Analysis

  • max time kernel
    150s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    14/09/2024, 00:24

General

  • Target

    a24148eda3bf4345cb5120375ce54afda973884143eecc7dfd186713b9f708fe.exe

  • Size

    3.1MB

  • MD5

    7721667d876a9fe1a5f9bd5ee6342df1

  • SHA1

    c84f9363a8269d588a0da33557b5cb144b4eb5e7

  • SHA256

    a24148eda3bf4345cb5120375ce54afda973884143eecc7dfd186713b9f708fe

  • SHA512

    c21cef79d5afe19a88b27b72f25ce5a0046295d70071c69018145d1bd29fd77ee9192fd1d7a4d594ab691418838f6e75124ae22c5e378b5396179a17cc28b62b

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBTB/bSqz8b6LNXJqI:sxX7QnxrloE5dpUpQbVz8eLFc

Malware Config

Signatures

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser credential store.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a24148eda3bf4345cb5120375ce54afda973884143eecc7dfd186713b9f708fe.exe
    "C:\Users\Admin\AppData\Local\Temp\a24148eda3bf4345cb5120375ce54afda973884143eecc7dfd186713b9f708fe.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:236
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1716
    • C:\IntelprocG2\adobsys.exe
      C:\IntelprocG2\adobsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2264

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\IntelprocG2\adobsys.exe

    Filesize

    3.1MB

    MD5

    3bfd5746cc1c20ec10c3bc12a6d02ead

    SHA1

    38c062f00ba5038c5d218a5db6ad631284ff2041

    SHA256

    3dab2e85ddb2dedb8d8143c5c09c7650d0a8221d4962794e088a12a68c7592ae

    SHA512

    d95d718089d0adb19b51150705d5b7d3bc9cd1a24c9577acd2cbfff792edde415d4bf02129e32fcef05fe853128f0e7540587f373d69b5b9f855155b4a2d1e30

  • C:\LabZNF\bodxec.exe

    Filesize

    1.7MB

    MD5

    cdd97b53b5ff1c4c91ddadde33a72d19

    SHA1

    e874795b48a2225d7a2708576fd4d0606378c736

    SHA256

    438c7c7dea5c73e6703f67772e6ae3226277177616fe6469e4a85d7a37eb1fde

    SHA512

    e74bbb0f1a6c70a85e4a19f9210eb0a23ba0e66948a6e4ed7d84876eb2015b382eddbad1ef6992eb2581bd54de559a61e47b322cd032e848d367ac45a3f59cc0

  • C:\LabZNF\bodxec.exe

    Filesize

    8KB

    MD5

    4f22d799849ad951d457b82eff37db75

    SHA1

    4e1063fe8d636bd72f9cd680c689c23c67188ea6

    SHA256

    6d731a85e1aa5373ae56b774f79879aaae0bf7acee2d491ffbe549dc72920948

    SHA512

    9906f7f210918aad8326adf8876fb1a50517812f1d6dc706f0ad6c14c9363ea1c2bdf15f1589563e9483925b76a4a315f4db9d27af6ab0674f200275d3b25f9a

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    171B

    MD5

    ecb4c5a14c072930cd2f90a21cf7e4c7

    SHA1

    5e7c6b0f05ea46a43c348296a005fe56ec802b48

    SHA256

    c9efe70bdd8ffcca3a7072ffdcaeead73c16a9791aba00cf6a758915e1c97430

    SHA512

    28f8ad8c7469a59f9a4ca663fdeb4838f4a17d6f8983fb9f6e3a7b5df9da9665cd12269b1205a8f27928dee2f322384f24073a3342cbda406f131e78209cbd8f

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    203B

    MD5

    d91f0e755948db9175994ce68120036f

    SHA1

    a02c74b0cdfde634cf87b9a0a52df1c1a2e50fad

    SHA256

    72507fa0598e00ad8d61e81bcca0eb32a5b803bde99e40ecf0755349f9129252

    SHA512

    3108bd790c6d018ca68294eeb68cc74566362fa69072719a425790d02d48994187dd2f583728a4bdbcbbece7e7e747feccf343f87f6245eeb780ee66088dc591

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe

    Filesize

    3.1MB

    MD5

    09706a47a68132c46bd478cdc850c1f2

    SHA1

    9c5f038e18a910676a9dbe5c52b560d337a7b66f

    SHA256

    b824fe95a74558b8b0c9e4a8a1a5d8c2c6c9f6aec54dce5dd2564966133c95cb

    SHA512

    dd22e7ab8c1433b8788737afd768cd4be2289cb62bfaceb763a296066f48b3c6c9adf1c31f54c5b6ab4ca1145d9b691d74f590f4e45548205ee3e64c44d6e2bf