Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 119s
max time network: 17s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 25/10/2024, 21:27
Static task: static1
Behavioral task: behavioral1
Sample: f3583f67d8687f8a0565eae2e32170454b4d10b8c22f3175131e3929dae3d3ffN.exe
Resource: win7-20241010-en
Behavioral task: behavioral2
Sample: f3583f67d8687f8a0565eae2e32170454b4d10b8c22f3175131e3929dae3d3ffN.exe
Resource: win10v2004-20241007-en
General
Target: f3583f67d8687f8a0565eae2e32170454b4d10b8c22f3175131e3929dae3d3ffN.exe
Size: 2.6MB
MD5: f93c642af9f7a792ad4003e2dac40310
SHA1: 4367c57bede3f3f658630b1979a1cac5e4d4a1ce
SHA256: f3583f67d8687f8a0565eae2e32170454b4d10b8c22f3175131e3929dae3d3ff
SHA512: a4a33d8a281835e0fdcd8fed01b0a3397d3e217cb972b23d0902f4a0095ab061c73d7203c3dccda3832605cfbcc3a0ef7a6a91e59dca1891a8e961ee40b07177
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBdB/bSq:sxX7QnxrloE5dpUpmbV
Malware Config
Signatures
- Drops startup file 1 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | f3583f67d8687f8a0565eae2e32170454b4d10b8c22f3175131e3929dae3d3ffN.exe
- Executes dropped EXE 2 IoCs
pid | Process
1512 | sysadob.exe
2284 | devdobec.exe
- Loads dropped DLL 2 IoCs
pid | Process
2556 | f3583f67d8687f8a0565eae2e32170454b4d10b8c22f3175131e3929dae3d3ffN.exe
2556 | f3583f67d8687f8a0565eae2e32170454b4d10b8c22f3175131e3929dae3d3ffN.exe
- Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint5X\\bodxloc.exe" | f3583f67d8687f8a0565eae2e32170454b4d10b8c22f3175131e3929dae3d3ffN.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotYX\\devdobec.exe" | f3583f67d8687f8a0565eae2e32170454b4d10b8c22f3175131e3929dae3d3ffN.exe
- System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f3583f67d8687f8a0565eae2e32170454b4d10b8c22f3175131e3929dae3d3ffN.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sysadob.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | devdobec.exe
- Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2556 f3583f67d8687f8a0565eae2e32170454b4d10b8c22f3175131e3929dae3d3ffN.exe 2556 f3583f67d8687f8a0565eae2e32170454b4d10b8c22f3175131e3929dae3d3ffN.exe 1512 sysadob.exe 2284 devdobec.exe 1512 sysadob.exe 2284 devdobec.exe 1512 sysadob.exe 2284 devdobec.exe 1512 sysadob.exe 2284 devdobec.exe 1512 sysadob.exe 2284 devdobec.exe 1512 sysadob.exe 2284 devdobec.exe 1512 sysadob.exe 2284 devdobec.exe 1512 sysadob.exe 2284 devdobec.exe 1512 sysadob.exe 2284 devdobec.exe 1512 sysadob.exe 2284 devdobec.exe 1512 sysadob.exe 2284 devdobec.exe 1512 sysadob.exe 2284 devdobec.exe 1512 sysadob.exe 2284 devdobec.exe 1512 sysadob.exe 2284 devdobec.exe 1512 sysadob.exe 2284 devdobec.exe 1512 sysadob.exe 2284 devdobec.exe 1512 sysadob.exe 2284 devdobec.exe 1512 sysadob.exe 2284 devdobec.exe 1512 sysadob.exe 2284 devdobec.exe 1512 sysadob.exe 2284 devdobec.exe 1512 sysadob.exe 2284 devdobec.exe 1512 sysadob.exe 2284 devdobec.exe 1512 sysadob.exe 2284 devdobec.exe 1512 sysadob.exe 2284 devdobec.exe 1512 sysadob.exe 2284 devdobec.exe 1512 sysadob.exe 2284 devdobec.exe 1512 sysadob.exe 2284 devdobec.exe 1512 sysadob.exe 2284 devdobec.exe 1512 sysadob.exe 2284 devdobec.exe 1512 sysadob.exe 2284 devdobec.exe 1512 sysadob.exe 2284 devdobec.exe -
- Suspicious use of WriteProcessMemory 8 IoCs
description | pid | Process | procid_target
PID 2556 wrote to memory of 1512 | 2556 | f3583f67d8687f8a0565eae2e32170454b4d10b8c22f3175131e3929dae3d3ffN.exe | 30
PID 2556 wrote to memory of 1512 | 2556 | f3583f67d8687f8a0565eae2e32170454b4d10b8c22f3175131e3929dae3d3ffN.exe | 30
PID 2556 wrote to memory of 1512 | 2556 | f3583f67d8687f8a0565eae2e32170454b4d10b8c22f3175131e3929dae3d3ffN.exe | 30
PID 2556 wrote to memory of 1512 | 2556 | f3583f67d8687f8a0565eae2e32170454b4d10b8c22f3175131e3929dae3d3ffN.exe | 30
PID 2556 wrote to memory of 2284 | 2556 | f3583f67d8687f8a0565eae2e32170454b4d10b8c22f3175131e3929dae3d3ffN.exe | 31
PID 2556 wrote to memory of 2284 | 2556 | f3583f67d8687f8a0565eae2e32170454b4d10b8c22f3175131e3929dae3d3ffN.exe | 31
PID 2556 wrote to memory of 2284 | 2556 | f3583f67d8687f8a0565eae2e32170454b4d10b8c22f3175131e3929dae3d3ffN.exe | 31
PID 2556 wrote to memory of 2284 | 2556 | f3583f67d8687f8a0565eae2e32170454b4d10b8c22f3175131e3929dae3d3ffN.exe | 31
Processes
C:\Users\Admin\AppData\Local\Temp\f3583f67d8687f8a0565eae2e32170454b4d10b8c22f3175131e3929dae3d3ffN.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f3583f67d8687f8a0565eae2e32170454b4d10b8c22f3175131e3929dae3d3ffN.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2556
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe (level 2)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      PID: 1512
    C:\UserDotYX\devdobec.exe (level 2)
      Command line: C:\UserDotYX\devdobec.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      PID: 2284
Network
MITRE ATT&CK Enterprise v15
Downloads