Analysis
max time kernel: 150s
max time network: 97s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/09/2024, 19:47
Static task: static1
Behavioral task: behavioral1
  Sample: 3427c3f0599e90990ee1d83251803dc780fd4c414318ed66f3e30e71df2e8cf2.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 3427c3f0599e90990ee1d83251803dc780fd4c414318ed66f3e30e71df2e8cf2.exe
  Resource: win10v2004-20240802-en
General
Target: 3427c3f0599e90990ee1d83251803dc780fd4c414318ed66f3e30e71df2e8cf2.exe
Size: 2.6MB
MD5: f2b732029b7d0d90984c2257a1f69e4e
SHA1: 1d98d0465855ca94725b21b0fe22a76e82fc43de
SHA256: 3427c3f0599e90990ee1d83251803dc780fd4c414318ed66f3e30e71df2e8cf2
SHA512: 8c3fa8dfaf1e202cdb20daf23417685bd65e6789e7472b680fc130b1e6ed860d68ccffb973bea6a71566c78646b5e52a0b25cf97d4e4c49d613c4af0f76fd973
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBjB/bS:sxX7QnxrloE5dpUpYb
Malware Config
Signatures
- Credentials from Password Stores: Credentials from Web Browsers (1 TTP)
  Malicious access to, or copy of, a web browser credential store.
- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe (process: 3427c3f0599e90990ee1d83251803dc780fd4c414318ed66f3e30e71df2e8cf2.exe)
- Executes dropped EXE (2 IoCs)
  PID 4828: sysxbod.exe
  PID 4016: devdobec.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintYN\\optiasys.exe" (process: 3427c3f0599e90990ee1d83251803dc780fd4c414318ed66f3e30e71df2e8cf2.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv87\\devdobec.exe" (process: 3427c3f0599e90990ee1d83251803dc780fd4c414318ed66f3e30e71df2e8cf2.exe)
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: sysxbod.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: devdobec.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 3427c3f0599e90990ee1d83251803dc780fd4c414318ed66f3e30e71df2e8cf2.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 5000 wrote to memory of 4828 (process: 3427c3f0599e90990ee1d83251803dc780fd4c414318ed66f3e30e71df2e8cf2.exe, procid_target: 82)
  PID 5000 wrote to memory of 4828 (process: 3427c3f0599e90990ee1d83251803dc780fd4c414318ed66f3e30e71df2e8cf2.exe, procid_target: 82)
  PID 5000 wrote to memory of 4828 (process: 3427c3f0599e90990ee1d83251803dc780fd4c414318ed66f3e30e71df2e8cf2.exe, procid_target: 82)
  PID 5000 wrote to memory of 4016 (process: 3427c3f0599e90990ee1d83251803dc780fd4c414318ed66f3e30e71df2e8cf2.exe, procid_target: 83)
  PID 5000 wrote to memory of 4016 (process: 3427c3f0599e90990ee1d83251803dc780fd4c414318ed66f3e30e71df2e8cf2.exe, procid_target: 83)
  PID 5000 wrote to memory of 4016 (process: 3427c3f0599e90990ee1d83251803dc780fd4c414318ed66f3e30e71df2e8cf2.exe, procid_target: 83)
Processes
- C:\Users\Admin\AppData\Local\Temp\3427c3f0599e90990ee1d83251803dc780fd4c414318ed66f3e30e71df2e8cf2.exe (PID 5000, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3427c3f0599e90990ee1d83251803dc780fd4c414318ed66f3e30e71df2e8cf2.exe"
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe (PID 4828, depth 2)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\SysDrv87\devdobec.exe (PID 4016, depth 2)
    Command line: C:\SysDrv87\devdobec.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads