Analysis
max time kernel: 149s
max time network: 123s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 07/09/2024, 22:05
Static task: static1
Behavioral task: behavioral1
  Sample: 5d52154b0c1bbd07ee65c7dd6b155242d3e3f73f375d55e8d27f43e1ca921d42.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 5d52154b0c1bbd07ee65c7dd6b155242d3e3f73f375d55e8d27f43e1ca921d42.exe
  Resource: win10v2004-20240802-en
General
Target: 5d52154b0c1bbd07ee65c7dd6b155242d3e3f73f375d55e8d27f43e1ca921d42.exe
Size: 2.6MB
MD5: cb8ad88571316a7c5db8c8bced8165cb
SHA1: cbb62a447ee5ab176cd4799cee7b8903baece1ce
SHA256: 5d52154b0c1bbd07ee65c7dd6b155242d3e3f73f375d55e8d27f43e1ca921d42
SHA512: 01ed3e177689a611691db1cc9d6c3a57bc5fc108865f1e99720a37c99f6418901d497bb239fb5aa1cd971e8abf4b8d203d65756a114e7689fbbcf434fe90a7e5
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB4B/bS:sxX7QnxrloE5dpUp7b
Malware Config
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious access to, or copying of, a web browser credential store.
-
Drops startup file 1 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | 5d52154b0c1bbd07ee65c7dd6b155242d3e3f73f375d55e8d27f43e1ca921d42.exe
-
Executes dropped EXE 2 IoCs
pid | Process
2840 | locxopti.exe
2844 | devdobloc.exe
-
Loads dropped DLL 2 IoCs
pid | Process
2488 | 5d52154b0c1bbd07ee65c7dd6b155242d3e3f73f375d55e8d27f43e1ca921d42.exe
2488 | 5d52154b0c1bbd07ee65c7dd6b155242d3e3f73f375d55e8d27f43e1ca921d42.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesP3\\devdobloc.exe" | 5d52154b0c1bbd07ee65c7dd6b155242d3e3f73f375d55e8d27f43e1ca921d42.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZIX\\bodasys.exe" | 5d52154b0c1bbd07ee65c7dd6b155242d3e3f73f375d55e8d27f43e1ca921d42.exe
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 5d52154b0c1bbd07ee65c7dd6b155242d3e3f73f375d55e8d27f43e1ca921d42.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | locxopti.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | devdobloc.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2488 | 5d52154b0c1bbd07ee65c7dd6b155242d3e3f73f375d55e8d27f43e1ca921d42.exe
2488 | 5d52154b0c1bbd07ee65c7dd6b155242d3e3f73f375d55e8d27f43e1ca921d42.exe
2840 | locxopti.exe
2844 | devdobloc.exe
2840 | locxopti.exe
2844 | devdobloc.exe
2840 | locxopti.exe
2844 | devdobloc.exe
2840 | locxopti.exe
2844 | devdobloc.exe
2840 | locxopti.exe
2844 | devdobloc.exe
2840 | locxopti.exe
2844 | devdobloc.exe
2840 | locxopti.exe
2844 | devdobloc.exe
2840 | locxopti.exe
2844 | devdobloc.exe
2840 | locxopti.exe
2844 | devdobloc.exe
2840 | locxopti.exe
2844 | devdobloc.exe
2840 | locxopti.exe
2844 | devdobloc.exe
2840 | locxopti.exe
2844 | devdobloc.exe
2840 | locxopti.exe
2844 | devdobloc.exe
2840 | locxopti.exe
2844 | devdobloc.exe
2840 | locxopti.exe
2844 | devdobloc.exe
2840 | locxopti.exe
2844 | devdobloc.exe
2840 | locxopti.exe
2844 | devdobloc.exe
2840 | locxopti.exe
2844 | devdobloc.exe
2840 | locxopti.exe
2844 | devdobloc.exe
2840 | locxopti.exe
2844 | devdobloc.exe
2840 | locxopti.exe
2844 | devdobloc.exe
2840 | locxopti.exe
2844 | devdobloc.exe
2840 | locxopti.exe
2844 | devdobloc.exe
2840 | locxopti.exe
2844 | devdobloc.exe
2840 | locxopti.exe
2844 | devdobloc.exe
2840 | locxopti.exe
2844 | devdobloc.exe
2840 | locxopti.exe
2844 | devdobloc.exe
2840 | locxopti.exe
2844 | devdobloc.exe
2840 | locxopti.exe
2844 | devdobloc.exe
2840 | locxopti.exe
2844 | devdobloc.exe
2840 | locxopti.exe
2844 | devdobloc.exe
-
Suspicious use of WriteProcessMemory 8 IoCs
description | pid | Process | procid_target
PID 2488 wrote to memory of 2840 | 2488 | 5d52154b0c1bbd07ee65c7dd6b155242d3e3f73f375d55e8d27f43e1ca921d42.exe | 31
PID 2488 wrote to memory of 2840 | 2488 | 5d52154b0c1bbd07ee65c7dd6b155242d3e3f73f375d55e8d27f43e1ca921d42.exe | 31
PID 2488 wrote to memory of 2840 | 2488 | 5d52154b0c1bbd07ee65c7dd6b155242d3e3f73f375d55e8d27f43e1ca921d42.exe | 31
PID 2488 wrote to memory of 2840 | 2488 | 5d52154b0c1bbd07ee65c7dd6b155242d3e3f73f375d55e8d27f43e1ca921d42.exe | 31
PID 2488 wrote to memory of 2844 | 2488 | 5d52154b0c1bbd07ee65c7dd6b155242d3e3f73f375d55e8d27f43e1ca921d42.exe | 32
PID 2488 wrote to memory of 2844 | 2488 | 5d52154b0c1bbd07ee65c7dd6b155242d3e3f73f375d55e8d27f43e1ca921d42.exe | 32
PID 2488 wrote to memory of 2844 | 2488 | 5d52154b0c1bbd07ee65c7dd6b155242d3e3f73f375d55e8d27f43e1ca921d42.exe | 32
PID 2488 wrote to memory of 2844 | 2488 | 5d52154b0c1bbd07ee65c7dd6b155242d3e3f73f375d55e8d27f43e1ca921d42.exe | 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\5d52154b0c1bbd07ee65c7dd6b155242d3e3f73f375d55e8d27f43e1ca921d42.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5d52154b0c1bbd07ee65c7dd6b155242d3e3f73f375d55e8d27f43e1ca921d42.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2488
  -
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 2840
  -
  C:\FilesP3\devdobloc.exe (level 2)
    Command line: C:\FilesP3\devdobloc.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 2844
-
Network
MITRE ATT&CK Enterprise v15
Downloads