Analysis
max time kernel: 119s
max time network: 104s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/10/2024, 22:02
Static task: static1
Behavioral task: behavioral1
  Sample: b1c8d6c417c5220349566661261a2f3cafce0abcb929bbe26d131ed4c537188dN.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: b1c8d6c417c5220349566661261a2f3cafce0abcb929bbe26d131ed4c537188dN.exe
  Resource: win10v2004-20241007-en
General
Target: b1c8d6c417c5220349566661261a2f3cafce0abcb929bbe26d131ed4c537188dN.exe
Size: 2.6MB
MD5: fd18cadbfb0517b0f4a395bf67ad2360
SHA1: cc71a8e26221592b4a38787e73d9f42335698140
SHA256: b1c8d6c417c5220349566661261a2f3cafce0abcb929bbe26d131ed4c537188d
SHA512: 745804941f7347e58833e592d7216ac02add79993d5b40f37652284802c849914cd32114f5add21670a5a4db1215ee5122ed0e0680e027c248d7fd8bad9969f6
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBcB/bS:sxX7QnxrloE5dpUpHb
Malware Config
Signatures

Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
    Process: b1c8d6c417c5220349566661261a2f3cafce0abcb929bbe26d131ed4c537188dN.exe

Executes dropped EXE (2 IoCs)
  PID 3964: sysxopti.exe
  PID 1020: xbodec.exe

Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotO8\\xbodec.exe"
    Process: b1c8d6c417c5220349566661261a2f3cafce0abcb929bbe26d131ed4c537188dN.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxPB\\dobasys.exe"
    Process: b1c8d6c417c5220349566661261a2f3cafce0abcb929bbe26d131ed4c537188dN.exe

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: b1c8d6c417c5220349566661261a2f3cafce0abcb929bbe26d131ed4c537188dN.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: sysxopti.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: xbodec.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Repeated entries for three processes:
  PID 3584: b1c8d6c417c5220349566661261a2f3cafce0abcb929bbe26d131ed4c537188dN.exe
  PID 3964: sysxopti.exe
  PID 1020: xbodec.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  PID 3584 (b1c8d6c417c5220349566661261a2f3cafce0abcb929bbe26d131ed4c537188dN.exe) wrote to memory of PID 3964, procid_target 89 (3 entries)
  PID 3584 (b1c8d6c417c5220349566661261a2f3cafce0abcb929bbe26d131ed4c537188dN.exe) wrote to memory of PID 1020, procid_target 90 (3 entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\b1c8d6c417c5220349566661261a2f3cafce0abcb929bbe26d131ed4c537188dN.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\b1c8d6c417c5220349566661261a2f3cafce0abcb929bbe26d131ed4c537188dN.exe"
   PID: 3584
   - Drops startup file
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe (child of PID 3584)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"
      PID: 3964
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

   2. C:\UserDotO8\xbodec.exe (child of PID 3584)
      Command line: C:\UserDotO8\xbodec.exe
      PID: 1020
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads