
Analysis

  • max time kernel
    119s
  • max time network
    18s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    06/10/2024, 04:44

General

  • Target

    2ae3c4d377f5f5e984b9d207d3a605a28f2750c3ee0acf60d4eea0fa91b65589N.exe

  • Size

    2.6MB

  • MD5

    b66ffb4704a0d857d711cfce898cbcb0

  • SHA1

    5a596c5156f922bbc8d72de5241af0ab8f30f3e8

  • SHA256

    2ae3c4d377f5f5e984b9d207d3a605a28f2750c3ee0acf60d4eea0fa91b65589

  • SHA512

    b3e678552fa0797cee4373d2b776e1946d7b5695dcd943285717b16e28202cf9c7ab05f452653b8bdc61c7b99143b6825eedd2ed8f93fd2292a764f50571c7ad

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBvB/bS:sxX7QnxrloE5dpUp8b

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2ae3c4d377f5f5e984b9d207d3a605a28f2750c3ee0acf60d4eea0fa91b65589N.exe
    "C:\Users\Admin\AppData\Local\Temp\2ae3c4d377f5f5e984b9d207d3a605a28f2750c3ee0acf60d4eea0fa91b65589N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2248
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1960
    • C:\AdobeNM\devbodsys.exe
      C:\AdobeNM\devbodsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2912

Network


Downloads

  • C:\AdobeNM\devbodsys.exe

    Filesize

    2.6MB

    MD5

    a6c5e7ecce3494f0d111c6bfa2b75fbb

    SHA1

    eb2c7e8948cf80d1f0073064926a2d1c9ee3ef03

    SHA256

    c26fc08034bdec5571b0ec168dea7d45e16d86fe092416659e274d7cc035ed30

    SHA512

    dd1570beb7c5afe5e63eadb4dd9bfef61d4027b676692e576fffa9fef97668ae2c1b6107436c78646727a9f7152ee2c030026e2b1f0471c0c0e60ee6ccecebf6

  • C:\KaVB2J\optixsys.exe

    Filesize

    2.6MB

    MD5

    e6626a75d6f2b477b7d0818f3d0d9478

    SHA1

    b1917f0ddad16066dac1f38a765068ef42d4b478

    SHA256

    73db243a0ee435d28802cf597f889edb76d2c9b0226829dde00e61d5363b98d8

    SHA512

    e85942747a913229d91ee3b230c934ab54c05042c9be9029c4aef94bab1d490fc730ba722ef33e16da53f320128ed0b50c8f39f92a5aadd2c67e8538f590c81e

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    171B

    MD5

    04c6d8a13ae3a65dbdcf556bb72a539c

    SHA1

    58cfbc600f990bf957ba6994d1e299b611f1c07c

    SHA256

    7c5ba40c9942e591b07cc98130fd613b711282dcd1a85d5769eae1b1274b6462

    SHA512

    a6c06a93868ac3c6979d7805af8514e47eb1922700426ba91ecb585284410273add20f288d5ffd0bfd6aecf06d4b6501b6a6d58a45ae8eb8ebf7453f8278b9d1

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    203B

    MD5

    49b7c3658ebf321788bef6a2c1951a2a

    SHA1

    c64889793ce56ab7a1e632fd525473145136e03c

    SHA256

    92fd5fe1f0559c80ae4b5c1a4fc7f83691a50e5720d5c84edc0a41de8db3cfe8

    SHA512

    43911db4cd4f12ca91bae00d6ca059b29c1b45bda5485845c3c3d1e7b7f882b5c85a08fd7e58747cc902fed488e6bcda0f4f6ad728c5bd0ea6e2e12aa1bbb1d9

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe

    Filesize

    2.6MB

    MD5

    1587921aeea223084f1e73f2f327bdd2

    SHA1

    28eb3cd70700f63459f86938b0c81565232fc3ee

    SHA256

    f27e7f2a9a9ed9c6e95b955c137e17840dadb135aa4500ef80058c207e91dfde

    SHA512

    7c5df875ba7dd5fbe87792968ab4b954e3534d2230601c86e0c69b3c37ab40bec919302fd9172c3864d1caaed74408133a9231a3e7d314d984cfbef364bcf939