Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    119s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/10/2024, 20:56

General

  • Target

    76c3cb08a2057abbc48f9e98406f89fb37ff6cd08ddb0ba096855203e51e839fN.exe

  • Size

    2.6MB

  • MD5

    8aba3bca8cd47063c4ee08a5fbe2ae70

  • SHA1

    a9ac554d9f0afc834b143d779f80ec5baaa38ede

  • SHA256

    76c3cb08a2057abbc48f9e98406f89fb37ff6cd08ddb0ba096855203e51e839f

  • SHA512

    16a8a6dbff3e1b675775aacd8719f20efa30e5ceead4574b94b2ce4edfd3c10befb4e2f31662795ba966e3d8f425bcaebc49b6abb26d2772a1eede2b84ccd6a1

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBJB/bS:sxX7QnxrloE5dpUpyb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\76c3cb08a2057abbc48f9e98406f89fb37ff6cd08ddb0ba096855203e51e839fN.exe
    "C:\Users\Admin\AppData\Local\Temp\76c3cb08a2057abbc48f9e98406f89fb37ff6cd08ddb0ba096855203e51e839fN.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2212
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3008
    • C:\FilesJL\adobloc.exe
      C:\FilesJL\adobloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2648

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\FilesJL\adobloc.exe

    Filesize

    2.6MB

    MD5

    5420619af6b71d690b11530e0f97ffa3

    SHA1

    833829ffda16dc2b431678bb64949042767d4be2

    SHA256

    b4ac63438c257b43da5a3edce814dc708ff6bea430ef8ecc4f38b06247044e6d

    SHA512

    2b7672650a821bb8ca9452e3293efcb8d1094868cdea025c941e2d3c15966255e15404311abf11f03b7e718dde58a2c80f2d4a3a7799f5227d2d40ceeeb09363

  • C:\KaVBN1\optidevec.exe

    Filesize

    2.6MB

    MD5

    ad84999aed718e5193cf0a0bc45aac4b

    SHA1

    845e593d8912d8e649dba7bce684d976a0a45bed

    SHA256

    024ac27db5cd9499934062ba76fe10a7e4eb093869db0276cd7a5224cd8a82dd

    SHA512

    5c90c3404283997174a5df5cc67688ffa907ba5e65f7242b1e560301fe80b4292e6064733e0a224c292452420e2220db9ff2df7abb95b5e73869747b00d8a6a8

  • C:\KaVBN1\optidevec.exe

    Filesize

    2.6MB

    MD5

    1db9737adf47f1c38c2ceb44dc3f530c

    SHA1

    376cde19b837775ba8e3b7537006b19a993d744a

    SHA256

    156e4d71fabb52acea9a0396cd4dc9e859deaf96a66baef36f9f86230f6e15d7

    SHA512

    017e11121c59ce45b1d4b03e5dfe3618720b158e6fbb637eb3686a3342cd469f897777da1e3c2cc2ef3d3a15f468ba38d5e69c1d71ee7ce33ac37738c8810442

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    172B

    MD5

    488696952ac447412f67927e87988d2a

    SHA1

    4753a6845d3ca9ed885a19168a69f9d674225d44

    SHA256

    abb0586eeedef10651384f6955dbf41ae402733f2d5c542f15d87b7f6a99bfd9

    SHA512

    ae791db06340dc7ba18858f9a63d15c90a27fc48d08d36ddae50911df51b4b74522669033b43297f91a997410c78e0ebc461df607407a4d11ae562fc617e157b

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    204B

    MD5

    77f1797b47da7344f18ba775f85391b5

    SHA1

    4c54b9af0a96104b280d289838d29e6bc08da148

    SHA256

    3947b181e3b8ce275131236d3925b739f2a2a9470d691435bdf4a63b2e9b7328

    SHA512

    0f68fa3eb6dbf054f2c7572aa621b026da89e3aaa19bba79726b7e738d02d38231692cdc8183e4d3848a6592195f1f5e29f2526e86db54dcfa46f8dc55d6739e

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe

    Filesize

    2.6MB

    MD5

    28ee4917ce26accf91eb69e945bc152c

    SHA1

    a9a5ff02284461c4c44913c5de8cef9b3936b640

    SHA256

    231c708a6ac1129e30760c74b70f6f6202afebdbe7ba3a7221a8d190cb70f400

    SHA512

    9a4582db0dcef56b1d87402910281dd52399a4865338692f2f6de11b9e2a1c51638b74f2d50e4281a786edc6fa4ffe964f04c5ecd53e7616529541271186bfa6
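The Processes tree and the Downloads list above give a concrete set of host artefacts: a copy of the sample dropped into the user's Startup folder (sysdevdob.exe), two further copies written to C:\FilesJL and C:\KaVBN1 (the latter written twice with different hashes), a Run key that the report records but whose value name it does not show, and a small .ini written twice under the user profile. The following PowerShell hunt script is an added example written for this page, not part of the Triage report or of the sample, and it checks a Windows host for exactly those artefacts. It assumes it is run in the affected user's session (the Startup folder is resolved per user rather than hard-coded to C:\Users\Admin), that PowerShell 4 or later is available for Get-FileHash, and that other infections name the .ini with the same `<digits>_<OS version>_<user>.ini` shape seen here; that last point is an assumption, so the script only flags such files, it does not treat them as confirmed.

```powershell
# Added hunt script for the artefacts listed in this Triage report. Not the
# report's or the sample's own code. Run in the affected user's session; reading
# the HKLM Run keys needs no elevation, but writing nothing is the whole point.
# SHA256 values are copied from the Downloads section of the report.

$KnownSha256 = @{
    'adobloc.exe'   = @('b4ac63438c257b43da5a3edce814dc708ff6bea430ef8ecc4f38b06247044e6d')
    'optidevec.exe' = @('024ac27db5cd9499934062ba76fe10a7e4eb093869db0276cd7a5224cd8a82dd',
                        '156e4d71fabb52acea9a0396cd4dc9e859deaf96a66baef36f9f86230f6e15d7')
    'sysdevdob.exe' = @('231c708a6ac1129e30760c74b70f6f6202afebdbe7ba3a7221a8d190cb70f400')
}

# Paths the report shows being written. The Startup folder is resolved for the
# current user instead of assuming the sandbox's "Admin" profile.
$Candidates = @(
    (Join-Path ([Environment]::GetFolderPath('Startup')) 'sysdevdob.exe'),
    'C:\FilesJL\adobloc.exe',
    'C:\KaVBN1\optidevec.exe'
)

$Findings = @()

foreach ($Path in $Candidates) {
    if (Test-Path -LiteralPath $Path) {
        $Hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLower()
        $Name = Split-Path -Leaf $Path
        # A hash mismatch still matters: the sample wrote optidevec.exe twice with
        # different contents, so an unknown hash at a known path is not a clean result.
        $Findings += [pscustomobject]@{
            Type      = 'DroppedFile'
            Location  = $Path
            Value     = $Hash
            KnownHash = ($KnownSha256[$Name] -contains $Hash)
        }
    }
}

# The report records "Adds Run key" but not the value name, so every Run value
# whose command references a dropped path or binary name is listed rather than
# guessing a single name.
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$Patterns = @('sysdevdob', 'adobloc', 'optidevec', '\FilesJL\', '\KaVBN1\')
$ProviderProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

foreach ($Key in $RunKeys) {
    if (-not (Test-Path $Key)) { continue }
    $Props = Get-ItemProperty -Path $Key
    foreach ($P in $Props.PSObject.Properties) {
        if ($ProviderProps -contains $P.Name) { continue }   # skip provider metadata
        $Cmd = [string]$P.Value
        foreach ($Pat in $Patterns) {
            if ($Cmd -like "*$Pat*") {
                $Findings += [pscustomobject]@{
                    Type      = 'RunKey'
                    Location  = "$Key\$($P.Name)"
                    Value     = $Cmd
                    KnownHash = $false
                }
                break
            }
        }
    }
}

# The .ini in the report is "253086396416_6.1_Admin.ini", written twice (172B, 204B).
# Assumption: the numeric prefix and user name vary per host, so match on the shape.
$IniFiles = Get-ChildItem -Path $env:USERPROFILE -Filter '*_6.1_*.ini' -ErrorAction SilentlyContinue
foreach ($F in $IniFiles) {
    $Findings += [pscustomobject]@{
        Type      = 'ConfigFile'
        Location  = $F.FullName
        Value     = "$($F.Length) bytes"
        KnownHash = $false
    }
}

if ($Findings.Count -eq 0) {
    Write-Output 'No artefacts from this report found.'
} else {
    $Findings | Format-Table -AutoSize
}
```

The script reads and hashes only; it deliberately does not delete or disable anything, so it can be run during triage before deciding on containment. Because the report shows the sample under its own SHA256-derived name in %TEMP%, the original dropper is not searched for by name; on a real host it would have whatever name the victim received it under, and the dropped copies and the Run key are the stable indicators.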