Analysis

  • max time kernel
    119s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    28/09/2024, 09:01

General

  • Target

    063441ba9be53ad70516ba40bd5ddfc9903930ef0de882d042047bc982e9c05fN.exe

  • Size

    2.6MB

  • MD5

    1f26bccdd30ec8c624318e3c1427e480

  • SHA1

    b9b59d0257e3d499b4d78b5dcfe0e7765f13edff

  • SHA256

    063441ba9be53ad70516ba40bd5ddfc9903930ef0de882d042047bc982e9c05f

  • SHA512

    7589b98728a52a6c52c20d915d4fcfbc7b416e9fd20a8c1c04f2e05eecc109a4f6af089f1f2e485070128e2b4aa2cd6df2cb5193031fafc4f26ecbcac3b39c50

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBmB/bS:sxX7QnxrloE5dpUp1b

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\063441ba9be53ad70516ba40bd5ddfc9903930ef0de882d042047bc982e9c05fN.exe
    "C:\Users\Admin\AppData\Local\Temp\063441ba9be53ad70516ba40bd5ddfc9903930ef0de882d042047bc982e9c05fN.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2756
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2752
    • C:\UserDot6Z\xdobec.exe
      C:\UserDot6Z\xdobec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2144

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\UserDot6Z\xdobec.exe

    Filesize

    2.6MB

    MD5

    5add1a988d7ea07ba75ccb5342882c40

    SHA1

    bf62ed652875f80dca9c9ad0f40aa6baa0e8c856

    SHA256

    0a881e2ed05d5ed33524bb7492f7d045dfea15f528fd8e1798c6c9e6f035afa6

    SHA512

    3d5302bbc87aae9d93dceb531eefaf270f122ea2b5c8399a1f9e403a8acaf5733ce3f1352e3a8235a8562b8de7206049465e568538af8db4979c21734486d4b4

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    172B

    MD5

    57d4c09e24c14e2965240bef58894522

    SHA1

    6aaafec172f223558c162d51b29b16347589acda

    SHA256

    f99c11a67546b85bb0012a62325da16e1ac6f9563baff40a169021a9adad238a

    SHA512

    ae059a1bebbd3138f7a98603cd10442dd88c8a8df16e37c5ba8f619d2029c26a1c43afc71d134a1270cd0fec64ff93bb1886da86874c97d6bebfbd607ff1ed0f

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    204B

    MD5

    aed741c5108d34d07f9e76200d41441b

    SHA1

    183447cf87db40d78b60b3731cb113456e83e0bc

    SHA256

    3d745e8495ac7486ffdf5a9c354534524915ef9cc5d6ad5036a627b953152bdd

    SHA512

    6dae395dffbc8aab69e21a0909e2bd92b06fc9b709e32d641b3ced81ad5db0152ef12cddfaee697725ac20d06cd952d940f1f7bb5426b01fe3e6eb222d690625

  • C:\Vid8B\boddevsys.exe

    Filesize

    2.6MB

    MD5

    413dc7f7f99915c2a91c96a866125899

    SHA1

    6e082d5fbac9ba8b3a753243f4959b0ef6422bc2

    SHA256

    8051c2d623246aedebe300705a28739614ed0d1a848092744ecc43cf7c57fecf

    SHA512

    0e79a1e3ebd7be903e5986897365a39e70c001f5277e03fd8d610899d9a12bb1578663fa9346b9ae25bfe2315d4c203b0375a522a8a27434b284d5dae49eb992

  • C:\Vid8B\boddevsys.exe

    Filesize

    57KB

    MD5

    a54d72e8045190fcd1a7c29fae94a21c

    SHA1

    f2ea661cc3cf0731a34224f5856fb93924eb24b2

    SHA256

    0b20c762da9a21258c1c72f455e159b8dace732893ef98e5aa50977354b417f2

    SHA512

    695ebd676bd1ca7122544e8b8deb2955ca2b1188a1354b07706a7fc0b7a83480ec3d0f69b58b9d585933a9b10fc174c22ef9f24672c820f5088fa4a114a0c123

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe

    Filesize

    2.6MB

    MD5

    96c507884e3db640ee26573c80ccc1f7

    SHA1

    f90a35992bec80a5b43fd32eaa5d96ab4d68ab3b

    SHA256

    3a0de699e0a690c92ed4f987abae145897cef1bfef1da9cd8daf9ded531f75f7

    SHA512

    8b63bfef58cfc6174000c6667638bc7cd56405c1b4e5dfb3bcdceb3dc76f48c38efdbc7086e727b2b8120ed4340ff61bf697a7701169ab9898dd111148658678