Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 120s
max time network: 120s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 25/10/2024, 21:34
Static task: static1
Behavioral task: behavioral1
  Sample: d5e99c574bf2ac3e2497887e1e71b6748599155de9d767664b0a781de60ac7b6N.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: d5e99c574bf2ac3e2497887e1e71b6748599155de9d767664b0a781de60ac7b6N.exe
  Resource: win10v2004-20241007-en
General
Target: d5e99c574bf2ac3e2497887e1e71b6748599155de9d767664b0a781de60ac7b6N.exe
Size: 2.6MB
MD5: a8e06e00a02d3af625f54ccc0436a880
SHA1: 21fa0fd5b7de07759501a7f153fe4057b4f715f6
SHA256: d5e99c574bf2ac3e2497887e1e71b6748599155de9d767664b0a781de60ac7b6
SHA512: c2c3aaed448e48740ca44c010cba4ab450970528e01b12769e9777c99ecfb24d03e13691f8205a40feaf2ebe8a73e472c41871cb4c3c643f634244c3c02004c9
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBvB/bS:sxX7QnxrloE5dpUp8b
Malware Config
Signatures
Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe (process: d5e99c574bf2ac3e2497887e1e71b6748599155de9d767664b0a781de60ac7b6N.exe)

Executes dropped EXE (2 IoCs)
  PID 592: sysadob.exe
  PID 1920: abodsys.exe

Loads dropped DLL (2 IoCs)
  PID 784: d5e99c574bf2ac3e2497887e1e71b6748599155de9d767664b0a781de60ac7b6N.exe
  PID 784: d5e99c574bf2ac3e2497887e1e71b6748599155de9d767664b0a781de60ac7b6N.exe

Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe43\\abodsys.exe" (process: d5e99c574bf2ac3e2497887e1e71b6748599155de9d767664b0a781de60ac7b6N.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB6F\\boddevloc.exe" (process: d5e99c574bf2ac3e2497887e1e71b6748599155de9d767664b0a781de60ac7b6N.exe)

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: d5e99c574bf2ac3e2497887e1e71b6748599155de9d767664b0a781de60ac7b6N.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: sysadob.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: abodsys.exe)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 784: d5e99c574bf2ac3e2497887e1e71b6748599155de9d767664b0a781de60ac7b6N.exe (2 entries)
  PID 592: sysadob.exe (31 entries, alternating with the next)
  PID 1920: abodsys.exe (31 entries)

Suspicious use of WriteProcessMemory (8 IoCs)
  PID 784 (d5e99c574bf2ac3e2497887e1e71b6748599155de9d767664b0a781de60ac7b6N.exe) wrote to memory of PID 592, procid_target 31 (4 entries)
  PID 784 (d5e99c574bf2ac3e2497887e1e71b6748599155de9d767664b0a781de60ac7b6N.exe) wrote to memory of PID 1920, procid_target 32 (4 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\d5e99c574bf2ac3e2497887e1e71b6748599155de9d767664b0a781de60ac7b6N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d5e99c574bf2ac3e2497887e1e71b6748599155de9d767664b0a781de60ac7b6N.exe"
  Level 1, PID: 784
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
    Level 2, PID: 592
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

  C:\Adobe43\abodsys.exe
    Command line: C:\Adobe43\abodsys.exe
    Level 2, PID: 1920
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2.6MB
MD5: 48ca986a272f8904aa69e043b2dff8ba
SHA1: 4c1876eb8bc80ee103056f1b5d43aa99cfaf8153
SHA256: 490657fe19bcec782eca3b0f3d0276003b8aeaeeff040437cca3596d2959ebb6
SHA512: 01a54fb11cb4979ca8524b634d341dab5929f0036e8a5ac82adbda25b7feac41a2f084e05b6d76bf00ed2d0c4745c1b10ed24aba1fd1d33c17a5839f43039c81

Filesize: 2.6MB
MD5: c81a498326cf222fac05a50654af96ed
SHA1: 303f6fa82a6857b35d8f5db1808ab64d72bd874f
SHA256: ff2b6a0ebeeafbff01f700a497269dc81955129b52d078d25a41c97a4c9ac8c7
SHA512: a14d5887db6f2a76ef277990bfd963015eedf46c48947c6f171d666b1c31635313b59d5fe027dbab2d7e34e06494738075fc2f105239fe1316fee85e776624fc

Filesize: 2.6MB
MD5: d905c34792a992e2221551884993acb8
SHA1: 0e1689a89153b4a612b338921ef4549e0e5082dc
SHA256: deda582c2ec7e0e78f5ba54c7851a8c18fb4761bb3faca17b793b7186635cd7b
SHA512: 6b0e87aad848ae93fde74314bc39aea20c4c11721974a28ddb0f7ba89c69fd15eaeb8487e1dbb9acd2c350c34ecc1ea5a219decb59ae8c7ead34b8665ad39715

Filesize: 170B
MD5: dfd612489f30f3df94c15521cf941330
SHA1: bce50f377c19773946e2e378f54386ff9219ed42
SHA256: 4b18c22cfd972bcb75939e46a30053b5cb54a4dbb0702243faa7f908f05ded17
SHA512: fd5bed2b3bb13757e20f62f21b4520345c9723831e9c9ee46a7825d8bc6e64e5692e8e4c87edfddd6c63f2913beb3192800cacbec64576645e8bba71010221e0

Filesize: 202B
MD5: 9eba27f3e790d71b578ecda74910881e
SHA1: 30ebd3e51009f7ae91aa73606aacc3d2785b9759
SHA256: d084c429a69ee9d76ba37e06454a35d9d4fb3b18443f5c1094ce6852851966de
SHA512: 750377c89d434509e7fa5ff1c344356f498b5d5c81dc9a8270ba7b6d572ca8cae0aa62d3f32f7db32f21f69abd9e97c9b335752bccf0a796687793ab6339cc78

Filesize: 2.6MB
MD5: 76fa0bcec6aaced2e0b8de99e1d852a3
SHA1: 47e27668eefeb82bfb7356e5ace5c0ce9bfd0634
SHA256: 0fcdfcc56ee61e2c173af92756a714dd5aef943acea51dcfdaf7fd2c5dfa3ff5
SHA512: 2441e1c8c4ce4f30c77dceabf4850f03a5f91b3106a64cec5821f3826cca4ca5161cc06c671738fbd428e81d92fa6b4d1ce847d6bfee326c2b1fa204d90b0132