Analysis

  • max time kernel
    119s
  • max time network
    18s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    06/10/2024, 04:44 UTC

General

  • Target

    2ae3c4d377f5f5e984b9d207d3a605a28f2750c3ee0acf60d4eea0fa91b65589N.exe

  • Size

    2.6MB

  • MD5

    b66ffb4704a0d857d711cfce898cbcb0

  • SHA1

    5a596c5156f922bbc8d72de5241af0ab8f30f3e8

  • SHA256

    2ae3c4d377f5f5e984b9d207d3a605a28f2750c3ee0acf60d4eea0fa91b65589

  • SHA512

    b3e678552fa0797cee4373d2b776e1946d7b5695dcd943285717b16e28202cf9c7ab05f452653b8bdc61c7b99143b6825eedd2ed8f93fd2292a764f50571c7ad

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBvB/bS:sxX7QnxrloE5dpUp8b

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2ae3c4d377f5f5e984b9d207d3a605a28f2750c3ee0acf60d4eea0fa91b65589N.exe
    "C:\Users\Admin\AppData\Local\Temp\2ae3c4d377f5f5e984b9d207d3a605a28f2750c3ee0acf60d4eea0fa91b65589N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2248
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1960
    • C:\AdobeNM\devbodsys.exe
      C:\AdobeNM\devbodsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2912

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\AdobeNM\devbodsys.exe

    Filesize

    2.6MB

    MD5

    a6c5e7ecce3494f0d111c6bfa2b75fbb

    SHA1

    eb2c7e8948cf80d1f0073064926a2d1c9ee3ef03

    SHA256

    c26fc08034bdec5571b0ec168dea7d45e16d86fe092416659e274d7cc035ed30

    SHA512

    dd1570beb7c5afe5e63eadb4dd9bfef61d4027b676692e576fffa9fef97668ae2c1b6107436c78646727a9f7152ee2c030026e2b1f0471c0c0e60ee6ccecebf6

  • C:\KaVB2J\optixsys.exe

    Filesize

    2.6MB

    MD5

    e6626a75d6f2b477b7d0818f3d0d9478

    SHA1

    b1917f0ddad16066dac1f38a765068ef42d4b478

    SHA256

    73db243a0ee435d28802cf597f889edb76d2c9b0226829dde00e61d5363b98d8

    SHA512

    e85942747a913229d91ee3b230c934ab54c05042c9be9029c4aef94bab1d490fc730ba722ef33e16da53f320128ed0b50c8f39f92a5aadd2c67e8538f590c81e

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    171B

    MD5

    04c6d8a13ae3a65dbdcf556bb72a539c

    SHA1

    58cfbc600f990bf957ba6994d1e299b611f1c07c

    SHA256

    7c5ba40c9942e591b07cc98130fd613b711282dcd1a85d5769eae1b1274b6462

    SHA512

    a6c06a93868ac3c6979d7805af8514e47eb1922700426ba91ecb585284410273add20f288d5ffd0bfd6aecf06d4b6501b6a6d58a45ae8eb8ebf7453f8278b9d1

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    203B

    MD5

    49b7c3658ebf321788bef6a2c1951a2a

    SHA1

    c64889793ce56ab7a1e632fd525473145136e03c

    SHA256

    92fd5fe1f0559c80ae4b5c1a4fc7f83691a50e5720d5c84edc0a41de8db3cfe8

    SHA512

    43911db4cd4f12ca91bae00d6ca059b29c1b45bda5485845c3c3d1e7b7f882b5c85a08fd7e58747cc902fed488e6bcda0f4f6ad728c5bd0ea6e2e12aa1bbb1d9

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe

    Filesize

    2.6MB

    MD5

    1587921aeea223084f1e73f2f327bdd2

    SHA1

    28eb3cd70700f63459f86938b0c81565232fc3ee

    SHA256

    f27e7f2a9a9ed9c6e95b955c137e17840dadb135aa4500ef80058c207e91dfde

    SHA512

    7c5df875ba7dd5fbe87792968ab4b954e3534d2230601c86e0c69b3c37ab40bec919302fd9172c3864d1caaed74408133a9231a3e7d314d984cfbef364bcf939
