Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 119s
- max time network: 17s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 30/09/2024, 22:31
Static task
static1
Behavioral task
behavioral1
Sample
467e1695403afbc0e5cbc343b23fd0e6ba6eefcd88425bda7207fc759eaf28f6N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
467e1695403afbc0e5cbc343b23fd0e6ba6eefcd88425bda7207fc759eaf28f6N.exe
Resource
win10v2004-20240802-en
General
- Target: 467e1695403afbc0e5cbc343b23fd0e6ba6eefcd88425bda7207fc759eaf28f6N.exe
- Size: 2.6MB
- MD5: d73dbc077f643acecf9182e2d6ea0f00
- SHA1: 2b0caeb79eeb5e4becb6cbea14d2e0868c6f288c
- SHA256: 467e1695403afbc0e5cbc343b23fd0e6ba6eefcd88425bda7207fc759eaf28f6
- SHA512: 3cce366c4584ede5c2ee6c950c6f29912ccc1bdabf9d74d0ad6546dbb67216b3ee1b1cb7f914537e654e2d613068abc9609e8233c28e57e07daca35487ab0ad4
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBFB/bS:sxX7QnxrloE5dpUp2b
Malware Config
Signatures
- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe, by 467e1695403afbc0e5cbc343b23fd0e6ba6eefcd88425bda7207fc759eaf28f6N.exe
- Executes dropped EXE (2 IoCs)
  PID 1664 sysabod.exe
  PID 2404 xdobsys.exe
- Loads dropped DLL (2 IoCs)
  PID 2196 467e1695403afbc0e5cbc343b23fd0e6ba6eefcd88425bda7207fc759eaf28f6N.exe
  PID 2196 467e1695403afbc0e5cbc343b23fd0e6ba6eefcd88425bda7207fc759eaf28f6N.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax9N\\bodasys.exe", by 467e1695403afbc0e5cbc343b23fd0e6ba6eefcd88425bda7207fc759eaf28f6N.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc4C\\xdobsys.exe", by 467e1695403afbc0e5cbc343b23fd0e6ba6eefcd88425bda7207fc759eaf28f6N.exe
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by 467e1695403afbc0e5cbc343b23fd0e6ba6eefcd88425bda7207fc759eaf28f6N.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by sysabod.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by xdobsys.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2196 467e1695403afbc0e5cbc343b23fd0e6ba6eefcd88425bda7207fc759eaf28f6N.exe (2 entries)
  PID 1664 sysabod.exe and PID 2404 xdobsys.exe, alternating, for the remaining entries (64 IoCs in total)
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2196 (467e1695403afbc0e5cbc343b23fd0e6ba6eefcd88425bda7207fc759eaf28f6N.exe) wrote to memory of PID 1664, target procid 31 (4 entries)
  PID 2196 (467e1695403afbc0e5cbc343b23fd0e6ba6eefcd88425bda7207fc759eaf28f6N.exe) wrote to memory of PID 2404, target procid 32 (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\467e1695403afbc0e5cbc343b23fd0e6ba6eefcd88425bda7207fc759eaf28f6N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\467e1695403afbc0e5cbc343b23fd0e6ba6eefcd88425bda7207fc759eaf28f6N.exe"
  PID: 2196
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
    PID: 1664
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\Intelproc4C\xdobsys.exe
    Command line: C:\Intelproc4C\xdobsys.exe
    PID: 2404
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.6MB
  MD5: 3acee1821e7113226bf0ed3e20e08717
  SHA1: 9ad884c2797db2186f745ad40bdd78a210f12f94
  SHA256: 662ebffe8fa786dd6f6d4b62cb51db0a1a09e50b8d41adafb1f719c21dbb3401
  SHA512: abdbdaf96ed80c99b409795f625d98585ed87283f2d9fce709081935805dc7d7d4f98a467f604fda0851fa2a49e54385ccced1751320a97584cd1c6eaf4c875f
- Filesize: 2.6MB
  MD5: 69d5a528eb08d80afcd6a1d26c0f53d6
  SHA1: 228158f415089f9a55e7caeb1218c2eaac2d9cce
  SHA256: 9ffdef9b58d1013bcb7166860102ae78edd1fbeced9873a371edb754ed14e91b
  SHA512: c4eceb09951c0a83fcec20b6d59a8c4d53d071cb4e9c3d65085fb1069fbb5dc55c9997da66c078ae42cd1329edb6ed7105a128392fd70b1f46f475d8ca6917ad
- Filesize: 2.6MB
  MD5: f91390ad9bd5eeaa5d1d4544cf981caf
  SHA1: 0322c38b7b24461e1cab4b8cca95784ac6ac6ff7
  SHA256: fdeaa52de5a6cc0f3003c887483e2f713104a1e737f0ea22815a2fed77003813
  SHA512: d6ab9799a889b981693dc70f57ac29f02575d4b6b02608bb829e017aeb5664684fc29d280eb92f4a8db71ab818abbb3b3c3dda90a9246779c8b0d92b1d7f2c92
- Filesize: 173B
  MD5: 764626d86553f0486ac032f778b54965
  SHA1: 50970a21da76097ea3a90735b0208853719e33e9
  SHA256: 957090f685311b90322266158f93b057648eb1be30ff07c2fc143f3d7be31cde
  SHA512: f7203ae32f3fb34870dc65bf07d2936ec64707008c4ea278ae32ed21649300642a439cb987570aef8e73144b768a2ec7c29904b1ecc1327355750d82a7a51323
- Filesize: 205B
  MD5: 8b861dbbb4f7fc7f9232692c7edf4bb4
  SHA1: 023fb7052a36f5fe2bb48a657518c40da0454ae5
  SHA256: d002a139a0fd90fad936010c290542ed4fee03d82ae2893ad8678d0d54293b62
  SHA512: 16187ce89ee2745a52a7c21849c610f3ac43e998914d3962305174f46174a2c3d99044ca019a72318e55fba97531a1d1b37e300bbff9c199be43450d9efc3503
- Filesize: 2.6MB
  MD5: f13de97f4552a2469bc77ea85c43dfbe
  SHA1: a13a5bbcafca6962cd3f72900d7c5dabd2837767
  SHA256: fe5ee0c875ebd367d082d76ca2a3e619488cd3746a66d38d2df7e8fa3ca53242
  SHA512: ad41ba2fb0de5858fa4f0f42010a9b38ef75c7df20a156f9b3b649aa251e892202a86d9e2454b02237b4cdbf23eb501eec10c47e6d8f2bc6fb1d4e47ac787fd4