Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/10/2024, 21:34

General

  • Target

    d5e99c574bf2ac3e2497887e1e71b6748599155de9d767664b0a781de60ac7b6N.exe

  • Size

    2.6MB

  • MD5

    a8e06e00a02d3af625f54ccc0436a880

  • SHA1

    21fa0fd5b7de07759501a7f153fe4057b4f715f6

  • SHA256

    d5e99c574bf2ac3e2497887e1e71b6748599155de9d767664b0a781de60ac7b6

  • SHA512

    c2c3aaed448e48740ca44c010cba4ab450970528e01b12769e9777c99ecfb24d03e13691f8205a40feaf2ebe8a73e472c41871cb4c3c643f634244c3c02004c9

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBvB/bS:sxX7QnxrloE5dpUp8b

Malware Config

Signatures

  • Drops startup file (1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (2 IoCs)
  • Reads user/profile data of web browsers (3 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\d5e99c574bf2ac3e2497887e1e71b6748599155de9d767664b0a781de60ac7b6N.exe
    "C:\Users\Admin\AppData\Local\Temp\d5e99c574bf2ac3e2497887e1e71b6748599155de9d767664b0a781de60ac7b6N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:784
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:592
    • C:\Adobe43\abodsys.exe
      C:\Adobe43\abodsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1920

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Adobe43\abodsys.exe

    Filesize

    2.6MB

    MD5

    48ca986a272f8904aa69e043b2dff8ba

    SHA1

    4c1876eb8bc80ee103056f1b5d43aa99cfaf8153

    SHA256

    490657fe19bcec782eca3b0f3d0276003b8aeaeeff040437cca3596d2959ebb6

    SHA512

    01a54fb11cb4979ca8524b634d341dab5929f0036e8a5ac82adbda25b7feac41a2f084e05b6d76bf00ed2d0c4745c1b10ed24aba1fd1d33c17a5839f43039c81

  • C:\KaVB6F\boddevloc.exe

    Filesize

    2.6MB

    MD5

    c81a498326cf222fac05a50654af96ed

    SHA1

    303f6fa82a6857b35d8f5db1808ab64d72bd874f

    SHA256

    ff2b6a0ebeeafbff01f700a497269dc81955129b52d078d25a41c97a4c9ac8c7

    SHA512

    a14d5887db6f2a76ef277990bfd963015eedf46c48947c6f171d666b1c31635313b59d5fe027dbab2d7e34e06494738075fc2f105239fe1316fee85e776624fc

  • C:\KaVB6F\boddevloc.exe

    Filesize

    2.6MB

    MD5

    d905c34792a992e2221551884993acb8

    SHA1

    0e1689a89153b4a612b338921ef4549e0e5082dc

    SHA256

    deda582c2ec7e0e78f5ba54c7851a8c18fb4761bb3faca17b793b7186635cd7b

    SHA512

    6b0e87aad848ae93fde74314bc39aea20c4c11721974a28ddb0f7ba89c69fd15eaeb8487e1dbb9acd2c350c34ecc1ea5a219decb59ae8c7ead34b8665ad39715

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    170B

    MD5

    dfd612489f30f3df94c15521cf941330

    SHA1

    bce50f377c19773946e2e378f54386ff9219ed42

    SHA256

    4b18c22cfd972bcb75939e46a30053b5cb54a4dbb0702243faa7f908f05ded17

    SHA512

    fd5bed2b3bb13757e20f62f21b4520345c9723831e9c9ee46a7825d8bc6e64e5692e8e4c87edfddd6c63f2913beb3192800cacbec64576645e8bba71010221e0

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    202B

    MD5

    9eba27f3e790d71b578ecda74910881e

    SHA1

    30ebd3e51009f7ae91aa73606aacc3d2785b9759

    SHA256

    d084c429a69ee9d76ba37e06454a35d9d4fb3b18443f5c1094ce6852851966de

    SHA512

    750377c89d434509e7fa5ff1c344356f498b5d5c81dc9a8270ba7b6d572ca8cae0aa62d3f32f7db32f21f69abd9e97c9b335752bccf0a796687793ab6339cc78

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe

    Filesize

    2.6MB

    MD5

    76fa0bcec6aaced2e0b8de99e1d852a3

    SHA1

    47e27668eefeb82bfb7356e5ace5c0ce9bfd0634

    SHA256

    0fcdfcc56ee61e2c173af92756a714dd5aef943acea51dcfdaf7fd2c5dfa3ff5

    SHA512

    2441e1c8c4ce4f30c77dceabf4850f03a5f91b3106a64cec5821f3826cca4ca5161cc06c671738fbd428e81d92fa6b4d1ce847d6bfee326c2b1fa204d90b0132