81576b945ef2f6e00f8f5b35f6a533b
    SHA256: 93b7a38f773796c870936ed5977333e42c13a41c33ba790d40d9ee15d294bd79
    SHA512: 3e210cc458293feedc8e52a4502d6a1fa12b5f5987d3bcb5323174b27f832f654224255aed64448d908132cb1173f0557d9a2234ee5e6d9caa220da210ee1ef0

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 171B
    MD5: 25a7ba2da9ad8d75279f4bd1bd8adc65
    SHA1: bb38e5b11bfafacc5263f36cabc40765309506aa
    SHA256: 6a4b5015808bdcf1211731e246f79b018e1b42dbcef46ee0cbf0aee4abde9d55
    SHA512: a5675af2be709c08106fc27cb76516c3d757b375211a653cbb1d001c07208c689276b0ca9eb2e608f97df2c52a1644482437bcdfe1a10240e786d8347c37f8e3

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 203B
    MD5: b14a79cc399d851745678957953e4e1f
    SHA1: 221357c6160169c24d77214540150806829683c9
    SHA256: e529fb5d01346d06a3664dce1af2f53edd0b7d46d64189477f1302427f140260
    SHA512: 3bc3a941927a1b3f8d0e47b7cee488aa3b237b5b3478ff98c141e0ddff93d846f615a007ccc5a3bfbda1e0e10aeb8eab82f0cffa28a08efa79112ba499963d70

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
    Filesize: 2.6MB
    MD5: a957284fe52be07a51ac65e09539b975
    SHA1: 336418a9dacec1d7ef43cc13893e4784fedcfd04
    SHA256: ff5c5097034ea65902028faf93f643637f52c35f41434b5ad9385f389f58b545
    SHA512: c4bc48508fea0c6d09864406494cb29aff427625685c66d2c851232ab2b5eefdfce5808a8dde2046aa864e342f3a6031c422472fb8abf58a8cdbb3d00bbf1148