Analysis

  • max time kernel
    119s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20241010-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    25/10/2024, 21:27

General

  • Target

    f3583f67d8687f8a0565eae2e32170454b4d10b8c22f3175131e3929dae3d3ffN.exe

  • Size

    2.6MB

  • MD5

    f93c642af9f7a792ad4003e2dac40310

  • SHA1

    4367c57bede3f3f658630b1979a1cac5e4d4a1ce

  • SHA256

    f3583f67d8687f8a0565eae2e32170454b4d10b8c22f3175131e3929dae3d3ff

  • SHA512

    a4a33d8a281835e0fdcd8fed01b0a3397d3e217cb972b23d0902f4a0095ab061c73d7203c3dccda3832605cfbcc3a0ef7a6a91e59dca1891a8e961ee40b07177

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBdB/bSq:sxX7QnxrloE5dpUpmbV

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and form data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f3583f67d8687f8a0565eae2e32170454b4d10b8c22f3175131e3929dae3d3ffN.exe
    "C:\Users\Admin\AppData\Local\Temp\f3583f67d8687f8a0565eae2e32170454b4d10b8c22f3175131e3929dae3d3ffN.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2556
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1512
    • C:\UserDotYX\devdobec.exe
      C:\UserDotYX\devdobec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2284

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Mint5X\bodxloc.exe

    Filesize

    2.6MB

    MD5

    3c57d65c03c0fad2a857a883ee67ffc6

    SHA1

    ecf424d17d54acd81639c58864096264e2711cae

    SHA256

    d3538bc7be796bb9d59cc378cb3e0340bf7cb814f48524e1222c5a002f690e5c

    SHA512

    4997b6e68ed78676587725273624fbc0aff6e7d4bbf964a07340c4866adc70c2a32e6fd29a259bcccb60cc93b0b4f80d092de8b0f953d8d343aadbb51ca18e52

  • C:\Mint5X\bodxloc.exe

    Filesize

    106KB

    MD5

    bd90b6926f8ff2d3bbba1a7c4afaad50

    SHA1

    f4b3c2095723c762caf470fbc288336d6061d1a0

    SHA256

    46db6e4659ea7313160d1e0dfca15fbe95c00a84a6b60d8bd78faf0671b5002c

    SHA512

    c2782b99d280602887e04272a11890a24af9962a05b381e76a4402404c483020e434ceeb07fb01287ff9ac1fc0b6e6d281fbf3dbce1277219bfa33c5f42116f2

  • C:\UserDotYX\devdobec.exe

    Filesize

    2.6MB

    MD5

    336d95096173c02300720281d64640e3

    SHA1

    9e70cb9ab25606aa5fcaaee6114f449eec88c06f

    SHA256

    7921f4d8c826874379eb118dfe2a15c0f594a1d9df994a49663cba7e5c3f9a43

    SHA512

    7daf43d65efb0635d02e369276878b2e0dece49a1b31f0ed3eaf996bde30db91608e8169e4c35a4d202f7364e63b2fc63e32e86f78510ac0d7ad38775aa56048

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    171B

    MD5

    229a9aae67ed96bde7b376cbbbcc525e

    SHA1

    d3c7efed210f6949a1a97b563a30619609d0cef8

    SHA256

    d3fe96ce0f141df33a93d89e47d288956276db8ea9fdb10eecf92420327673b0

    SHA512

    df4232d9a76aabeab88590d07fc811acf277a7878069ce3fdeaebabc8c8260180f0e4af233606f6289173929e8ded83b1f06030db5c449e8be231930c6d6e8a6

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    203B

    MD5

    44a78171a94eba63e3ea131349b127ff

    SHA1

    bc7459f15eaa26f9064d70cdede9b18525cb26f8

    SHA256

    26d97b481a3cfeebde363d9227dc31e961240e35ae6f777ba744a3fb292c30d1

    SHA512

    bf44304a8eddc33b4f4950682d848c9936efc3483aa1d0d1814a0733e17106a41ced6619df64737e0614f76816352759a3fcfa1f4443c260578d78c9e5302099

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe

    Filesize

    2.6MB

    MD5

    934574242c25e2446a10cb1d3973e1f7

    SHA1

    696be70b5ec63477fb5b6813e7edb7e380255973

    SHA256

    2261dad52094e7b22e478df5c11b10c3f04ff61feddae9ec7a5884a2d85fa040

    SHA512

    ae581e8e86870e23d254b7f259e0bd59831eda2623bbf47349f07823f49acb60c8c33829d29931768d69fc3dfc0cb4e9340fbba94b23c6fa19d92736d868161d
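The behaviour in the Signatures and Processes sections (a copy dropped into the per-user Startup folder, further copies staged in freshly created root-level directories such as C:\UserDotYX and C:\Mint5X, a numbered .ini written to the profile root) and the hashes in the Downloads section translate directly into a host sweep. The Python below is an added example, not part of the tria.ge report or of the sample: it walks a mounted image or a file collection, hashes every file, and flags exact matches against the report's SHA256 values plus path heuristics for the staging locations. The root-directory allowlist, the generalised <digits>_<osversion>_<user>.ini pattern (6.1 is the Windows 7 version number, Admin the sandbox user) and the demo tree it builds are assumptions; the demo file contents are constructed and do not reproduce the sample's hashes.

```python
"""Sweep a mounted image or file collection for the artifacts in this report."""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# SHA256 values copied from the General and Downloads sections of the report.
REPORT_SHA256 = {
    "f3583f67d8687f8a0565eae2e32170454b4d10b8c22f3175131e3929dae3d3ff": "original sample",
    "d3538bc7be796bb9d59cc378cb3e0340bf7cb814f48524e1222c5a002f690e5c": r"C:\Mint5X\bodxloc.exe (2.6MB)",
    "46db6e4659ea7313160d1e0dfca15fbe95c00a84a6b60d8bd78faf0671b5002c": r"C:\Mint5X\bodxloc.exe (106KB)",
    "7921f4d8c826874379eb118dfe2a15c0f594a1d9df994a49663cba7e5c3f9a43": r"C:\UserDotYX\devdobec.exe",
    "2261dad52094e7b22e478df5c11b10c3f04ff61feddae9ec7a5884a2d85fa040": r"Startup\sysadob.exe",
    "d3fe96ce0f141df33a93d89e47d288956276db8ea9fdb10eecf92420327673b0": r"253086396416_6.1_Admin.ini (171B)",
    "26d97b481a3cfeebde363d9227dc31e961240e35ae6f777ba744a3fb292c30d1": r"253086396416_6.1_Admin.ini (203B)",
}

# Directories that legitimately sit directly under the volume root. An .exe in
# any other top-level directory is flagged. This allowlist is an assumption;
# extend it for hosts that keep vendor folders under C:\.
NORMAL_ROOT_DIRS = {"windows", "program files", "program files (x86)", "programdata",
                    "users", "perflogs", "recovery", "$recycle.bin",
                    "system volume information"}

# Paths are matched relative to the collection root, with forward slashes.
STARTUP_EXE = re.compile(
    r"^users/[^/]+/appdata/roaming/microsoft/windows/start menu/programs/startup/[^/]+\.exe$",
    re.I)
ROOT_DIR_EXE = re.compile(r"^([^/]+)/[^/]+\.exe$", re.I)
# <digits>_<osversion>_<user>.ini in the profile root (generalised, assumption).
PROFILE_INI = re.compile(r"^users/[^/]+/\d+_\d+\.\d+_[^/]+\.ini$", re.I)


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(rel: str, digest: str, known=REPORT_SHA256):
    """Return the reasons a file is interesting; an empty list means clean."""
    reasons = []
    if digest in known:
        reasons.append(f"hash matches report artifact: {known[digest]}")
    if STARTUP_EXE.match(rel):
        reasons.append("executable in per-user Startup folder")
    m = ROOT_DIR_EXE.match(rel)
    if m and m.group(1).lower() not in NORMAL_ROOT_DIRS:
        reasons.append(f"executable in non-standard root directory {m.group(1)}")
    if PROFILE_INI.match(rel):
        reasons.append("numbered <id>_<osver>_<user>.ini in profile root")
    return reasons


def sweep(root: Path, known=REPORT_SHA256):
    """Hash every file under root and return the flagged ones, sorted by path."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            digest = sha256_of(p)
            reasons = classify(rel, digest, known)
            if reasons:
                findings.append({"path": rel, "sha256": digest, "reasons": reasons})
    return sorted(findings, key=lambda f: f["path"])


def build_demo_tree(root: Path):
    """Constructed collection: names mirror the report, contents are placeholders."""
    layout = {
        "Users/Admin/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/sysadob.exe": b"MZ demo-1",
        "UserDotYX/devdobec.exe": b"MZ demo-2",
        "Mint5X/bodxloc.exe": b"MZ demo-3",
        "Users/Admin/253086396416_6.1_Admin.ini": b"[demo]\n",
        "Windows/System32/notepad.exe": b"MZ benign",
        "Users/Admin/Documents/notes.txt": b"benign",
    }
    for rel, data in layout.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return layout


def run_demo(known=REPORT_SHA256):
    """Build the constructed tree in a temp dir, sweep it and return the findings."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        build_demo_tree(root)
        return sweep(root, known)


if __name__ == "__main__":
    for f in run_demo():
        print(f["path"], f["sha256"][:16], *f["reasons"], sep="\n    ")
```

Point `sweep()` at the root of the mounted volume (the directory that contains `Users` and `Windows`). The Run key the sample writes lives only in the registry, so on a live host or an exported NTUSER.DAT also check the `Software\Microsoft\Windows\CurrentVersion\Run` values for anything pointing at a flagged path. The hash matches are exact and reliable; the path rules are heuristics and will also surface legitimate software that installs into a custom root directory, so review those hits rather than acting on them blindly.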