Site notice (Windows 7 deprecation): Windows 7 analysis environments will be removed from tria.ge on 2025-03-31.
Analysis
  max time kernel:  119s
  max time network: 18s
  platform:         windows7_x64
  resource:         win7-20240903-en
  resource tags:    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  submitted:        2024-10-06 04:44 UTC (shown on the page as 06/10/2024; the analysis image is dated 2024-09-03, so the date is day/month)
Tasks
  static1      (static)
  behavioral1  (behavioral)  sample: 2ae3c4d377f5f5e984b9d207d3a605a28f2750c3ee0acf60d4eea0fa91b65589N.exe  resource: win7-20240903-en
  behavioral2  (behavioral)  sample: 2ae3c4d377f5f5e984b9d207d3a605a28f2750c3ee0acf60d4eea0fa91b65589N.exe  resource: win10v2004-20240802-en
The signatures, process tree and PIDs below belong to the Windows 7 task (behavioral1, platform windows7_x64).
General
  Target:  2ae3c4d377f5f5e984b9d207d3a605a28f2750c3ee0acf60d4eea0fa91b65589N.exe
  Size:    2.6MB
  MD5:     b66ffb4704a0d857d711cfce898cbcb0
  SHA1:    5a596c5156f922bbc8d72de5241af0ab8f30f3e8
  SHA256:  2ae3c4d377f5f5e984b9d207d3a605a28f2750c3ee0acf60d4eea0fa91b65589
  SHA512:  b3e678552fa0797cee4373d2b776e1946d7b5695dcd943285717b16e28202cf9c7ab05f452653b8bdc61c7b99143b6825eedd2ed8f93fd2292a764f50571c7ad
  SSDEEP:  49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBvB/bS:sxX7QnxrloE5dpUp8b
Malware Config
Signatures

Drops startup file (1 IoC)
  description   ioc                                                                                        process
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe   2ae3c4d377f5f5e984b9d207d3a605a28f2750c3ee0acf60d4eea0fa91b65589N.exe (PID 2248)

Executes dropped EXE (2 IoCs)
  pid    process
  1960   locxdob.exe
  2912   devbodsys.exe

Loads dropped DLL (2 IoCs)
  pid    process
  2248   2ae3c4d377f5f5e984b9d207d3a605a28f2750c3ee0acf60d4eea0fa91b65589N.exe
  2248   2ae3c4d377f5f5e984b9d207d3a605a28f2750c3ee0acf60d4eea0fa91b65589N.exe
  (The loaded DLL is not named in this listing.)
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.
  No IoC rows are recorded for this signature in the run; the TTP mapping alone does not show which browser paths were touched.
Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                                                             process
  Set value (str)  \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeNM\\devbodsys.exe"       2ae3c4d377f5f5e984b9d207d3a605a28f2750c3ee0acf60d4eea0fa91b65589N.exe (PID 2248)
  Set value (str)  \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB2J\\optixsys.exe"   2ae3c4d377f5f5e984b9d207d3a605a28f2750c3ee0acf60d4eea0fa91b65589N.exe (PID 2248)
  Both values are written under the current user's hive (HKCU), so no elevation is needed. Note that C:\KaVB2J\optixsys.exe does not appear in the process tree below: a RunOnce value only fires at the next logon, which is outside the 119 s run, so its behaviour is not captured in this report. The shared value name "Parametr" is a usable pivot for hunting.
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                       process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  2ae3c4d377f5f5e984b9d207d3a605a28f2750c3ee0acf60d4eea0fa91b65589N.exe (PID 2248)
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  locxdob.exe (PID 1960)
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  devbodsys.exe (PID 2912)
  Opening the NLS\Language key is also routine locale initialisation for benign software; on its own it is a weak indicator and is only interesting here because all three processes in the chain do it.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid    process                                                                   entries
  2248   2ae3c4d377f5f5e984b9d207d3a605a28f2750c3ee0acf60d4eea0fa91b65589N.exe   2
  1960   locxdob.exe                                                               remaining 62 entries alternate between PID 1960 and PID 2912
  2912   devbodsys.exe                                                             (see above)
Suspicious use of WriteProcessMemory (8 IoCs)
  description                              pid    process                                                                   procid_target
  PID 2248 wrote to memory of 1960 (x4)    2248   2ae3c4d377f5f5e984b9d207d3a605a28f2750c3ee0acf60d4eea0fa91b65589N.exe   29
  PID 2248 wrote to memory of 2912 (x4)    2248   2ae3c4d377f5f5e984b9d207d3a605a28f2750c3ee0acf60d4eea0fa91b65589N.exe   30
  Caveat: both targets are children that PID 2248 itself launched (see the process tree), and a parent writing into a process it has just created is a normal part of process start-up on Windows 7. These rows therefore corroborate the parent/child relationship but are not by themselves evidence of process injection; look for writes into a process the sample did not create before treating this as injection.
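The two persistence IoC classes above (an executable dropped into the per-user Startup folder, and Run/RunOnce values written under the user's CurrentVersion key) are the rows most worth turning into a hunt. The following is an added example, not part of the tria.ge report or the sample: it assumes Sysmon-style JSON events with the standard EventID 11 (FileCreate) and EventID 13 (RegistryEvent, value set) field names, and the sample events are constructed to mirror this report's IoCs plus invented benign noise. The patterns are generic so the same hunt also flags other droppers using the same technique; the report's own file and value names are used only to tag a hit as this sample.

```python
"""Hunt for Startup-folder drops and Run/RunOnce value writes in Sysmon-style
JSON events. Sample events below are constructed for this example."""
import json
import re
from typing import Dict, Iterable, List, Optional

# Generic persistence locations (case-insensitive), not tied to file names.
STARTUP_DIR_RE = re.compile(
    r"\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\",
    re.IGNORECASE,
)
RUN_KEY_RE = re.compile(
    r"\\software\\microsoft\\windows\\currentversion\\(run|runonce)\\([^\\]+)$",
    re.IGNORECASE,
)
# Program-like extensions; .lnk is deliberately excluded (installers legitimately
# put shortcuts in Startup, so it would drown the .exe drop in noise).
PROGRAM_EXT_RE = re.compile(r"\.(exe|dll|scr|com|bat|cmd|vbs|js|ps1|hta)$", re.IGNORECASE)

# Exact names from this report; used only to tag a hit as the known sample.
REPORT_IOCS = ("locxdob.exe", "devbodsys.exe", "optixsys.exe", "parametr")


def check_event(ev: Dict) -> Optional[Dict]:
    """Return a finding for a persistence-relevant event, or None."""
    eid = ev.get("EventID")
    if eid == 11:  # FileCreate
        target = ev.get("TargetFilename", "")
        if STARTUP_DIR_RE.search(target) and PROGRAM_EXT_RE.search(target):
            return {"rule": "startup_folder_drop", "pid": ev.get("ProcessId"),
                    "image": ev.get("Image"), "detail": target}
    elif eid == 13:  # RegistryEvent (value set)
        m = RUN_KEY_RE.search(ev.get("TargetObject", ""))
        if m:
            key, value_name = m.group(1).lower(), m.group(2)
            return {"rule": f"{key}_value_set", "pid": ev.get("ProcessId"),
                    "image": ev.get("Image"),
                    "detail": f"{value_name} = {ev.get('Details', '')}"}
    return None


def hunt(lines: Iterable[str]) -> List[Dict]:
    """Run check_event over JSON lines; tag hits that match this report's names."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        finding = check_event(json.loads(line))
        if finding is None:
            continue
        low = finding["detail"].lower()
        finding["known_sample"] = any(name in low for name in REPORT_IOCS)
        findings.append(finding)
    return findings


# Constructed events mirroring the report's IoCs (SID, paths and value name
# are taken from the report; PIDs 1204/3320 and the benign rows are invented).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2ae3c4d377f5f5e984b9d207d3a605a28f2750c3ee0acf60d4eea0fa91b65589N.exe"
HKU = r"HKU\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"EventID": 11, "ProcessId": 2248, "Image": SAMPLE,
     "TargetFilename": STARTUP + r"\locxdob.exe"},
    {"EventID": 13, "ProcessId": 2248, "Image": SAMPLE,
     "TargetObject": HKU + r"\Run\Parametr", "Details": r"C:\AdobeNM\devbodsys.exe"},
    {"EventID": 13, "ProcessId": 2248, "Image": SAMPLE,
     "TargetObject": HKU + r"\RunOnce\Parametr", "Details": r"C:\KaVB2J\optixsys.exe"},
    # benign noise that must not fire
    {"EventID": 13, "ProcessId": 1204, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": HKU + r"\Explorer\Advanced\Hidden", "Details": "DWORD (0x00000001)"},
    {"EventID": 11, "ProcessId": 1204, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": STARTUP + r"\desktop.ini"},
    {"EventID": 11, "ProcessId": 3320, "Image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "TargetFilename": r"C:\Users\Admin\Documents\notes.docx"},
]]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        tag = "KNOWN SAMPLE" if f["known_sample"] else "review"
        print(f"[{tag}] {f['rule']:20} pid={f['pid']} {f['detail']}")
```

On the constructed input the hunt returns exactly the three report IoCs (startup_folder_drop, run_value_set, runonce_value_set), all attributed to PID 2248 and all tagged as the known sample, while the explorer.exe and WINWORD.EXE rows are ignored. To run it against real telemetry, feed it the JSON-lines export of Sysmon events 11 and 13 (or the equivalent EDR fields) instead of SAMPLE_EVENTS; the RunOnce hit is the one to chase first, since the report shows that branch never executed inside the sandbox.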
Processes (behavioral1, Windows 7)
  C:\Users\Admin\AppData\Local\Temp\2ae3c4d377f5f5e984b9d207d3a605a28f2750c3ee0acf60d4eea0fa91b65589N.exe  (PID 2248, depth 1)
    command line: "C:\Users\Admin\AppData\Local\Temp\2ae3c4d377f5f5e984b9d207d3a605a28f2750c3ee0acf60d4eea0fa91b65589N.exe"
    - Drops startup file
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe  (PID 1960, depth 2, child of 2248)
      command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
    C:\AdobeNM\devbodsys.exe  (PID 2912, depth 2, child of 2248)
      command line: C:\AdobeNM\devbodsys.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads (files dropped during the run; file names are not included in this listing)

  1. Filesize 2.6MB
     MD5     a6c5e7ecce3494f0d111c6bfa2b75fbb
     SHA1    eb2c7e8948cf80d1f0073064926a2d1c9ee3ef03
     SHA256  c26fc08034bdec5571b0ec168dea7d45e16d86fe092416659e274d7cc035ed30
     SHA512  dd1570beb7c5afe5e63eadb4dd9bfef61d4027b676692e576fffa9fef97668ae2c1b6107436c78646727a9f7152ee2c030026e2b1f0471c0c0e60ee6ccecebf6

  2. Filesize 2.6MB
     MD5     e6626a75d6f2b477b7d0818f3d0d9478
     SHA1    b1917f0ddad16066dac1f38a765068ef42d4b478
     SHA256  73db243a0ee435d28802cf597f889edb76d2c9b0226829dde00e61d5363b98d8
     SHA512  e85942747a913229d91ee3b230c934ab54c05042c9be9029c4aef94bab1d490fc730ba722ef33e16da53f320128ed0b50c8f39f92a5aadd2c67e8538f590c81e

  3. Filesize 171B
     MD5     04c6d8a13ae3a65dbdcf556bb72a539c
     SHA1    58cfbc600f990bf957ba6994d1e299b611f1c07c
     SHA256  7c5ba40c9942e591b07cc98130fd613b711282dcd1a85d5769eae1b1274b6462
     SHA512  a6c06a93868ac3c6979d7805af8514e47eb1922700426ba91ecb585284410273add20f288d5ffd0bfd6aecf06d4b6501b6a6d58a45ae8eb8ebf7453f8278b9d1

  4. Filesize 203B
     MD5     49b7c3658ebf321788bef6a2c1951a2a
     SHA1    c64889793ce56ab7a1e632fd525473145136e03c
     SHA256  92fd5fe1f0559c80ae4b5c1a4fc7f83691a50e5720d5c84edc0a41de8db3cfe8
     SHA512  43911db4cd4f12ca91bae00d6ca059b29c1b45bda5485845c3c3d1e7b7f882b5c85a08fd7e58747cc902fed488e6bcda0f4f6ad728c5bd0ea6e2e12aa1bbb1d9

  5. Filesize 2.6MB
     MD5     1587921aeea223084f1e73f2f327bdd2
     SHA1    28eb3cd70700f63459f86938b0c81565232fc3ee
     SHA256  f27e7f2a9a9ed9c6e95b955c137e17840dadb135aa4500ef80058c207e91dfde
     SHA512  7c5df875ba7dd5fbe87792968ab4b954e3534d2230601c86e0c69b3c37ab40bec919302fd9172c3864d1caaed74408133a9231a3e7d314d984cfbef364bcf939

  Three of the five dropped files are the same 2.6MB size as the submitted sample but have different hashes, so they are not byte-identical copies; without file names in this listing they cannot be mapped to locxdob.exe, devbodsys.exe or optixsys.exe from the report alone.