Analysis

  • max time kernel
    119s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    30/09/2024, 22:31

General

  • Target

    467e1695403afbc0e5cbc343b23fd0e6ba6eefcd88425bda7207fc759eaf28f6N.exe

  • Size

    2.6MB

  • MD5

    d73dbc077f643acecf9182e2d6ea0f00

  • SHA1

    2b0caeb79eeb5e4becb6cbea14d2e0868c6f288c

  • SHA256

    467e1695403afbc0e5cbc343b23fd0e6ba6eefcd88425bda7207fc759eaf28f6

  • SHA512

    3cce366c4584ede5c2ee6c950c6f29912ccc1bdabf9d74d0ad6546dbb67216b3ee1b1cb7f914537e654e2d613068abc9609e8233c28e57e07daca35487ab0ad4

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBFB/bS:sxX7QnxrloE5dpUp2b

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location (commonly used by malware to avoid running in particular regions).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\467e1695403afbc0e5cbc343b23fd0e6ba6eefcd88425bda7207fc759eaf28f6N.exe
    "C:\Users\Admin\AppData\Local\Temp\467e1695403afbc0e5cbc343b23fd0e6ba6eefcd88425bda7207fc759eaf28f6N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2196
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1664
    • C:\Intelproc4C\xdobsys.exe
      C:\Intelproc4C\xdobsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2404
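The tree above is the pattern the signatures describe: a parent in %TEMP% writes two executables (one into the user's Startup folder, one into a freshly created directory directly under C:\), sets a Run value, and then launches both copies. The following is an added example, not part of the tria.ge report and not any vendor's rule, that turns those observations into checks over Sysmon-shaped events. The event records are constructed by hand to mirror the report's tree (PID 2196 spawning 1664 and 2404); the Run value name and data are assumptions, because the report lists the "Adds Run key" signature but not the value it observed.

```python
"""Behavioural checks modelled on the process tree in the tria.ge report.

Added example, not part of the report. Events are hand-constructed in
Sysmon-like shape (EventID 1 ProcessCreate, 11 FileCreate,
13 RegistryValueSet); the Run value name/data are assumed.
"""
import re

# User Startup folder: anything written here runs at the next logon.
STARTUP_RE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\microsoft\\windows"
    r"\\start menu\\programs\\startup\\", re.IGNORECASE)
# ...\CurrentVersion\Run and RunOnce values under HKCU or HKLM.
RUN_KEY_RE = re.compile(
    r"\\software\\microsoft\\windows\\currentversion\\run(?:once)?\\", re.IGNORECASE)
# An .exe exactly one level below the drive root, e.g. C:\Intelproc4C\xdobsys.exe
ROOT_EXE_RE = re.compile(r"^[a-z]:\\([^\\]+)\\[^\\]+\.exe$", re.IGNORECASE)
# Root-level directories that legitimately hold executables.
KNOWN_ROOT_DIRS = {"windows", "program files", "program files (x86)",
                   "programdata", "users", "perflogs"}


def is_unusual_root_exe(path):
    """True for an .exe in a non-standard directory directly under the drive root."""
    m = ROOT_EXE_RE.match(path)
    return bool(m) and m.group(1).lower() not in KNOWN_ROOT_DIRS


def analyse(events):
    """Return (finding, actor_image, target) tuples; events must be time-ordered."""
    findings = []
    dropped = {}  # lower-cased dropped path -> lower-cased image that wrote it
    for e in events:
        eid = e["EventID"]
        if eid == 11:
            target = e["TargetFilename"]
            dropped[target.lower()] = e["Image"].lower()
            if STARTUP_RE.match(target):
                findings.append(("startup_folder_drop", e["Image"], target))
            if is_unusual_root_exe(target):
                findings.append(("nonstandard_root_dir_drop", e["Image"], target))
        elif eid == 13 and RUN_KEY_RE.search(e["TargetObject"]):
            findings.append(("run_key_set", e["Image"], e["Details"]))
        elif eid == 1:
            image, parent = e["Image"], e["ParentImage"]
            if STARTUP_RE.match(image):
                findings.append(("exec_from_startup_folder", parent, image))
            if is_unusual_root_exe(image):
                findings.append(("exec_from_nonstandard_root_dir", parent, image))
            # "Executes dropped EXE": the parent earlier wrote the file it now runs.
            if dropped.get(image.lower()) == parent.lower():
                findings.append(("executes_dropped_exe", parent, image))
    return findings


# Constructed events mirroring the report's tree (PID 2196 -> 1664, 2404).
PARENT = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\467e1695403afbc0e5cbc343b23fd0e6ba6eefcd88425bda7207fc759eaf28f6N.exe")
STARTUP_EXE = (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu"
               r"\Programs\Startup\sysabod.exe")
ROOT_EXE = r"C:\Intelproc4C\xdobsys.exe"

EVENTS = [
    {"EventID": 11, "Image": PARENT, "TargetFilename": STARTUP_EXE},
    {"EventID": 11, "Image": PARENT, "TargetFilename": ROOT_EXE},
    # Assumed value name and data: the report only says a Run key was added.
    {"EventID": 13, "Image": PARENT,
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\sysabod",
     "Details": STARTUP_EXE},
    {"EventID": 1, "Image": STARTUP_EXE, "ParentImage": PARENT,
     "ProcessId": 1664, "ParentProcessId": 2196},
    {"EventID": 1, "Image": ROOT_EXE, "ParentImage": PARENT,
     "ProcessId": 2404, "ParentProcessId": 2196},
]
# Constructed benign activity that must produce no findings.
BENIGN_EVENTS = [
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\Admin\AppData\Local\Temp\report.tmp"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "ProcessId": 3000, "ParentProcessId": 1200},
]

if __name__ == "__main__":
    for kind, actor, target in analyse(EVENTS):
        print(f"{kind:30} {actor} -> {target}")
    print("benign findings:", analyse(BENIGN_EVENTS))
```

Run on its own the script prints seven findings for the constructed tree and none for the benign events. The "executes_dropped_exe" correlation depends on event order, so feed it a time-sorted log; KNOWN_ROOT_DIRS is deliberately short and should be extended per environment (any software that installs into its own root-level folder would otherwise trip the non-standard-directory check).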

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Galax9N\bodasys.exe

    Filesize

    2.6MB

    MD5

    3acee1821e7113226bf0ed3e20e08717

    SHA1

    9ad884c2797db2186f745ad40bdd78a210f12f94

    SHA256

    662ebffe8fa786dd6f6d4b62cb51db0a1a09e50b8d41adafb1f719c21dbb3401

    SHA512

    abdbdaf96ed80c99b409795f625d98585ed87283f2d9fce709081935805dc7d7d4f98a467f604fda0851fa2a49e54385ccced1751320a97584cd1c6eaf4c875f

  • C:\Galax9N\bodasys.exe

    Filesize

    2.6MB

    MD5

    69d5a528eb08d80afcd6a1d26c0f53d6

    SHA1

    228158f415089f9a55e7caeb1218c2eaac2d9cce

    SHA256

    9ffdef9b58d1013bcb7166860102ae78edd1fbeced9873a371edb754ed14e91b

    SHA512

    c4eceb09951c0a83fcec20b6d59a8c4d53d071cb4e9c3d65085fb1069fbb5dc55c9997da66c078ae42cd1329edb6ed7105a128392fd70b1f46f475d8ca6917ad

  • C:\Intelproc4C\xdobsys.exe

    Filesize

    2.6MB

    MD5

    f91390ad9bd5eeaa5d1d4544cf981caf

    SHA1

    0322c38b7b24461e1cab4b8cca95784ac6ac6ff7

    SHA256

    fdeaa52de5a6cc0f3003c887483e2f713104a1e737f0ea22815a2fed77003813

    SHA512

    d6ab9799a889b981693dc70f57ac29f02575d4b6b02608bb829e017aeb5664684fc29d280eb92f4a8db71ab818abbb3b3c3dda90a9246779c8b0d92b1d7f2c92

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    173B

    MD5

    764626d86553f0486ac032f778b54965

    SHA1

    50970a21da76097ea3a90735b0208853719e33e9

    SHA256

    957090f685311b90322266158f93b057648eb1be30ff07c2fc143f3d7be31cde

    SHA512

    f7203ae32f3fb34870dc65bf07d2936ec64707008c4ea278ae32ed21649300642a439cb987570aef8e73144b768a2ec7c29904b1ecc1327355750d82a7a51323

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    205B

    MD5

    8b861dbbb4f7fc7f9232692c7edf4bb4

    SHA1

    023fb7052a36f5fe2bb48a657518c40da0454ae5

    SHA256

    d002a139a0fd90fad936010c290542ed4fee03d82ae2893ad8678d0d54293b62

    SHA512

    16187ce89ee2745a52a7c21849c610f3ac43e998914d3962305174f46174a2c3d99044ca019a72318e55fba97531a1d1b37e300bbff9c199be43450d9efc3503

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe

    Filesize

    2.6MB

    MD5

    f13de97f4552a2469bc77ea85c43dfbe

    SHA1

    a13a5bbcafca6962cd3f72900d7c5dabd2837767

    SHA256

    fe5ee0c875ebd367d082d76ca2a3e619488cd3746a66d38d2df7e8fa3ca53242

    SHA512

    ad41ba2fb0de5858fa4f0f42010a9b38ef75c7df20a156f9b3b649aa251e892202a86d9e2454b02237b4cdbf23eb501eec10c47e6d8f2bc6fb1d4e47ac787fd4
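Two things in the table above matter when turning it into host indicators. First, C:\Galax9N\bodasys.exe appears twice with different hashes, and the 173-byte and 205-byte copies of the .ini also differ, so the same path was written more than once with different content; a hash list must carry every variant. Second, the .ini name 253086396416_6.1_Admin.ini appears to embed the OS version (6.1 is Windows 7) and the sandbox user name, so on any other host it will have a different name and hash and is better matched by pattern than by digest. The script below is an added example, not part of the tria.ge report: it keeps the report's SHA256 values and file names and applies them to constructed host records (path, SHA256) of the kind Get-FileHash -Algorithm SHA256 produces; the .ini pattern is a generalisation of the one name the report shows and is an assumption.

```python
"""Match host files against the dropped-file indicators in the tria.ge report.

Added example, not part of the report. The digests and names are copied
from the report's Downloads section; HOST_RECORDS is constructed here.
"""
import hashlib
import re

# SHA256 -> path as listed in the report. C:\Galax9N\bodasys.exe was written
# twice with different content, so both digests are kept.
DROPPED_SHA256 = {
    "467e1695403afbc0e5cbc343b23fd0e6ba6eefcd88425bda7207fc759eaf28f6": "original sample",
    "662ebffe8fa786dd6f6d4b62cb51db0a1a09e50b8d41adafb1f719c21dbb3401": r"C:\Galax9N\bodasys.exe",
    "9ffdef9b58d1013bcb7166860102ae78edd1fbeced9873a371edb754ed14e91b": r"C:\Galax9N\bodasys.exe",
    "fdeaa52de5a6cc0f3003c887483e2f713104a1e737f0ea22815a2fed77003813": r"C:\Intelproc4C\xdobsys.exe",
    "fe5ee0c875ebd367d082d76ca2a3e619488cd3746a66d38d2df7e8fa3ca53242":
        r"\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe",
}
DROPPED_NAMES = {"sysabod.exe", "xdobsys.exe", "bodasys.exe"}
DROPPED_DIRS = {"intelproc4c", "galax9n"}          # directories created under C:\
# Assumed generalisation of 253086396416_6.1_Admin.ini: <digits>_<osver>_<user>.ini
INI_RE = re.compile(r"^\d+_\d+\.\d+_[^\\]+\.ini$", re.IGNORECASE)


def hash_bytes(data):
    return hashlib.sha256(data).hexdigest()


def hash_file(path, chunk=1 << 20):
    """SHA256 of a file on disk, read in chunks so large files do not load whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def classify(path, sha256):
    """Return the reasons a host file matches the report, strongest first."""
    reasons = []
    digest = sha256.lower()                  # Get-FileHash prints upper-case hex
    if digest in DROPPED_SHA256:
        reasons.append("sha256:" + DROPPED_SHA256[digest])
    parts = path.replace("/", "\\").split("\\")
    name = parts[-1]
    if name.lower() in DROPPED_NAMES:
        reasons.append("filename:" + name.lower())
    if len(parts) >= 3 and parts[1].lower() in DROPPED_DIRS:
        reasons.append("directory:" + parts[1])
    if INI_RE.match(name):
        reasons.append("ini-marker-pattern")
    return reasons


def triage(records):
    """records: iterable of (path, sha256hex). Returns [(path, reasons), ...] for hits."""
    hits = []
    for path, sha in records:
        reasons = classify(path, sha)
        if reasons:
            hits.append((path, reasons))
    return hits


# Constructed host inventory: one exact hash hit, one renamed-user copy whose
# hash differs (rebuilt or polymorphic), one .ini marker, one clean system file.
HOST_RECORDS = [
    (r"C:\Intelproc4C\xdobsys.exe",
     "FDEAA52DE5A6CC0F3003C887483E2F713104A1E737F0EA22815A2FED77003813"),
    (r"C:\Users\Bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe",
     "1" * 64),
    (r"C:\Users\Bob\8841234567_10.0_Bob.ini", "2" * 64),
    (r"C:\Windows\System32\kernel32.dll", "3" * 64),
]

if __name__ == "__main__":
    for path, reasons in triage(HOST_RECORDS):
        print(path, "->", ", ".join(reasons))
```

On a live host, replace HOST_RECORDS with (path, hash_file(path)) pairs from a directory walk, or with the output of Get-FileHash exported to CSV. Treat a hash hit as confirmation and a name or directory hit as a lead to pull the file for analysis: the report's own table shows content changing under a fixed path, so a digest-only sweep would miss a rebuilt copy.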