Analysis

  • max time kernel
    119s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/10/2024, 21:55

General

  • Target

    ee8a108eaf578437280bf4ef425fe01cce29a4a122eb3371e775bf295694922dN.exe

  • Size

    2.6MB

  • MD5

    889d175a3c1a9155468b3343f7f3c690

  • SHA1

    7a634f4a8e2951f8aacb8896008452bfdb474cc5

  • SHA256

    ee8a108eaf578437280bf4ef425fe01cce29a4a122eb3371e775bf295694922d

  • SHA512

    9060eaf5c7b1fa3bff8af3446e605f7a57123a45c3ea305254cabbfbdefec4fa8d4b71092794a6e7baed9d3423aed7d7e80fbdf70e3c6a316e12b15bb160ffc1

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBnB/bS:sxX7QnxrloE5dpUp0b

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ee8a108eaf578437280bf4ef425fe01cce29a4a122eb3371e775bf295694922dN.exe
    "C:\Users\Admin\AppData\Local\Temp\ee8a108eaf578437280bf4ef425fe01cce29a4a122eb3371e775bf295694922dN.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2084
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2652
    • C:\UserDotJ7\abodloc.exe
      C:\UserDotJ7\abodloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2716

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\UserDotJ7\abodloc.exe

    Filesize

    2.6MB

    MD5

    84c123c5c1f426596f371e0fe5408175

    SHA1

    e624080d124d4d2f5db994510517b81669fb0a34

    SHA256

    f6ff61cdb21901da355abb6283961d193ae9d5b7c063205af153b9970d1562ab

    SHA512

    b2300264eccdd53377ebe1a36b0dbac33eb320a8426085f578397e788bac1c7b8588f4d7f6a41a3cf7ad53d7f3c6c27bf60fe625f6b5887f4bd6e02d35b7f846

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    171B

    MD5

    8dedd34b0e9f973299fe6ec0ecb8c0ae

    SHA1

    8df16512486f9264f7eb28d54ed8b1febaf7b8e3

    SHA256

    89ac524d1e0575e9b510b00d0ffeb39ac54615157c2c906aa0698cb871a154ad

    SHA512

    86115590a1e303f4de85757118ed07facf5e3d71eeff4a193cf494728e60493d710de3524621c8e18235ea916e7462809f8af2763a9d42d69f53215bfadb2335

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    203B

    MD5

    f7a885dfb6b3c6671a557298ee563fba

    SHA1

    7a2865439f5f25e8ccbcebb94526daf9b2c9ec00

    SHA256

    f37f335973151a3b8bdefd927411012ac9c0674db19527c91b24028d2dc38fc6

    SHA512

    309f285e719f64233983879f9a8712e059f16b779ec1269c5f8368a509b87a47f52ba1085bf4492577f58d9e592938836012c30692f6d981e9275fe1f1b6d71f

  • C:\VidD1\bodxec.exe

    Filesize

    12KB

    MD5

    5ce46de9d1c8ab23eeb8a98bb0b2232e

    SHA1

    eb2b026ffaf5a7802065fa5971c5c4495fa6763a

    SHA256

    0f99b7bc2b192971b8bed8dbf4f50389b59e62d5cae4d0fbbb58657c2730a6b0

    SHA512

    173969eb6ea4e493f9c0d1c1df5c1080fb72fc38f0fc13e5eaffdd7eeae658b9464603a66d0a918d3f86bca65b97dccfd201cd7d66c1758e452476026a290712

  • C:\VidD1\bodxec.exe

    Filesize

    2.6MB

    MD5

    e0d078a205e761b605100008293c62da

    SHA1

    26cab603ad5abff45d58814cd63dbc3425ecf697

    SHA256

    3c6c3ef861ed245eb21620229531a2fa1a58abf96ca9535c7f847356d92df01a

    SHA512

    d590822d0b36add970c91271fa4aba3dc45cb0fa131694ec30f7bff0482b24fb8f3b6c6d574114cbf37fd3706d31cce926843988ec628e454be59dbba906291f

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe

    Filesize

    2.6MB

    MD5

    be8245396e2e462caa7cbc944cb3b4fa

    SHA1

    deb603e48609d5473289fbee85c331b7029538ef

    SHA256

    914cdc333d5e8625d9055f885fc7c5d19cbae8bfcc163fe481baa4ce42feb3b3

    SHA512

    0797068b16e0c54e6f124f335396bf23e5b3acab494238adb461513aa60687d5d1ce69f9225b7adc9e486924afbd0ee29f6f0addeddd1390721a54f8a606bac5