Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    120s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/10/2024, 22:02

General

  • Target
    b1c8d6c417c5220349566661261a2f3cafce0abcb929bbe26d131ed4c537188dN.exe
  • Size
    2.6MB
  • MD5
    fd18cadbfb0517b0f4a395bf67ad2360
  • SHA1
    cc71a8e26221592b4a38787e73d9f42335698140
  • SHA256
    b1c8d6c417c5220349566661261a2f3cafce0abcb929bbe26d131ed4c537188d
  • SHA512
    745804941f7347e58833e592d7216ac02add79993d5b40f37652284802c849914cd32114f5add21670a5a4db1215ee5122ed0e0680e027c248d7fd8bad9969f6
  • SSDEEP
    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBcB/bS:sxX7QnxrloE5dpUpHb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b1c8d6c417c5220349566661261a2f3cafce0abcb929bbe26d131ed4c537188dN.exe
    "C:\Users\Admin\AppData\Local\Temp\b1c8d6c417c5220349566661261a2f3cafce0abcb929bbe26d131ed4c537188dN.exe"
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2820
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2536
    • C:\Adobe29\xdobsys.exe
      C:\Adobe29\xdobsys.exe
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2628
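The process tree above shows the pattern a detection engineer would want to alert on: a dropper writes one copy of itself into the user's Startup folder and another into a new directory directly under the drive root, sets a Run key, and launches both copies. The following is an added example, not part of the tria.ge report: it runs a few rules over constructed Sysmon-style JSON-lines events (EventID 1 process create, 11 file create, 13 registry value set) built from the PIDs and paths in this report, then correlates findings per PID so the dropper stands out from the children it launched. The Run key value name, the HKU SID prefix and the benign notepad.exe event are assumptions; the report does not show them.

```python
"""Detect the Startup-folder / Run-key / drive-root drop pattern from this
report over constructed Sysmon-style JSON-lines events."""
import json
import re
from collections import defaultdict

# Paths and PIDs are taken from the report. The Run key value name, the
# HKU SID prefix and the notepad.exe event are assumptions for this example.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\b1c8d6c417c5220349566661261a2f3cafce0abcb929bbe26d131ed4c537188dN.exe"
STARTUP_EXE = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
ROOT_EXE = r"C:\Adobe29\xdobsys.exe"

SAMPLE_EVENTS = [  # constructed
    {"EventID": 11, "ProcessId": 2820, "Image": DROPPER, "TargetFilename": STARTUP_EXE},
    {"EventID": 11, "ProcessId": 2820, "Image": DROPPER, "TargetFilename": ROOT_EXE},
    {"EventID": 13, "ProcessId": 2820, "Image": DROPPER,
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\xdobsys",
     "Details": ROOT_EXE},
    {"EventID": 1, "ProcessId": 2536, "ParentProcessId": 2820, "Image": STARTUP_EXE},
    {"EventID": 1, "ProcessId": 2628, "ParentProcessId": 2820, "Image": ROOT_EXE},
    {"EventID": 1, "ProcessId": 3100, "ParentProcessId": 1200, "Image": r"C:\Windows\System32\notepad.exe"},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)  # one JSON object per line

STARTUP_RE = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+$", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.IGNORECASE)
# An .exe exactly one directory below the drive root, e.g. C:\Adobe29\xdobsys.exe
ROOT_DIR_EXE_RE = re.compile(r"^[A-Za-z]:\\([^\\]+)\\[^\\]+\.exe$", re.IGNORECASE)
BENIGN_ROOT_DIRS = {"windows", "program files", "program files (x86)"}


def parse_log(text):
    """Parse JSON lines, skipping blank and malformed lines instead of aborting."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def odd_root_dir_exe(path):
    """True for an executable in a non-standard directory directly under the drive root."""
    m = ROOT_DIR_EXE_RE.match(path or "")
    return bool(m) and m.group(1).lower() not in BENIGN_ROOT_DIRS


def detect(events):
    """Return (rule, pid, artifact) for every event that matches a rule."""
    findings = []
    for ev in events:
        eid, pid = ev.get("EventID"), ev.get("ProcessId")
        if eid == 11:
            target = ev.get("TargetFilename", "")
            if STARTUP_RE.search(target):
                findings.append(("startup_folder_drop", pid, target))
            if odd_root_dir_exe(target):
                findings.append(("drop_under_drive_root", pid, target))
        elif eid == 13:
            key = ev.get("TargetObject", "")
            if RUN_KEY_RE.search(key):
                findings.append(("run_key_set", pid, f"{key} = {ev.get('Details', '')}"))
        elif eid == 1:
            image = ev.get("Image", "")
            if STARTUP_RE.search(image):
                findings.append(("exec_from_startup_folder", pid, image))
            if odd_root_dir_exe(image):
                findings.append(("exec_from_drive_root_dir", pid, image))
    return findings


def correlate(findings, min_rules=2):
    """Group by PID; a process tripping min_rules distinct rules is a dropper candidate."""
    by_pid = defaultdict(set)
    for rule, pid, _ in findings:
        by_pid[pid].add(rule)
    return {pid: sorted(rules) for pid, rules in by_pid.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    hits = detect(parse_log(SAMPLE_LOG))
    for rule, pid, artifact in hits:
        print(f"{rule:26} pid={pid} {artifact}")
    print("dropper candidates:", correlate(hits))
```

Each child process trips only one rule on its own (execution from the Startup folder, or from C:\Adobe29), which is noisy in isolation; the dropper PID 2820 trips three, so `correlate` is what turns five individual hits into one actionable alert. In a real pipeline the ParentProcessId field would also be used to link the two children back to 2820.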

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Adobe29\xdobsys.exe
    Filesize: 2.6MB
    MD5: 17a4bccb31458c4c55d8e9d47fa9841a
    SHA1: 3d786f1185ba0db907a6077cc3d380d807a7062b
    SHA256: b22ee1b5c17161f22db93422f9a859167300e1135b362b84659338ab949f9c7b
    SHA512: df6c181088d344aa78bf09981c646fd03e71e8f8beebb46a98500b6ce4d1140bb574f672b3c4ec7611ed69b704f3eed67878ad2c8f6d14b45c368e10936e600c

  • C:\Mint2T\dobxloc.exe
    Filesize: 2.6MB
    MD5: f523f6ff2e3a75494cf7c70463588338
    SHA1: 219ad8d181e73cc0b603034c4efd89f92b5a0f3a
    SHA256: 17d462b5fd62be4294732d62bde1c57029f6fb34254f7d8cb1e68b3c4b37347b
    SHA512: 6372e173f3236d9e2731d62c22e19f9a2dbcc0ef7d99dd607a271bdd8de43f2169a03e1a091d8fa9147b707a747d57882d3afde1ba078746ac28d161eb3c21c2

  • C:\Mint2T\dobxloc.exe
    Filesize: 2.6MB
    MD5: 832f30eb3fff35ecfcec2c491c38d718
    SHA1: 7b6b3938b6411347b635f272f988d94d6d45e3d4
    SHA256: 79c04feb3a810cd7a2d2f14207431137551e9d0c043add87752b8530a491aed0
    SHA512: fddaff42aea7e5a52e3d178f7171d86128373fbf6004786807e4b6d9adba7b5fc237708aed214520bfcae5053e7f9ddad4dfe131edea3eb6278b45419c2a7eb2

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 167B
    MD5: 0ea52067c91c66d4052df0363ac485d5
    SHA1: 3a25668dc4e194a99b127c7b67e68e4f7be5ed0e
    SHA256: dd8cedbeec26450ffb13d4e08eeb764b13fbf71de35925ad088d95f580f4a9ad
    SHA512: c212b255c783d2280c1e122a287b589d258d46a643103e180a0376115b225fa0a95290db503a455b37197b29b0069aef236ea6ca01218fe6a180a8130b019b3f

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 199B
    MD5: 66c4ac737990b01ad310a4d8a3226613
    SHA1: fd6b6b57c38ebfd317b928ee3c85f2b8a0d9306b
    SHA256: 8e9e3e748952fe5114d46e5b9c05dd1eebe0c685cd14f29b9b066e783da1315e
    SHA512: 734ac924540b771d13a1d7e93348e1f09ea8f30997341fe3227ead43bc78e696b3b997818de10b7bb1ea3319916bb6fd306988f998f55f582687a561eca15ae8

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
    Filesize: 2.6MB
    MD5: e01676e432791035d903771e450e4991
    SHA1: bda419e272bc7fa2ab6b4bc807c3f3ccf782d319
    SHA256: 9585a1c170dbbc6fd1b3abe688edc5191f1e27fcb3292fee19c4cf88179f4b4a
    SHA512: 58b21ae9727e4d60ee49dafe9e46c80550aee1060704120b7109830489a17a9c798c704abd7a3b2d8033a583e30624399c596a18fecdc114cbde5c1bfecfdf20
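The hashes in the General and Downloads sections are most useful as a blocklist. The following is an added example and not code from tria.ge: it copies the MD5/SHA1/SHA256 values from this report into a table, validates their format so a typo cannot silently never match, indexes them so a hit on any one algorithm is found (feeds often carry only MD5 or only SHA256), and flags paths the report lists with more than one content hash (C:\Mint2T\dobxloc.exe and the .ini were each written twice with different content). The bytes passed to `check` in the usage are constructed; no real sample content is embedded.

```python
"""Build a hash blocklist from this report's file list and check file
contents against it. Digests are copied from the report; the inputs
checked at the bottom are constructed for the example."""
import hashlib
import re

HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64}
TARGET = r"C:\Users\Admin\AppData\Local\Temp\b1c8d6c417c5220349566661261a2f3cafce0abcb929bbe26d131ed4c537188dN.exe"

# (path, md5, sha1, sha256) for the submitted sample and every dropped file in
# the report. A path may appear twice: the file was written more than once.
IOC_FILES = [
    (TARGET, "fd18cadbfb0517b0f4a395bf67ad2360", "cc71a8e26221592b4a38787e73d9f42335698140",
     "b1c8d6c417c5220349566661261a2f3cafce0abcb929bbe26d131ed4c537188d"),
    (r"C:\Adobe29\xdobsys.exe", "17a4bccb31458c4c55d8e9d47fa9841a", "3d786f1185ba0db907a6077cc3d380d807a7062b",
     "b22ee1b5c17161f22db93422f9a859167300e1135b362b84659338ab949f9c7b"),
    (r"C:\Mint2T\dobxloc.exe", "f523f6ff2e3a75494cf7c70463588338", "219ad8d181e73cc0b603034c4efd89f92b5a0f3a",
     "17d462b5fd62be4294732d62bde1c57029f6fb34254f7d8cb1e68b3c4b37347b"),
    (r"C:\Mint2T\dobxloc.exe", "832f30eb3fff35ecfcec2c491c38d718", "7b6b3938b6411347b635f272f988d94d6d45e3d4",
     "79c04feb3a810cd7a2d2f14207431137551e9d0c043add87752b8530a491aed0"),
    (r"C:\Users\Admin\253086396416_6.1_Admin.ini", "0ea52067c91c66d4052df0363ac485d5",
     "3a25668dc4e194a99b127c7b67e68e4f7be5ed0e", "dd8cedbeec26450ffb13d4e08eeb764b13fbf71de35925ad088d95f580f4a9ad"),
    (r"C:\Users\Admin\253086396416_6.1_Admin.ini", "66c4ac737990b01ad310a4d8a3226613",
     "fd6b6b57c38ebfd317b928ee3c85f2b8a0d9306b", "8e9e3e748952fe5114d46e5b9c05dd1eebe0c685cd14f29b9b066e783da1315e"),
    (r"\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe",
     "e01676e432791035d903771e450e4991", "bda419e272bc7fa2ab6b4bc807c3f3ccf782d319",
     "9585a1c170dbbc6fd1b3abe688edc5191f1e27fcb3292fee19c4cf88179f4b4a"),
]


def validate(entry):
    """Raise ValueError on a digest of the wrong length or with non-hex characters."""
    path, *digests = entry
    for algo, digest in zip(HEX_LEN, digests):
        if not re.fullmatch(r"[0-9a-f]{%d}" % HEX_LEN[algo], digest):
            raise ValueError(f"{path}: bad {algo} digest {digest!r}")
    return True


def hash_bytes(data):
    """Compute all three digests of a byte string, lowercase hex."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in HEX_LEN}


def blocklist():
    """Map every known digest, of any algorithm, to the report paths it was seen at."""
    index = {}
    for entry in IOC_FILES:
        validate(entry)
        path, *digests = entry
        for digest in digests:
            index.setdefault(digest, []).append(path)
    return index


def rewritten_paths():
    """Paths the report lists with more than one distinct SHA256."""
    seen = {}
    for path, _, _, sha256 in IOC_FILES:
        seen.setdefault(path, set()).add(sha256)
    return sorted(p for p, s in seen.items() if len(s) > 1)


def check(data, index=None):
    """Return the report paths whose content matches `data`, or [] if unknown."""
    index = index if index is not None else blocklist()
    hits = []
    for digest in hash_bytes(data).values():
        hits.extend(index.get(digest, []))
    return sorted(set(hits))


def sample_named_after_hash():
    """The submitted file name is its own SHA256 followed by 'N'."""
    stem = TARGET.rsplit("\\", 1)[1].rsplit(".", 1)[0]
    return stem.rstrip("N") == IOC_FILES[0][3]


if __name__ == "__main__":
    print("paths written more than once:", rewritten_paths())
    print("constructed benign bytes match:", check(b"constructed benign content"))
```

MD5 and SHA1 are kept only so a feed that carries nothing else can still be matched; treat a match on either as identification, not as proof of integrity, and confirm with the SHA256 before acting on it.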