Analysis
- max time kernel: 119s
- max time network: 16s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 25/10/2024, 21:55
Static task: static1
Behavioral task: behavioral1
- Sample: ee8a108eaf578437280bf4ef425fe01cce29a4a122eb3371e775bf295694922dN.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: ee8a108eaf578437280bf4ef425fe01cce29a4a122eb3371e775bf295694922dN.exe
- Resource: win10v2004-20241007-en
General
- Target: ee8a108eaf578437280bf4ef425fe01cce29a4a122eb3371e775bf295694922dN.exe
- Size: 2.6MB
- MD5: 889d175a3c1a9155468b3343f7f3c690
- SHA1: 7a634f4a8e2951f8aacb8896008452bfdb474cc5
- SHA256: ee8a108eaf578437280bf4ef425fe01cce29a4a122eb3371e775bf295694922d
- SHA512: 9060eaf5c7b1fa3bff8af3446e605f7a57123a45c3ea305254cabbfbdefec4fa8d4b71092794a6e7baed9d3423aed7d7e80fbdf70e3c6a316e12b15bb160ffc1
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBnB/bS:sxX7QnxrloE5dpUp0b
Malware Config
Signatures
- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe (Process: ee8a108eaf578437280bf4ef425fe01cce29a4a122eb3371e775bf295694922dN.exe)
- Executes dropped EXE (2 IoCs)
  PID 2652: locdevopti.exe
  PID 2716: abodloc.exe
- Loads dropped DLL (2 IoCs)
  PID 2084: ee8a108eaf578437280bf4ef425fe01cce29a4a122eb3371e775bf295694922dN.exe
  PID 2084: ee8a108eaf578437280bf4ef425fe01cce29a4a122eb3371e775bf295694922dN.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotJ7\\abodloc.exe" (Process: ee8a108eaf578437280bf4ef425fe01cce29a4a122eb3371e775bf295694922dN.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidD1\\bodxec.exe" (Process: ee8a108eaf578437280bf4ef425fe01cce29a4a122eb3371e775bf295694922dN.exe)
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: ee8a108eaf578437280bf4ef425fe01cce29a4a122eb3371e775bf295694922dN.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: locdevopti.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: abodloc.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs; identical pid/process entries collapsed)
  PID 2084: ee8a108eaf578437280bf4ef425fe01cce29a4a122eb3371e775bf295694922dN.exe (listed twice)
  PID 2652: locdevopti.exe (repeated)
  PID 2716: abodloc.exe (repeated)
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2084 (ee8a108eaf578437280bf4ef425fe01cce29a4a122eb3371e775bf295694922dN.exe) wrote to memory of PID 2652, procid_target 30
  PID 2084 (ee8a108eaf578437280bf4ef425fe01cce29a4a122eb3371e775bf295694922dN.exe) wrote to memory of PID 2652, procid_target 30
  PID 2084 (ee8a108eaf578437280bf4ef425fe01cce29a4a122eb3371e775bf295694922dN.exe) wrote to memory of PID 2652, procid_target 30
  PID 2084 (ee8a108eaf578437280bf4ef425fe01cce29a4a122eb3371e775bf295694922dN.exe) wrote to memory of PID 2652, procid_target 30
  PID 2084 (ee8a108eaf578437280bf4ef425fe01cce29a4a122eb3371e775bf295694922dN.exe) wrote to memory of PID 2716, procid_target 31
  PID 2084 (ee8a108eaf578437280bf4ef425fe01cce29a4a122eb3371e775bf295694922dN.exe) wrote to memory of PID 2716, procid_target 31
  PID 2084 (ee8a108eaf578437280bf4ef425fe01cce29a4a122eb3371e775bf295694922dN.exe) wrote to memory of PID 2716, procid_target 31
  PID 2084 (ee8a108eaf578437280bf4ef425fe01cce29a4a122eb3371e775bf295694922dN.exe) wrote to memory of PID 2716, procid_target 31
Processes
- C:\Users\Admin\AppData\Local\Temp\ee8a108eaf578437280bf4ef425fe01cce29a4a122eb3371e775bf295694922dN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ee8a108eaf578437280bf4ef425fe01cce29a4a122eb3371e775bf295694922dN.exe"
  PID: 2084
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
    PID: 2652
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\UserDotJ7\abodloc.exe
    Command line: C:\UserDotJ7\abodloc.exe
    PID: 2716
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads