Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

2ae3c4d377...9N.exe

windows7-x64

7

2ae3c4d377...9N.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    119s
  • max time network
    18s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    06/10/2024, 04:44 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2ae3c4d377f5f5e984b9d207d3a605a28f2750c3ee0acf60d4eea0fa91b65589N.exe

  • Size

    2.6MB

  • MD5

    b66ffb4704a0d857d711cfce898cbcb0

  • SHA1

    5a596c5156f922bbc8d72de5241af0ab8f30f3e8

  • SHA256

    2ae3c4d377f5f5e984b9d207d3a605a28f2750c3ee0acf60d4eea0fa91b65589

  • SHA512

    b3e678552fa0797cee4373d2b776e1946d7b5695dcd943285717b16e28202cf9c7ab05f452653b8bdc61c7b99143b6825eedd2ed8f93fd2292a764f50571c7ad

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBvB/bS:sxX7QnxrloE5dpUp8b

Score
7/10
discoverypersistencespywarestealer

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2ae3c4d377f5f5e984b9d207d3a605a28f2750c3ee0acf60d4eea0fa91b65589N.exe
    "C:\Users\Admin\AppData\Local\Temp\2ae3c4d377f5f5e984b9d207d3a605a28f2750c3ee0acf60d4eea0fa91b65589N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2248
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1960
    • C:\AdobeNM\devbodsys.exe
      C:\AdobeNM\devbodsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2912

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\AdobeNM\devbodsys.exe
    Filesize

    2.6MB

    MD5

    a6c5e7ecce3494f0d111c6bfa2b75fbb

    SHA1

    eb2c7e8948cf80d1f0073064926a2d1c9ee3ef03

    SHA256

    c26fc08034bdec5571b0ec168dea7d45e16d86fe092416659e274d7cc035ed30

    SHA512

    dd1570beb7c5afe5e63eadb4dd9bfef61d4027b676692e576fffa9fef97668ae2c1b6107436c78646727a9f7152ee2c030026e2b1f0471c0c0e60ee6ccecebf6

    Download Submit

  • C:\KaVB2J\optixsys.exe
    Filesize

    2.6MB

    MD5

    e6626a75d6f2b477b7d0818f3d0d9478

    SHA1

    b1917f0ddad16066dac1f38a765068ef42d4b478

    SHA256

    73db243a0ee435d28802cf597f889edb76d2c9b0226829dde00e61d5363b98d8

    SHA512

    e85942747a913229d91ee3b230c934ab54c05042c9be9029c4aef94bab1d490fc730ba722ef33e16da53f320128ed0b50c8f39f92a5aadd2c67e8538f590c81e

    Download Submit

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize

    171B

    MD5

    04c6d8a13ae3a65dbdcf556bb72a539c

    SHA1

    58cfbc600f990bf957ba6994d1e299b611f1c07c

    SHA256

    7c5ba40c9942e591b07cc98130fd613b711282dcd1a85d5769eae1b1274b6462

    SHA512

    a6c06a93868ac3c6979d7805af8514e47eb1922700426ba91ecb585284410273add20f288d5ffd0bfd6aecf06d4b6501b6a6d58a45ae8eb8ebf7453f8278b9d1

    Download Submit

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize

    203B

    MD5

    49b7c3658ebf321788bef6a2c1951a2a

    SHA1

    c64889793ce56ab7a1e632fd525473145136e03c

    SHA256

    92fd5fe1f0559c80ae4b5c1a4fc7f83691a50e5720d5c84edc0a41de8db3cfe8

    SHA512

    43911db4cd4f12ca91bae00d6ca059b29c1b45bda5485845c3c3d1e7b7f882b5c85a08fd7e58747cc902fed488e6bcda0f4f6ad728c5bd0ea6e2e12aa1bbb1d9

    Download Submit

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
    Filesize

    2.6MB

    MD5

    1587921aeea223084f1e73f2f327bdd2

    SHA1

    28eb3cd70700f63459f86938b0c81565232fc3ee

    SHA256

    f27e7f2a9a9ed9c6e95b955c137e17840dadb135aa4500ef80058c207e91dfde

    SHA512

    7c5df875ba7dd5fbe87792968ab4b954e3534d2230601c86e0c69b3c37ab40bec919302fd9172c3864d1caaed74408133a9231a3e7d314d984cfbef364bcf939

    Download Submit

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.