Analysis

  • max time kernel
    119s
  • max time network
    104s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/10/2024, 22:02

General

  • Target
    b1c8d6c417c5220349566661261a2f3cafce0abcb929bbe26d131ed4c537188dN.exe
  • Size
    2.6MB
  • MD5
    fd18cadbfb0517b0f4a395bf67ad2360
  • SHA1
    cc71a8e26221592b4a38787e73d9f42335698140
  • SHA256
    b1c8d6c417c5220349566661261a2f3cafce0abcb929bbe26d131ed4c537188d
  • SHA512
    745804941f7347e58833e592d7216ac02add79993d5b40f37652284802c849914cd32114f5add21670a5a4db1215ee5122ed0e0680e027c248d7fd8bad9969f6
  • SSDEEP
    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBcB/bS:sxX7QnxrloE5dpUpHb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b1c8d6c417c5220349566661261a2f3cafce0abcb929bbe26d131ed4c537188dN.exe
    "C:\Users\Admin\AppData\Local\Temp\b1c8d6c417c5220349566661261a2f3cafce0abcb929bbe26d131ed4c537188dN.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3584
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3964
    • C:\UserDotO8\xbodec.exe
      C:\UserDotO8\xbodec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1020

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\GalaxPB\dobasys.exe
    Filesize
    2.5MB
    MD5
    2a64b387868e30a6292f0c2a2a4a74b7
    SHA1
    252fee464288b734d72c4a2b6515772743fa61a0
    SHA256
    3d81c90a906a61d76a0ed9ab568f007311e3b3a99c12eb7a7a0d129f2475771a
    SHA512
    088ef95bf234f75155aeff8c66f9a104f325d2844158fd6babaf48362cdafcf68757a21273f6288968904b36002b4e2298c30870299147c7f810c07e44e73017

  • C:\GalaxPB\dobasys.exe
    Filesize
    2.6MB
    MD5
    a35768fd7c7c35b50defa22705ec9d42
    SHA1
    43a08152a8dc053ac5261d39b78c3c2d133a5e0e
    SHA256
    8b5648905c21e41f7c4718797e151ca112dd486313862c1cfc2ca0d0db45bb38
    SHA512
    420bc657b3ce4ae52f8718b65dcf813fbd8e366be20ca5b8082da68d4aebed9c2437d09ce1d73d31d058dd5853bbaf72b3bb43ee68bf4b81c8f8471d6e281493

  • C:\UserDotO8\xbodec.exe
    Filesize
    2.6MB
    MD5
    4b69a65600cac42419597a39d60dde99
    SHA1
    c3c90a280228bfd7c3815dc3f937db26d4c6aa51
    SHA256
    ba6a05dd111f209fb641e9fb73370ccdc14ebebdafb3053c85ea9c56bf8f04d5
    SHA512
    7ffac1a918f5acc6c5aaf9a6862bca0845f363350b8db4d7c5c7a96f03da03c67c32f0704c6a379e0da44a02b67dfa4a49df01bc5794528d096a15b07f2edc9e

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize
    203B
    MD5
    02a1af7e8a1ed28ac63931de9ebaacf4
    SHA1
    89b87080755c05512e4df5e1e33e28e9a1fb7fa2
    SHA256
    93fd88475ef600c669713a227d5b74ffb5545a349dc0992571103505cb841e85
    SHA512
    272ea6d487c4d010e6211a0582542f627e02a00b7a5ceb1f1b9ef5fa194a9e84d8a6fd2faa4e3d97f90628c64e95444a58059cd4f151053eb621f34c03958ce6

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize
    171B
    MD5
    f7a443b9087255cf48961db3b22163da
    SHA1
    6228152da2e361d8374b8d564f16b9e12cdc1eb7
    SHA256
    0d50314abae7aeeca7042db1bda904c0de5adfa2954326c6abaf0159bfb9ea70
    SHA512
    bd83f609df20b3053bce18c651f18046ac1b111fbe6ea2a5c442f64f0b5b0748d1a2c85954ed11c00fb2b6ff3561fb976e5d945dcfdd8034965454026ee777d4

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
    Filesize
    2.6MB
    MD5
    f626c3615207ade87de7a323c57a7b26
    SHA1
    bac5e569f5413ecfb99d0dd05566a520184ffd58
    SHA256
    3ebc53ea9e84894a3e98b7587ff835594adef66c9fd4c774a90b1cb3cdce4d0c
    SHA512
    aa38c73eba2e1975e822a28f95810f655e54f7ab73457f8a82593e445a714493c1b9a4f524c0e1bf55661a70679b6c19e7f4bf52058929404b950d37a5d0d134