Analysis
- max time kernel: 119s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 14/10/2024, 16:15
Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: 0ea67812c8d7c2fced136a23b4cacc8b41c7949575b679829e1a998dc2b7a531N.exe
  Resource: win7-20240903-en
- Behavioral task: behavioral2
  Sample: 0ea67812c8d7c2fced136a23b4cacc8b41c7949575b679829e1a998dc2b7a531N.exe
  Resource: win10v2004-20241007-en
General
- Target: 0ea67812c8d7c2fced136a23b4cacc8b41c7949575b679829e1a998dc2b7a531N.exe
- Size: 2.6MB
- MD5: 9267f952a13dabe9573df2e86e259ae0
- SHA1: 4c840b73b84a96f569969d55892e05d97b868884
- SHA256: 0ea67812c8d7c2fced136a23b4cacc8b41c7949575b679829e1a998dc2b7a531
- SHA512: 8bb9393e1885c86ac39556188c7be4bac26d9395124556d83cb37b1d0a9b1d216c2dd9c593ac5f4de7ea18d52615b894319fe1a0ba611337152c06929b10da2c
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBZB/bS:sxX7QnxrloE5dpUpWb
Malware Config
Signatures
- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
  Process: 0ea67812c8d7c2fced136a23b4cacc8b41c7949575b679829e1a998dc2b7a531N.exe
- Executes dropped EXE (2 IoCs)
  PID 2072: ecadob.exe
  PID 2188: xbodsys.exe
- Loads dropped DLL (2 IoCs)
  PID 2236: 0ea67812c8d7c2fced136a23b4cacc8b41c7949575b679829e1a998dc2b7a531N.exe (2 entries)
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZXO\\optixloc.exe"
  Process: 0ea67812c8d7c2fced136a23b4cacc8b41c7949575b679829e1a998dc2b7a531N.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesOI\\xbodsys.exe"
  Process: 0ea67812c8d7c2fced136a23b4cacc8b41c7949575b679829e1a998dc2b7a531N.exe
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: ecadob.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: xbodsys.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: 0ea67812c8d7c2fced136a23b4cacc8b41c7949575b679829e1a998dc2b7a531N.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2236: 0ea67812c8d7c2fced136a23b4cacc8b41c7949575b679829e1a998dc2b7a531N.exe (2 entries)
  PID 2072: ecadob.exe and PID 2188: xbodsys.exe (remaining entries, alternating between the two processes)
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2236 (0ea67812c8d7c2fced136a23b4cacc8b41c7949575b679829e1a998dc2b7a531N.exe) wrote to memory of PID 2072, procid_target 30 (4 entries)
  PID 2236 (0ea67812c8d7c2fced136a23b4cacc8b41c7949575b679829e1a998dc2b7a531N.exe) wrote to memory of PID 2188, procid_target 31 (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\0ea67812c8d7c2fced136a23b4cacc8b41c7949575b679829e1a998dc2b7a531N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0ea67812c8d7c2fced136a23b4cacc8b41c7949575b679829e1a998dc2b7a531N.exe"
  PID: 2236
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
    PID: 2072
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\FilesOI\xbodsys.exe
    Command line: C:\FilesOI\xbodsys.exe
    PID: 2188
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.6MB
  MD5: 15d3e2b8479a4b2204c93eaca7693b1c
  SHA1: fe4bdfecd553ef5859511c53025c23565f06e2b2
  SHA256: 23bbbf55043b88e62e67b33529a98d02d2c37720afd0016620a6a019f530c617
  SHA512: 2652ea62d8e05f497fd7e7118d7e14e70347077ffcfb06b1f635780a8ed6528f061c9d076425f195f4954f659f869ad19effee2a3434ca9ddf8191ac03c798bd
- Filesize: 2.6MB
  MD5: addda24bb94def4c150db402d782fc1f
  SHA1: e2c9c84bd4e135fa41d40da71df3ff71b3d0dc29
  SHA256: 0c846cc6afe4a31190838308f0ccf5d1cca28b296e666352b7b3845ea5eaa2e7
  SHA512: 1bef4c5dfe6781d2c4e4bbe676029f59cb9f92945682c2c7ebe7fe9711d8777e0637578b45145b7714d7b4017fc48dd1c7bb4cc15b40a0f51dde071c4391e4f5
- Filesize: 924KB
  MD5: fcf1247a72bca6815285bdeec251fbd5
  SHA1: 79c2cde9260dc84599e00e5749c1f8a2bc989328
  SHA256: 690793e52ef0ad91c6f823934c769e65a968040c3636c8bf3607f8c7050f611b
  SHA512: 61b6b353e76c76d61f78dd2c2f6f2334f1ae700842a27b406ae962c6cbb3f45cdff9e8fb56a46e08774bf13cdf0234d32bd5321c939fc0cacfe1931202c5982f
- Filesize: 168B
  MD5: 7de7daa834d985338fd5363e3909a780
  SHA1: 2ae121abd7b09b761b269821ef8a2c8670ff2d36
  SHA256: 0493f2b7906b2e219a826b6d7a3f9bc023f92a8d00048f5b25240eb58534e246
  SHA512: f82d3a24e0f964dcca1b050e85aeca5da1ef5d381bbce00b1cdf3b84e3c1526762bc4f293abbc983e9b1c5a70b04b68eabcd54a1db3273d5e910d92ba6358f4c
- Filesize: 200B
  MD5: 4264b2019848f93783ef5182b9e658fe
  SHA1: 26cdd31c24a2d0274870434ff39a8de2ed2f531a
  SHA256: 4938401bcee272ba3d1bb312e3cf4880951fb68d3170b22a8cfe6fdcdcdf2288
  SHA512: 1d4260524883a355b2d56b57444114c2fe9a1f93e099188b83071a45b3763e4b8692ef9e77d4c10f4936064fb76e8c57b54aa5bbce410f1f4b5c3b133adfea96
- Filesize: 2.6MB
  MD5: 16101c2e43ebb7cd150fd4daf4b6b1ed
  SHA1: 7f24a846ef619428d1b175bc3eb3f030d874a108
  SHA256: c51134ec7166f44cdbbe8b82500dc6282c20d18353f1f9c55c23773c2d76b6fb
  SHA512: 7774e6679fe59f0874c8342c1fbdfa68e24f75cbf1152ed5d981a4b400a77df6482fcde2aca582c7063b78d7e981fcfb49bfbde188e5f33d4bac8b278602d19e