Analysis
max time kernel: 120s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 25/10/2024, 21:47
Static task: static1
Behavioral task: behavioral1
  Sample: b54b947fe2a4daf89779cb54005a28bfde307a5272caed8b6193670e13f4d562N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: b54b947fe2a4daf89779cb54005a28bfde307a5272caed8b6193670e13f4d562N.exe
  Resource: win10v2004-20241007-en
General
Target: b54b947fe2a4daf89779cb54005a28bfde307a5272caed8b6193670e13f4d562N.exe
Size: 2.6MB
MD5: 5b845a80bef42554df3ea079f48ce7d0
SHA1: f53ffb3446bb3208ee2bda3fb8bc87a8e8a3b09f
SHA256: b54b947fe2a4daf89779cb54005a28bfde307a5272caed8b6193670e13f4d562
SHA512: 362cb12a11bb66e6c3c1116b1be75f6de0795986eeac7bf39a1d38cb86bc6780cf5debb2187b90f101965caa56f0615a649c7b5317bb4687dfe04d0f1cf1546a
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB0B/bS:sxX7QnxrloE5dpUpDb
Malware Config
Signatures
Drops startup file (1 IoC)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | b54b947fe2a4daf89779cb54005a28bfde307a5272caed8b6193670e13f4d562N.exe

Executes dropped EXE (2 IoCs)
pid | Process
1980 | sysxdob.exe
1888 | xdobloc.exe

Loads dropped DLL (2 IoCs)
pid | Process
2056 | b54b947fe2a4daf89779cb54005a28bfde307a5272caed8b6193670e13f4d562N.exe
2056 | b54b947fe2a4daf89779cb54005a28bfde307a5272caed8b6193670e13f4d562N.exe

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe2A\\xdobloc.exe" | b54b947fe2a4daf89779cb54005a28bfde307a5272caed8b6193670e13f4d562N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZY1\\optixloc.exe" | b54b947fe2a4daf89779cb54005a28bfde307a5272caed8b6193670e13f4d562N.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xdobloc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b54b947fe2a4daf89779cb54005a28bfde307a5272caed8b6193670e13f4d562N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sysxdob.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
2056 | b54b947fe2a4daf89779cb54005a28bfde307a5272caed8b6193670e13f4d562N.exe (2 entries)
1980 | sysxdob.exe and 1888 | xdobloc.exe, alternating, for the remaining 62 entries

Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 2056 wrote to memory of 1980 | 2056 | b54b947fe2a4daf89779cb54005a28bfde307a5272caed8b6193670e13f4d562N.exe | 30 (4 entries)
PID 2056 wrote to memory of 1888 | 2056 | b54b947fe2a4daf89779cb54005a28bfde307a5272caed8b6193670e13f4d562N.exe | 31 (4 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\b54b947fe2a4daf89779cb54005a28bfde307a5272caed8b6193670e13f4d562N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\b54b947fe2a4daf89779cb54005a28bfde307a5272caed8b6193670e13f4d562N.exe"
   PID: 2056
   - Drops startup file
   - Loads dropped DLL
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
      PID: 1980
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
   2. C:\Adobe2A\xdobloc.exe
      Command line: C:\Adobe2A\xdobloc.exe
      PID: 1888
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads