
Analysis

  • max time kernel
    120s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/10/2024, 21:47

General

  • Target

    b54b947fe2a4daf89779cb54005a28bfde307a5272caed8b6193670e13f4d562N.exe

  • Size

    2.6MB

  • MD5

    5b845a80bef42554df3ea079f48ce7d0

  • SHA1

    f53ffb3446bb3208ee2bda3fb8bc87a8e8a3b09f

  • SHA256

    b54b947fe2a4daf89779cb54005a28bfde307a5272caed8b6193670e13f4d562

  • SHA512

    362cb12a11bb66e6c3c1116b1be75f6de0795986eeac7bf39a1d38cb86bc6780cf5debb2187b90f101965caa56f0615a649c7b5317bb4687dfe04d0f1cf1546a

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB0B/bS:sxX7QnxrloE5dpUpDb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies, and autofill data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b54b947fe2a4daf89779cb54005a28bfde307a5272caed8b6193670e13f4d562N.exe
    "C:\Users\Admin\AppData\Local\Temp\b54b947fe2a4daf89779cb54005a28bfde307a5272caed8b6193670e13f4d562N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2056
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1980
    • C:\Adobe2A\xdobloc.exe
      C:\Adobe2A\xdobloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1888

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Adobe2A\xdobloc.exe

    Filesize

    2.6MB

    MD5

    90da37076a4a7e67684f0cb9afa651c8

    SHA1

    23d69766ec778249845167e1bd4cae1b66d3cb2f

    SHA256

    39955dff81db3c1e8eb544385aa65a813de85b9dca086a1b534d55245f567554

    SHA512

    09d1627dada062795713916d613656a23465a3e3f6f811da78982169b7f9f85fb031a854369160cbedd665e27c9ae5cecdfae7e08736c4fcf64d0b0926647b82

  • C:\LabZY1\optixloc.exe

    Filesize

    2.6MB

    MD5

    3fd2d6dfd6b723b967a5164086c3c0b2

    SHA1

    e0b760698a37c27815e136594152169e6b3123ad

    SHA256

    b74196810cbfda25952c2b2d3b80afc4fe616e2cfd2ab0da12d0081ef82c3cc9

    SHA512

    c5f3c718deedaf04daa23ea111a6c3d517750a9388492ffb4ad2f755e72b45daced448200e29f51d3cad23c43b76ee9aa86c0baad1920e1ef1066d720065bf68

  • C:\LabZY1\optixloc.exe

    Filesize

    2.6MB

    MD5

    13dcba811ae49ee41e4d9247b03882fa

    SHA1

    5c7f3378ccdf9e957a3df2c360be9662b9d89818

    SHA256

    d44513a8db5b8d32b18a839668e474d15c2492c811ec6bdb42be97a619a24c55

    SHA512

    ea7f1b59addc75965697ff04313b7acad9f72a06c6bb7aaf1bb0a48b3aef7e32739a851cb037f37952783e4c810d9cb9fd0562d3007fe83d8fbc8c98ef80bd97

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    169B

    MD5

    aa6eb03c99aaf51740ec84051f8d7568

    SHA1

    a89fa086d4dfabb803c7b3cd823fa97cd4b820a3

    SHA256

    8b1f8e2ae3d90c0cbf4f6746057c57fe20a9a0a80bdcbabf639f275361d614f8

    SHA512

    2e6740f03f00c95f5f2e41930bffacdb9cdd4080ae879d512d4846d81609c701c0ce70fbbfb58964617c371473f7fe4c65f886419e02dd6527b53e1d806318a6

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    201B

    MD5

    1b7d1b2b45852a76b1ab70169d8a761d

    SHA1

    86fd4ec3a7f4f4c6cd69e2da82ec7d67f9c399c1

    SHA256

    714dc6891fda6b66ae8a678125175a79be963debd884ee9ce6362d2eab3a5c7f

    SHA512

    c9d23822230ca7ac709c8c6e6c811490d5e65a3577023d950befb74e4038e2d9265da5daa2cbcd5e4e146641809aec310d42ec8b2a17a2a89fdf9f5ae0cdcf25

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe

    Filesize

    2.6MB

    MD5

    e90c83b216c3e3551ff9a3a69e5c6e59

    SHA1

    9aa6b65bd8c7002bbfb737938bb757a035c12c70

    SHA256

    f14b7fb4b24ff3717e49bc0bc23c0f0f34ff046b0d794c7cdc2f4018da27ab08

    SHA512

    e71a79444aaaeb442091e8a809c8ce43c13cee22fb5f1695980d4951e9c2ca8b7e41878aaa420f06c1a01ec8cdd0719100839e25abbf37e3f4fdccabd0e0ca36
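The process tree and the Downloads section above together give a host-level hunt list: a copy written to the user's Startup folder (sysxdob.exe), two further copies under C:\Adobe2A\ and C:\LabZY1\, a Run key whose value name the report does not record, and a small .ini marker in the profile root. The following PowerShell triage script is an added example, not part of the tria.ge report or of the sample itself. It checks a live Windows host for exactly those artifacts. Assumptions, labelled in the code: the Run value is matched on its data because the report gives no value name; the .ini is matched on the pattern <digits>_6.1_<user>.ini, which is read from the single observed name and may not hold on other hosts; C:\Users\Admin is replaced by the current profile. The report also records "Loads dropped DLL" but lists no DLL path, so there is nothing to check for that signature.

```powershell
# Added triage script for the artifacts recorded in this tria.ge report (not the report's or the
# sample's own code). Requires PowerShell 4 or later for Get-FileHash.
$ErrorActionPreference = 'SilentlyContinue'

# Paths observed in the process tree and "Downloads" section. The Startup folder is resolved
# for the logged-on user instead of hard-coding C:\Users\Admin.
$startup = [Environment]::GetFolderPath('Startup')
$observedFiles = @(
    (Join-Path $startup 'sysxdob.exe'),
    'C:\Adobe2A\xdobloc.exe',
    'C:\LabZY1\optixloc.exe'
)

# SHA256 values from the "Downloads" section, keyed by file name. All dropped copies are 2.6MB
# but carry different hashes, so a file found at the path with a non-matching hash is still
# reported rather than silently ignored.
$knownSha256 = @{
    'sysxdob.exe'  = @('f14b7fb4b24ff3717e49bc0bc23c0f0f34ff046b0d794c7cdc2f4018da27ab08')
    'xdobloc.exe'  = @('39955dff81db3c1e8eb544385aa65a813de85b9dca086a1b534d55245f567554')
    'optixloc.exe' = @('b74196810cbfda25952c2b2d3b80afc4fe616e2cfd2ab0da12d0081ef82c3cc9',
                       'd44513a8db5b8d32b18a839668e474d15c2492c811ec6bdb42be97a619a24c55')
}

$findings = @()

# 1. Dropped executables at the observed paths, with hash comparison against the report.
foreach ($path in $observedFiles) {
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToLower()
        $name = Split-Path -Leaf $path
        $match = if ($knownSha256[$name] -contains $hash) { 'hash matches report' } else { 'hash differs from report' }
        $findings += [pscustomobject]@{ Type = 'DroppedFile'; Location = $path; Detail = "$hash ($match)" }
    }
}

# 2. Everything else in the Startup folder: the sample writes here directly ("Drops startup file"),
#    so any unexpected executable in this folder deserves a look.
Get-ChildItem -LiteralPath $startup -File | ForEach-Object {
    $h = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash.ToLower()
    $findings += [pscustomobject]@{ Type = 'StartupFolder'; Location = $_.FullName; Detail = $h }
}

# 3. Run keys. The report records "Adds Run key to start application" but not the value name,
#    so (assumption) any value whose data references an observed path or directory is flagged.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$pathMarkers = @('sysxdob.exe', 'xdobloc.exe', 'optixloc.exe', '\Adobe2A\', '\LabZY1\')
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath/etc. metadata properties
        $data = [string]$p.Value
        foreach ($m in $pathMarkers) {
            if ($data -like "*$m*") {
                $findings += [pscustomobject]@{ Type = 'RunKey'; Location = "$key\$($p.Name)"; Detail = $data }
                break
            }
        }
    }
}

# 4. Marker .ini in the profile root. Observed name: 253086396416_6.1_Admin.ini. Treating the
#    numeric prefix as variable and "_6.1_" as fixed is an assumption drawn from that one name.
Get-ChildItem -LiteralPath $env:USERPROFILE -File -Filter '*_6.1_*.ini' | ForEach-Object {
    $findings += [pscustomobject]@{ Type = 'MarkerIni'; Location = $_.FullName; Detail = "$($_.Length) bytes" }
}

if ($findings.Count -eq 0) { 'No artifacts from this report found.' } else { $findings | Format-Table -AutoSize }
```

Run it in an elevated session so the HKLM Run keys are readable. Because the three dropped copies differ in hash despite identical size, the script keys on path and only reports whether the hash agrees with the report; blocking on the listed hashes alone would miss copies the sample produces on other hosts.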