Analysis
- max time kernel: 120s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
- submitted: 25/10/2024, 22:02
Static task: static1
Behavioral task: behavioral1
- Sample: b1c8d6c417c5220349566661261a2f3cafce0abcb929bbe26d131ed4c537188dN.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: b1c8d6c417c5220349566661261a2f3cafce0abcb929bbe26d131ed4c537188dN.exe
- Resource: win10v2004-20241007-en
General
- Target: b1c8d6c417c5220349566661261a2f3cafce0abcb929bbe26d131ed4c537188dN.exe
- Size: 2.6MB
- MD5: fd18cadbfb0517b0f4a395bf67ad2360
- SHA1: cc71a8e26221592b4a38787e73d9f42335698140
- SHA256: b1c8d6c417c5220349566661261a2f3cafce0abcb929bbe26d131ed4c537188d
- SHA512: 745804941f7347e58833e592d7216ac02add79993d5b40f37652284802c849914cd32114f5add21670a5a4db1215ee5122ed0e0680e027c248d7fd8bad9969f6
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBcB/bS:sxX7QnxrloE5dpUpHb
Malware Config
Signatures
-
Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe, by b1c8d6c417c5220349566661261a2f3cafce0abcb929bbe26d131ed4c537188dN.exe
-
Executes dropped EXE (2 IoCs)
  PID 2536, ecxbod.exe
  PID 2628, xdobsys.exe
-
Loads dropped DLL (2 IoCs)
  PID 2820, b1c8d6c417c5220349566661261a2f3cafce0abcb929bbe26d131ed4c537188dN.exe (two entries)
-
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar sensitive items.
-
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe29\\xdobsys.exe", by b1c8d6c417c5220349566661261a2f3cafce0abcb929bbe26d131ed4c537188dN.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint2T\\dobxloc.exe", by b1c8d6c417c5220349566661261a2f3cafce0abcb929bbe26d131ed4c537188dN.exe
-
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by b1c8d6c417c5220349566661261a2f3cafce0abcb929bbe26d131ed4c537188dN.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by ecxbod.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by xdobsys.exe
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2820, b1c8d6c417c5220349566661261a2f3cafce0abcb929bbe26d131ed4c537188dN.exe
  PID 2536, ecxbod.exe
  PID 2628, xdobsys.exe
  (the 64 entries are repeats of these three processes)
-
Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2820 (b1c8d6c417c5220349566661261a2f3cafce0abcb929bbe26d131ed4c537188dN.exe) wrote to memory of PID 2536, procid_target 30 (4 entries)
  PID 2820 (b1c8d6c417c5220349566661261a2f3cafce0abcb929bbe26d131ed4c537188dN.exe) wrote to memory of PID 2628, procid_target 31 (4 entries)
Processes
-
Depth 1: C:\Users\Admin\AppData\Local\Temp\b1c8d6c417c5220349566661261a2f3cafce0abcb929bbe26d131ed4c537188dN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b1c8d6c417c5220349566661261a2f3cafce0abcb929bbe26d131ed4c537188dN.exe"
  PID: 2820
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
-
Depth 2 (child of PID 2820): C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
  PID: 2536
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
-
Depth 2 (child of PID 2820): C:\Adobe29\xdobsys.exe
  Command line: C:\Adobe29\xdobsys.exe
  PID: 2628
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
-
Network
MITRE ATT&CK Enterprise v15
Downloads