Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 119s
max time network: 17s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 25/10/2024, 20:56

Static task: static1

Behavioral task: behavioral1
  Sample: 76c3cb08a2057abbc48f9e98406f89fb37ff6cd08ddb0ba096855203e51e839fN.exe
  Resource: win7-20240729-en

Behavioral task: behavioral2
  Sample: 76c3cb08a2057abbc48f9e98406f89fb37ff6cd08ddb0ba096855203e51e839fN.exe
  Resource: win10v2004-20241007-en
General
Target: 76c3cb08a2057abbc48f9e98406f89fb37ff6cd08ddb0ba096855203e51e839fN.exe
Size: 2.6MB
MD5: 8aba3bca8cd47063c4ee08a5fbe2ae70
SHA1: a9ac554d9f0afc834b143d779f80ec5baaa38ede
SHA256: 76c3cb08a2057abbc48f9e98406f89fb37ff6cd08ddb0ba096855203e51e839f
SHA512: 16a8a6dbff3e1b675775aacd8719f20efa30e5ceead4574b94b2ce4edfd3c10befb4e2f31662795ba966e3d8f425bcaebc49b6abb26d2772a1eede2b84ccd6a1
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBJB/bS:sxX7QnxrloE5dpUpyb
Malware Config
Signatures

Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
  Process: 76c3cb08a2057abbc48f9e98406f89fb37ff6cd08ddb0ba096855203e51e839fN.exe (PID 2212)

Executes dropped EXE (2 IoCs)
  PID 3008  sysdevdob.exe
  PID 2648  adobloc.exe

Loads dropped DLL (2 IoCs)
  PID 2212  76c3cb08a2057abbc48f9e98406f89fb37ff6cd08ddb0ba096855203e51e839fN.exe (2 events; the DLL paths are not listed in the report)

Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str)  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesJL\\adobloc.exe"
                   by the sample (PID 2212)
  Set value (str)  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBN1\\optidevec.exe"
                   by the sample (PID 2212)

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by the sample (PID 2212)
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by sysdevdob.exe (PID 3008)
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by adobloc.exe (PID 2648)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2212  76c3cb08a2057abbc48f9e98406f89fb37ff6cd08ddb0ba096855203e51e839fN.exe  (2 events)
  PID 3008  sysdevdob.exe  (31 events, alternating with PID 2648)
  PID 2648  adobloc.exe    (31 events)

Suspicious use of WriteProcessMemory (8 IoCs)
  description                             pid   Process                                                                   procid_target
  PID 2212 wrote to memory of 3008        2212  76c3cb08a2057abbc48f9e98406f89fb37ff6cd08ddb0ba096855203e51e839fN.exe  30   (4 events)
  PID 2212 wrote to memory of 2648        2212  76c3cb08a2057abbc48f9e98406f89fb37ff6cd08ddb0ba096855203e51e839fN.exe  31   (4 events)
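Of the signatures above, the three persistence artifacts (the Startup-folder drop, the Run\Parametr value and the RunOnce\Parametr value) are the ones worth turning into host detections. The NLS\Language key opens are not: ordinary software reads that key during locale setup, so it is not usable as a standalone indicator. The WriteProcessMemory events target only the two children the sample had just spawned, which is consistent with ordinary process creation (the parent writes the child's startup data) rather than injection into an unrelated process. Note also that optidevec.exe, the RunOnce target, never appears in the process list; RunOnce entries run at the next logon, so a 119s session would not exercise it. The following is an added example, not tria.ge output or code from the sample's author: it encodes the two persistence patterns as rules and runs them over constructed Sysmon-style events (EID 11 FileCreate, EID 13 RegistryEvent value set). The Event field names, the TRUSTED_PREFIXES allow-list and the benign OneDrive control event are assumptions of the example, not facts from the report.

```python
"""Persistence detection for the IoCs in this report, as an added example.

Assumptions (not from tria.ge): the Event field names below model Sysmon
EID 11 (FileCreate) and EID 13 (RegistryEvent, value set); the sample events
are constructed to mirror the report plus two benign negative controls.
"""
import re
from dataclasses import dataclass

# Startup-folder drop: any executable written under the per-user Startup folder.
STARTUP_DIR_RE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$",
    re.IGNORECASE,
)
# Run / RunOnce value set under a user hive (HKU\<SID>\... or \REGISTRY\USER\<SID>\...).
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(?P<key>Run|RunOnce)\\(?P<value>[^\\]+)$",
    re.IGNORECASE,
)
# Assumed allow-list: autorun targets under these roots are treated as benign.
# Tune to the environment before deploying; this is an example value.
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


@dataclass
class Event:
    event_id: int      # 11 = file created, 13 = registry value set
    pid: int
    image: str         # image path of the acting process
    target: str        # file path (EID 11) or registry value path (EID 13)
    details: str = ""  # registry value data (EID 13 only)


@dataclass
class Finding:
    rule: str
    pid: int
    image: str
    evidence: str


def rule_startup_drop(ev):
    """Flag executables created in the user's Startup folder (the sysdevdob.exe drop)."""
    if ev.event_id == 11 and STARTUP_DIR_RE.search(ev.target):
        return Finding("startup_folder_drop", ev.pid, ev.image, ev.target)
    return None


def rule_autorun_untrusted(ev):
    """Flag Run/RunOnce values whose target lives outside the trusted install roots
    (the report's Run\\Parametr and RunOnce\\Parametr entries)."""
    if ev.event_id != 13:
        return None
    m = RUN_KEY_RE.search(ev.target)
    if not m:
        return None
    exe = ev.details.strip().lstrip('"').lower()   # tolerate quoted command lines
    if exe.startswith(TRUSTED_PREFIXES):
        return None
    return Finding("autorun_untrusted_path", ev.pid, ev.image,
                   f"{m.group('key')}\\{m.group('value')} -> {ev.details}")


RULES = (rule_startup_drop, rule_autorun_untrusted)


def run_rules(events):
    """Apply every rule to every event, preserving event order."""
    findings = []
    for ev in events:
        for rule in RULES:
            f = rule(ev)
            if f is not None:
                findings.append(f)
    return findings


def pivot_pids(findings):
    """PIDs whose full telemetry should be pulled next (here only the dropper, 2212)."""
    return sorted({f.pid for f in findings})


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\76c3cb08a2057abbc48f9e98406f89fb37ff6cd08ddb0ba096855203e51e839fN.exe"
HIVE = r"HKU\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion"

# Constructed events mirroring the report; the last two are benign controls.
SAMPLE_EVENTS = [
    Event(11, 2212, SAMPLE, r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"),
    Event(11, 2212, SAMPLE, r"C:\FilesJL\adobloc.exe"),   # staged outside Startup: no hit by itself
    Event(13, 2212, SAMPLE, HIVE + r"\Run\Parametr", r"C:\FilesJL\adobloc.exe"),
    Event(13, 2212, SAMPLE, HIVE + r"\RunOnce\Parametr", r"C:\KaVBN1\optidevec.exe"),
    Event(13, 4120, r"C:\Program Files\Microsoft OneDrive\OneDriveSetup.exe",   # constructed benign autorun
          HIVE + r"\Run\OneDrive", r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
]

if __name__ == "__main__":
    hits = run_rules(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f.rule:24} pid={f.pid} {f.evidence}")
    print("pivot PIDs:", pivot_pids(hits))
```

Running the block reports the Startup-folder drop and both autorun values, all attributed to PID 2212, and leaves the staged copy in C:\FilesJL and the OneDrive control untouched. The second rule keys on where the autorun target lives rather than on the value name "Parametr", so it also catches the same behaviour under a different value name.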
Processes

PID 2212  C:\Users\Admin\AppData\Local\Temp\76c3cb08a2057abbc48f9e98406f89fb37ff6cd08ddb0ba096855203e51e839fN.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\76c3cb08a2057abbc48f9e98406f89fb37ff6cd08ddb0ba096855203e51e839fN.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  PID 3008  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe  (child of 2212)
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

  PID 2648  C:\FilesJL\adobloc.exe  (child of 2212)
    command line: C:\FilesJL\adobloc.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 2.6MB
  MD5: 5420619af6b71d690b11530e0f97ffa3
  SHA1: 833829ffda16dc2b431678bb64949042767d4be2
  SHA256: b4ac63438c257b43da5a3edce814dc708ff6bea430ef8ecc4f38b06247044e6d
  SHA512: 2b7672650a821bb8ca9452e3293efcb8d1094868cdea025c941e2d3c15966255e15404311abf11f03b7e718dde58a2c80f2d4a3a7799f5227d2d40ceeeb09363

- Filesize: 2.6MB
  MD5: ad84999aed718e5193cf0a0bc45aac4b
  SHA1: 845e593d8912d8e649dba7bce684d976a0a45bed
  SHA256: 024ac27db5cd9499934062ba76fe10a7e4eb093869db0276cd7a5224cd8a82dd
  SHA512: 5c90c3404283997174a5df5cc67688ffa907ba5e65f7242b1e560301fe80b4292e6064733e0a224c292452420e2220db9ff2df7abb95b5e73869747b00d8a6a8

- Filesize: 2.6MB
  MD5: 1db9737adf47f1c38c2ceb44dc3f530c
  SHA1: 376cde19b837775ba8e3b7537006b19a993d744a
  SHA256: 156e4d71fabb52acea9a0396cd4dc9e859deaf96a66baef36f9f86230f6e15d7
  SHA512: 017e11121c59ce45b1d4b03e5dfe3618720b158e6fbb637eb3686a3342cd469f897777da1e3c2cc2ef3d3a15f468ba38d5e69c1d71ee7ce33ac37738c8810442

- Filesize: 172B
  MD5: 488696952ac447412f67927e87988d2a
  SHA1: 4753a6845d3ca9ed885a19168a69f9d674225d44
  SHA256: abb0586eeedef10651384f6955dbf41ae402733f2d5c542f15d87b7f6a99bfd9
  SHA512: ae791db06340dc7ba18858f9a63d15c90a27fc48d08d36ddae50911df51b4b74522669033b43297f91a997410c78e0ebc461df607407a4d11ae562fc617e157b

- Filesize: 204B
  MD5: 77f1797b47da7344f18ba775f85391b5
  SHA1: 4c54b9af0a96104b280d289838d29e6bc08da148
  SHA256: 3947b181e3b8ce275131236d3925b739f2a2a9470d691435bdf4a63b2e9b7328
  SHA512: 0f68fa3eb6dbf054f2c7572aa621b026da89e3aaa19bba79726b7e738d02d38231692cdc8183e4d3848a6592195f1f5e29f2526e86db54dcfa46f8dc55d6739e

- Filesize: 2.6MB
  MD5: 28ee4917ce26accf91eb69e945bc152c
  SHA1: a9a5ff02284461c4c44913c5de8cef9b3936b640
  SHA256: 231c708a6ac1129e30760c74b70f6f6202afebdbe7ba3a7221a8d190cb70f400
  SHA512: 9a4582db0dcef56b1d87402910281dd52399a4865338692f2f6de11b9e2a1c51638b74f2d50e4281a786edc6fa4ffe964f04c5ecd53e7616529541271186bfa6