Analysis
- max time kernel: 150s
- max time network: 117s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
- submitted: 14/10/2024, 01:14
Static task: static1
Behavioral task: behavioral1
- Sample: 95c4938e5284161eaf9f28a27524bf5d8e7780d6a9415208219b3724445f3420.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 95c4938e5284161eaf9f28a27524bf5d8e7780d6a9415208219b3724445f3420.exe
- Resource: win10v2004-20241007-en
General
- Target: 95c4938e5284161eaf9f28a27524bf5d8e7780d6a9415208219b3724445f3420.exe
- Size: 2.6MB
- MD5: 7bc9e1cb0a174fea59f5f782355b9ae8
- SHA1: ff5fff09a26ae794d698938f3dd2d89625d5e990
- SHA256: 95c4938e5284161eaf9f28a27524bf5d8e7780d6a9415208219b3724445f3420
- SHA512: e97cee50cfd69556d8cb57f7f3527f365920858f42fbcb862ad7167bc49a1c04fb459cb3ae2aa3d58fc1fa5d12842c3c8a884b28eb717a8a85f15681ed3d8997
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBWB/bS:sxX7QnxrloE5dpUpJb
Malware Config
Signatures
- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe (process: 95c4938e5284161eaf9f28a27524bf5d8e7780d6a9415208219b3724445f3420.exe)
- Executes dropped EXE (2 IoCs)
  pid 2224: sysdevbod.exe
  pid 2904: adobec.exe
- Loads dropped DLL (2 IoCs)
  pid 2936: 95c4938e5284161eaf9f28a27524bf5d8e7780d6a9415208219b3724445f3420.exe
  pid 2936: 95c4938e5284161eaf9f28a27524bf5d8e7780d6a9415208219b3724445f3420.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBTT\\dobasys.exe" (process: 95c4938e5284161eaf9f28a27524bf5d8e7780d6a9415208219b3724445f3420.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesL1\\adobec.exe" (process: 95c4938e5284161eaf9f28a27524bf5d8e7780d6a9415208219b3724445f3420.exe)
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 95c4938e5284161eaf9f28a27524bf5d8e7780d6a9415208219b3724445f3420.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: sysdevbod.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: adobec.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid / Process (the 64 entries repeat the following three pid/process pairs):
  2936: 95c4938e5284161eaf9f28a27524bf5d8e7780d6a9415208219b3724445f3420.exe
  2224: sysdevbod.exe
  2904: adobec.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description / pid / Process / procid_target:
  PID 2936 wrote to memory of 2224 / 2936 / 95c4938e5284161eaf9f28a27524bf5d8e7780d6a9415208219b3724445f3420.exe / 30
  PID 2936 wrote to memory of 2224 / 2936 / 95c4938e5284161eaf9f28a27524bf5d8e7780d6a9415208219b3724445f3420.exe / 30
  PID 2936 wrote to memory of 2224 / 2936 / 95c4938e5284161eaf9f28a27524bf5d8e7780d6a9415208219b3724445f3420.exe / 30
  PID 2936 wrote to memory of 2224 / 2936 / 95c4938e5284161eaf9f28a27524bf5d8e7780d6a9415208219b3724445f3420.exe / 30
  PID 2936 wrote to memory of 2904 / 2936 / 95c4938e5284161eaf9f28a27524bf5d8e7780d6a9415208219b3724445f3420.exe / 31
  PID 2936 wrote to memory of 2904 / 2936 / 95c4938e5284161eaf9f28a27524bf5d8e7780d6a9415208219b3724445f3420.exe / 31
  PID 2936 wrote to memory of 2904 / 2936 / 95c4938e5284161eaf9f28a27524bf5d8e7780d6a9415208219b3724445f3420.exe / 31
  PID 2936 wrote to memory of 2904 / 2936 / 95c4938e5284161eaf9f28a27524bf5d8e7780d6a9415208219b3724445f3420.exe / 31
Processes
- C:\Users\Admin\AppData\Local\Temp\95c4938e5284161eaf9f28a27524bf5d8e7780d6a9415208219b3724445f3420.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\95c4938e5284161eaf9f28a27524bf5d8e7780d6a9415208219b3724445f3420.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2936
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe (child of PID 2936)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 2224
  - C:\FilesL1\adobec.exe (child of PID 2936)
    Command line: C:\FilesL1\adobec.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 2904
Network
MITRE ATT&CK Enterprise v15
Downloads