Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    119s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    14/10/2024, 16:15

General

  • Target

    0ea67812c8d7c2fced136a23b4cacc8b41c7949575b679829e1a998dc2b7a531N.exe

  • Size

    2.6MB

  • MD5

    9267f952a13dabe9573df2e86e259ae0

  • SHA1

    4c840b73b84a96f569969d55892e05d97b868884

  • SHA256

    0ea67812c8d7c2fced136a23b4cacc8b41c7949575b679829e1a998dc2b7a531

  • SHA512

    8bb9393e1885c86ac39556188c7be4bac26d9395124556d83cb37b1d0a9b1d216c2dd9c593ac5f4de7ea18d52615b894319fe1a0ba611337152c06929b10da2c

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBZB/bS:sxX7QnxrloE5dpUpWb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0ea67812c8d7c2fced136a23b4cacc8b41c7949575b679829e1a998dc2b7a531N.exe
    "C:\Users\Admin\AppData\Local\Temp\0ea67812c8d7c2fced136a23b4cacc8b41c7949575b679829e1a998dc2b7a531N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2236
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2072
    • C:\FilesOI\xbodsys.exe
      C:\FilesOI\xbodsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2188

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\FilesOI\xbodsys.exe

    Filesize

    2.6MB

    MD5

    15d3e2b8479a4b2204c93eaca7693b1c

    SHA1

    fe4bdfecd553ef5859511c53025c23565f06e2b2

    SHA256

    23bbbf55043b88e62e67b33529a98d02d2c37720afd0016620a6a019f530c617

    SHA512

    2652ea62d8e05f497fd7e7118d7e14e70347077ffcfb06b1f635780a8ed6528f061c9d076425f195f4954f659f869ad19effee2a3434ca9ddf8191ac03c798bd

  • C:\LabZXO\optixloc.exe

    Filesize

    2.6MB

    MD5

    addda24bb94def4c150db402d782fc1f

    SHA1

    e2c9c84bd4e135fa41d40da71df3ff71b3d0dc29

    SHA256

    0c846cc6afe4a31190838308f0ccf5d1cca28b296e666352b7b3845ea5eaa2e7

    SHA512

    1bef4c5dfe6781d2c4e4bbe676029f59cb9f92945682c2c7ebe7fe9711d8777e0637578b45145b7714d7b4017fc48dd1c7bb4cc15b40a0f51dde071c4391e4f5

  • C:\LabZXO\optixloc.exe

    Filesize

    924KB

    MD5

    fcf1247a72bca6815285bdeec251fbd5

    SHA1

    79c2cde9260dc84599e00e5749c1f8a2bc989328

    SHA256

    690793e52ef0ad91c6f823934c769e65a968040c3636c8bf3607f8c7050f611b

    SHA512

    61b6b353e76c76d61f78dd2c2f6f2334f1ae700842a27b406ae962c6cbb3f45cdff9e8fb56a46e08774bf13cdf0234d32bd5321c939fc0cacfe1931202c5982f

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    168B

    MD5

    7de7daa834d985338fd5363e3909a780

    SHA1

    2ae121abd7b09b761b269821ef8a2c8670ff2d36

    SHA256

    0493f2b7906b2e219a826b6d7a3f9bc023f92a8d00048f5b25240eb58534e246

    SHA512

    f82d3a24e0f964dcca1b050e85aeca5da1ef5d381bbce00b1cdf3b84e3c1526762bc4f293abbc983e9b1c5a70b04b68eabcd54a1db3273d5e910d92ba6358f4c

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    200B

    MD5

    4264b2019848f93783ef5182b9e658fe

    SHA1

    26cdd31c24a2d0274870434ff39a8de2ed2f531a

    SHA256

    4938401bcee272ba3d1bb312e3cf4880951fb68d3170b22a8cfe6fdcdcdf2288

    SHA512

    1d4260524883a355b2d56b57444114c2fe9a1f93e099188b83071a45b3763e4b8692ef9e77d4c10f4936064fb76e8c57b54aa5bbce410f1f4b5c3b133adfea96

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe

    Filesize

    2.6MB

    MD5

    16101c2e43ebb7cd150fd4daf4b6b1ed

    SHA1

    7f24a846ef619428d1b175bc3eb3f030d874a108

    SHA256

    c51134ec7166f44cdbbe8b82500dc6282c20d18353f1f9c55c23773c2d76b6fb

    SHA512

    7774e6679fe59f0874c8342c1fbdfa68e24f75cbf1152ed5d981a4b400a77df6482fcde2aca582c7063b78d7e981fcfb49bfbde188e5f33d4bac8b278602d19e