Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    120s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/10/2024, 21:03

General

  • Target

    618c00da043ace75dc3a1f396b9cbee36e3383ddf20eb219d0afb674cb1f0ceeN.exe

  • Size

    3.0MB

  • MD5

    edce5e8f6066b92a75b75e4557bbeba0

  • SHA1

    48210915c6733c5f287d8cc027e8d7c413cfb25a

  • SHA256

    618c00da043ace75dc3a1f396b9cbee36e3383ddf20eb219d0afb674cb1f0cee

  • SHA512

    8917446eb045bec32ee7befa337934f3ff3fb151a5bc5bae664fc86a6159fb0b0946bffb70a07c2f60f883278270d8e1341fe7abed667f3dd618c13ae3aedd81

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBiB/bSqz8:sxX7QnxrloE5dpUpFbVz8

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\618c00da043ace75dc3a1f396b9cbee36e3383ddf20eb219d0afb674cb1f0ceeN.exe
    "C:\Users\Admin\AppData\Local\Temp\618c00da043ace75dc3a1f396b9cbee36e3383ddf20eb219d0afb674cb1f0ceeN.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2100
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2328
    • C:\FilesFQ\aoptisys.exe
      C:\FilesFQ\aoptisys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3008
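The signatures above (startup-folder drop, Run-key persistence, dropped EXE execution) and the process tree give enough to write a first-pass hunt for the same behaviour on other hosts. The block below is an added example, not tria.ge output and not code from this report: it runs that logic over constructed Sysmon-style event lines (EventID 1, 11 and 13 in a `Key=Value|Key=Value` layout chosen here for readability, not a real Sysmon export). The file paths and SHA256 values are copied from the report; the SID, the Run value name `sysdevbod`, the "bare top-level directory" heuristic and its allowlist of expected root directories are assumptions. The hash set keeps both hashes the report lists for C:\LabZIG\bodasys.exe.

```python
"""Hunt for the behaviours this report flags (startup-folder drop, Run-key
persistence, dropped EXEs launched from bare top-level directories) over
Sysmon-style event lines. The event lines are CONSTRUCTED samples, not
tria.ge output; paths and SHA256 values are copied from the report."""
import re
from typing import List, Optional, Tuple

# SHA256 values of the dropped files from the report's Downloads table.
# C:\LabZIG\bodasys.exe is listed twice with different hashes, so both are kept.
DROPPED_SHA256 = {
    "6190a418c908778e98a5e94f361fa675266f67ea4b6cc5245af3986ee4bb4aa1",  # C:\FilesFQ\aoptisys.exe
    "7d0ccb0f34193316f3f0e3774cc9e253090a60155db2b5d8539bdf62a808e293",  # C:\LabZIG\bodasys.exe (1.7MB)
    "93e3fbec605c9013792a61e8c3966b08f70f403ef9cda6f06a530c3c0fade696",  # C:\LabZIG\bodasys.exe (3.0MB)
    "4a57fcc9b2158ca35e7c76c08ff8095d11ee9ab23f4562073b709eeb5b9784fc",  # Startup\sysdevbod.exe
}
STARTUP_DIR_RE = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
# Assumption: directories a legitimate EXE is expected to sit under directly
# off the drive root. Anything else (C:\FilesFQ\, C:\LabZIG\) is worth a look.
EXPECTED_ROOT_DIRS = {"windows", "program files", "program files (x86)", "users", "programdata"}


def parse_event(line: str) -> dict:
    """Parse one 'Key=Value|Key=Value' line. Only the first '=' splits a
    field, so a value such as Hashes=SHA256=... survives intact."""
    fields = {}
    for kv in line.strip().split("|"):
        key, _, value = kv.partition("=")
        fields[key] = value
    return fields


def sha256_from_hashes(hashes_field: str) -> Optional[str]:
    """Pull the SHA256 out of a Sysmon Hashes field such as 'MD5=..,SHA256=..'."""
    for part in hashes_field.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return None


def launched_from_bare_root_dir(image: str) -> bool:
    """True for X:\\<dir>\\<name>.exe where <dir> is not an expected system location."""
    parts = image.split("\\")
    return (
        len(parts) == 3
        and parts[0].endswith(":")
        and parts[1].lower() not in EXPECTED_ROOT_DIRS
        and parts[2].lower().endswith(".exe")
    )


def classify(event: dict) -> List[str]:
    """Return the report behaviours a single event exhibits (may be several)."""
    hits = []
    eid = event.get("EventID")
    if eid == "11" and STARTUP_DIR_RE.search(event.get("TargetFilename", "")):
        hits.append("Drops startup file (T1547.001)")
    if eid == "13" and RUN_KEY_RE.search(event.get("TargetObject", "")):
        hits.append("Adds Run key (T1547.001)")
    if eid == "1":
        if launched_from_bare_root_dir(event.get("Image", "")):
            hits.append("EXE launched from a bare top-level directory")
        if sha256_from_hashes(event.get("Hashes", "")) in DROPPED_SHA256:
            hits.append("Executes dropped EXE (SHA256 match)")
    return hits


def hunt(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Classify every non-empty line; return (Image, hits) for each match."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        event = parse_event(line)
        hits = classify(event)
        if hits:
            findings.append((event.get("Image", ""), hits))
    return findings


DROPPER = r"C:\Users\Admin\AppData\Local\Temp\618c00da043ace75dc3a1f396b9cbee36e3383ddf20eb219d0afb674cb1f0ceeN.exe"
STARTUP_EXE = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
# Constructed sample events. The SID and the Run value name 'sysdevbod' are
# invented; the report confirms a Run key was added but does not name it.
SAMPLE_EVENTS = [
    f"EventID=11|Image={DROPPER}|TargetFilename={STARTUP_EXE}",
    f"EventID=13|Image={DROPPER}|TargetObject=HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\sysdevbod|Details={STARTUP_EXE}",
    f"EventID=1|Image=C:\\FilesFQ\\aoptisys.exe|ParentImage={DROPPER}|Hashes=MD5=bcd1603bae8c525072a48b859b09243a,SHA256=6190a418c908778e98a5e94f361fa675266f67ea4b6cc5245af3986ee4bb4aa1",
    f"EventID=1|Image={STARTUP_EXE}|ParentImage={DROPPER}|Hashes=SHA256=4A57FCC9B2158CA35E7C76C08FF8095D11EE9AB23F4562073B709EEB5B9784FC",
    "EventID=1|Image=C:\\Windows\\System32\\notepad.exe|ParentImage=C:\\Windows\\explorer.exe|Hashes=SHA256=0000000000000000000000000000000000000000000000000000000000000000",
]

if __name__ == "__main__":
    for image, hits in hunt(SAMPLE_EVENTS):
        print(image)
        for hit in hits:
            print("   ", hit)
```

Hash matching is case-insensitive because Sysmon emits upper-case hex while the report lists lower-case. Note that C:\LabZIG\bodasys.exe appears only in the Downloads table and never in the process tree, so on a host that behaved like this sandbox run only its file hash, not a process-create event, would match.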

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\FilesFQ\aoptisys.exe

    Filesize

    3.0MB

    MD5

    bcd1603bae8c525072a48b859b09243a

    SHA1

    66251caf8c43c2692e5ea18d32e78dc57cc347f5

    SHA256

    6190a418c908778e98a5e94f361fa675266f67ea4b6cc5245af3986ee4bb4aa1

    SHA512

    d6e90c5a3ea825479fd8ecf4c042bc6a3ba476fe9eb1e1c773688282e3cb32ab9927d7795ba68eb464f5943de5cde9c569ed673f3358f1bc934d438cf9403024

  • C:\LabZIG\bodasys.exe

    Filesize

    1.7MB

    MD5

    6e0372fe85c74e911b5e15b4502c6916

    SHA1

    d16cd52c38301c7b423ffe3b9e4d85669aa04705

    SHA256

    7d0ccb0f34193316f3f0e3774cc9e253090a60155db2b5d8539bdf62a808e293

    SHA512

    1dd89567778107a0bfe6504434045adf56adf6af6c290bff9a38464ae15aa69b2be629f8bf876adadd40582e4138b0b8e3c0a3b96a930105f2b9a8ae2b9feb53

  • C:\LabZIG\bodasys.exe

    Filesize

    3.0MB

    MD5

    02a68bc7443c0cddee73b388f31c5dfc

    SHA1

    3e791b36457202b6fe4fd0a0fe69a86133a491c5

    SHA256

    93e3fbec605c9013792a61e8c3966b08f70f403ef9cda6f06a530c3c0fade696

    SHA512

    a725766449546b045a10fd0d00e54049b9464de3fd7c94243ce8f0132ee2be8fa79abed8ee48c3d0aef02d9c8b00af1571c68704c3c7f5bcb3a1a4ee6b34be66

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    171B

    MD5

    cedfe78d9060f90e9026ab36bee01d66

    SHA1

    5e721a36585250980602b6d635058aa7a1873f19

    SHA256

    8af86d6afa0509bbf23bb25c64664f0907a71af247bb68dcdba58a2e16208bb9

    SHA512

    668ab55028c47c61ceb441f673eb731c0cb2538e34fea62156e958770c5061c688ba44c0523d936a8308bab637075d4331191621d332512d2ce57e2e9320d90f

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    203B

    MD5

    5da4702dab34cdb5584cc8157d7cc72d

    SHA1

    170465417fb4d989eee32bd9b7d30b0be836adf6

    SHA256

    05fea5f93fef3366218eacfe1574daa937413261fac2cf63e3bd038b343d21c2

    SHA512

    12d7a9531e25b10d3c0c3ebc5543d9a817e6838874186fe8073ae73daefc66fdc4f7d47861449674259c8ca8d8d4984dd4badcc8257f589c4f32505165199010

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe

    Filesize

    3.0MB

    MD5

    d5ad9b4b7bc6e189d02eb26961d70243

    SHA1

    7bd32e8ce0888f243e42b296cd0062bd5a98e7bc

    SHA256

    4a57fcc9b2158ca35e7c76c08ff8095d11ee9ab23f4562073b709eeb5b9784fc

    SHA512

    64cf1334a8b98ba3332e61b0c8b5898dcfc2878e14f0b91658e031efebd53492a65574c5f631aaddb5a7a3a2a74e088ce411dac67986a6e86981bf63112ea6e6