Analysis
  max time kernel: 150s
  max time network: 119s
  platform: windows7_x64
  resource: win7-20240903-en
  resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  submitted: 14/09/2024, 00:24
Static task: static1
Behavioral task: behavioral1
  Sample: a24148eda3bf4345cb5120375ce54afda973884143eecc7dfd186713b9f708fe.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: a24148eda3bf4345cb5120375ce54afda973884143eecc7dfd186713b9f708fe.exe
  Resource: win10v2004-20240802-en
General
  Target: a24148eda3bf4345cb5120375ce54afda973884143eecc7dfd186713b9f708fe.exe
  Size: 3.1MB
  MD5: 7721667d876a9fe1a5f9bd5ee6342df1
  SHA1: c84f9363a8269d588a0da33557b5cb144b4eb5e7
  SHA256: a24148eda3bf4345cb5120375ce54afda973884143eecc7dfd186713b9f708fe
  SHA512: c21cef79d5afe19a88b27b72f25ce5a0046295d70071c69018145d1bd29fd77ee9192fd1d7a4d594ab691418838f6e75124ae22c5e378b5396179a17cc28b62b
  SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBTB/bSqz8b6LNXJqI:sxX7QnxrloE5dpUpQbVz8eLFc
Malware Config
Signatures
- Credentials from Password Stores: Credentials from Web Browsers (1 TTPs)
  Malicious access to, or copy of, a web browser credential store.
- Drops startup file (1 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
    Process: a24148eda3bf4345cb5120375ce54afda973884143eecc7dfd186713b9f708fe.exe
- Executes dropped EXE (2 IoCs)
  PID 1716: locxdob.exe
  PID 2264: adobsys.exe
- Loads dropped DLL (2 IoCs)
  PID 236: a24148eda3bf4345cb5120375ce54afda973884143eecc7dfd186713b9f708fe.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocG2\\adobsys.exe"
    Process: a24148eda3bf4345cb5120375ce54afda973884143eecc7dfd186713b9f708fe.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZNF\\bodxec.exe"
    Process: a24148eda3bf4345cb5120375ce54afda973884143eecc7dfd186713b9f708fe.exe
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: locxdob.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: adobsys.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: a24148eda3bf4345cb5120375ce54afda973884143eecc7dfd186713b9f708fe.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 236: a24148eda3bf4345cb5120375ce54afda973884143eecc7dfd186713b9f708fe.exe
  PID 1716: locxdob.exe
  PID 2264: adobsys.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 236 (a24148eda3bf4345cb5120375ce54afda973884143eecc7dfd186713b9f708fe.exe) wrote to memory of PID 1716, procid_target 30
  PID 236 (a24148eda3bf4345cb5120375ce54afda973884143eecc7dfd186713b9f708fe.exe) wrote to memory of PID 2264, procid_target 31
Processes
- C:\Users\Admin\AppData\Local\Temp\a24148eda3bf4345cb5120375ce54afda973884143eecc7dfd186713b9f708fe.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a24148eda3bf4345cb5120375ce54afda973884143eecc7dfd186713b9f708fe.exe"
  PID: 236
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
    PID: 1716
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\IntelprocG2\adobsys.exe
    Command line: C:\IntelprocG2\adobsys.exe
    PID: 2264
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads