Analysis

  • max time kernel
    150s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    14/10/2024, 01:14

General

  • Target

    95c4938e5284161eaf9f28a27524bf5d8e7780d6a9415208219b3724445f3420.exe

  • Size

    2.6MB

  • MD5

    7bc9e1cb0a174fea59f5f782355b9ae8

  • SHA1

    ff5fff09a26ae794d698938f3dd2d89625d5e990

  • SHA256

    95c4938e5284161eaf9f28a27524bf5d8e7780d6a9415208219b3724445f3420

  • SHA512

    e97cee50cfd69556d8cb57f7f3527f365920858f42fbcb862ad7167bc49a1c04fb459cb3ae2aa3d58fc1fa5d12842c3c8a884b28eb717a8a85f15681ed3d8997

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBWB/bS:sxX7QnxrloE5dpUpJb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\95c4938e5284161eaf9f28a27524bf5d8e7780d6a9415208219b3724445f3420.exe
    "C:\Users\Admin\AppData\Local\Temp\95c4938e5284161eaf9f28a27524bf5d8e7780d6a9415208219b3724445f3420.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2936
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2224
    • C:\FilesL1\adobec.exe
      C:\FilesL1\adobec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2904

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\FilesL1\adobec.exe

    Filesize

    2.6MB

    MD5

    ff4cca42378d37433e11c82c6b8f5ccd

    SHA1

    cb834e545d3aab1e05c842f6ea212c6853dd2bfe

    SHA256

    6c5f86f083f8c604c4521d1a8e51e5ac0974e4a23c269f7c4ea3252178414c57

    SHA512

    ecf522876e3c73ec83802a64fed806a5e3e68a1a8134faa5b47557e897406510a558395e10abccb8a42dfe76a62bd0e90de13aded5b264e99ff3b63010618229

  • C:\KaVBTT\dobasys.exe

    Filesize

    2.6MB

    MD5

    d48c87fcc9b7fe3421c0cf033a11a35f

    SHA1

    9c5ad489cd10c7982bfc8d4f37bc9d65c365fdab

    SHA256

    863db50f2dd43eee6faf0e16e03583ae20475f975c0228ad968132ded7710c4a

    SHA512

    7230a4c9f7bb84f732fd45286e2f35bc24603f9f792f621cbe2aa9a40de0dfa7d808abc0be27c4c6b89cf6fc3d8dd37c6c2c161bc4ed82f69b6c6adbbcd21725

  • C:\KaVBTT\dobasys.exe

    Filesize

    2.6MB

    MD5

    cc5e152f0f5f01817152567ca4aa0ab1

    SHA1

    fe281e503c690586f03211f7e7d91e2de588cb74

    SHA256

    b54d01ac511d9152eed0ac1058718ee66581f02630e48d6bac444024e4a117f3

    SHA512

    7ed845f293894bfa2448caa9e2b322b7c52fac2d843060e6af8b591893afafc4779ac11a983f31386031ee9703ea966e445a600aadde61c5df964bbcbe61b38f

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    169B

    MD5

    5cc9099a558a119a47b7b12f44ce6fdd

    SHA1

    5cedf11e3f35b2c29728bbb4758e6227fbe2c0c0

    SHA256

    884d3805a5ec27f34620da156ea028d6d4c5c924db64a7fa80756006034e719e

    SHA512

    ab0a757b0a48a756fbc8035c352baf167c88bf91f000d017e75de3e42f426521ab69612bff6c46fbe11d71ce667aa8ac5713a389de8b734468e0758ded4e1962

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    201B

    MD5

    9afc5581344aa26d936a1eee456154f9

    SHA1

    34ab0cc93c54c5999bb096caa47a5d3363e762e9

    SHA256

    2302af6a72f85f7a019981b9f8e332496d8654185446e3c5bfdcad790b7ecaff

    SHA512

    c8a1b0515271f84865d6d8e0c199a26d71b5f49d6e1238288ac7792355ed4203b2d512fd42af9a9553204ed150cf908d3238d430062937b5c11806d3a168bb9b

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe

    Filesize

    2.6MB

    MD5

    7a99e336db79068816ea42b8062354a6

    SHA1

    03ed5b019e72964dea666383a5bd3e1906d0e806

    SHA256

    bddb8818ee87bd8c2169e66cafbd8926555c570270289a726e7f29ea11ff5e00

    SHA512

    6ae2c10e92c5740b3ff48d7f51acbc68dc272b1d2c598a4c82c4bac58693ac5056f1975eb2981adde118c09e489abb525e2fb7069a7348c1f8395b4863a0bf0b