Analysis

  • max time kernel: 149s
  • max time network: 124s
  • platform: windows7_x64
  • resource: win7-20240903-en
  • resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted: 27/10/2024, 22:12

General

  • Target: 3fd8820cef3f225be64863db12c141f9b3f4f94556b61f716f820ad81c45ecd5.exe
  • Size: 3.2MB
  • MD5: a2a41c9172d9662c2096854b519d8ab1
  • SHA1: e7e46f426f56bd981532ffe3cd443d8a93fce9b2
  • SHA256: 3fd8820cef3f225be64863db12c141f9b3f4f94556b61f716f820ad81c45ecd5
  • SHA512: 8db50c83cf4d64717321c372d86fdef728c64b815d1b8164128c5c7cd401ede55bcf7ef6b0da86dc9bdc5bae481e7c40b1a744d54bf42a86d871c5d288cb9639
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBnB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpIbVz8eLFcz

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3fd8820cef3f225be64863db12c141f9b3f4f94556b61f716f820ad81c45ecd5.exe
    "C:\Users\Admin\AppData\Local\Temp\3fd8820cef3f225be64863db12c141f9b3f4f94556b61f716f820ad81c45ecd5.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1628
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2500
    • C:\IntelprocTH\devdobsys.exe
      C:\IntelprocTH\devdobsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2248

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\IntelprocTH\devdobsys.exe
    Filesize: 3.2MB
    MD5: 076cabf5d63f35421b0d09476c07074f
    SHA1: eb1e6c6eb3b00a5d363eccab2b9900d27e9b07e8
    SHA256: 57a45b89e16a8264e24c27f5b3430599f416929f9b3696401264c8aa8ee6bd8b
    SHA512: 930100bf82f468372edba8cc4e88c2d10368204346bb82b9290f84669c1221e52edfc79fddfcc98c98b0b12bb0a781eb7ca801ac6176cc816dc8072035ca2159

  • C:\KaVBBF\optidevsys.exe
    Filesize: 3.2MB
    MD5: 76a4f5b689e9cd21cf59cbfd7fbaa7bb
    SHA1: 044682b9073228f392ebb75f8ba7c94764f75e1e
    SHA256: 027c0e4b14fdbe5c66ee9df1af3fc2114dc52a14bb0f770f2cd32a5f221be0f2
    SHA512: 6bc69ebb824e71159028bf7a9353fdf4bc8e26866bbb769155e28cbec13e7bb23730a1850ea1d13b329f67f4dd1c59c1a8ca3ad8dffca1e31fe8d5b155a05efa

  • C:\KaVBBF\optidevsys.exe
    Filesize: 38KB
    MD5: bf44ca13b06e59ad51503b585db2d944
    SHA1: 8d84c6b808a898fbfeea13856ec382531239c6d9
    SHA256: 9a12a344430be9cc0bb7d2ea6202d63c01daa92c07c865ae267248b82c329f28
    SHA512: 13481f95a2c51740b647ee5a47794773224d573092df1067c4b3962e342065a270d3d494a618d0ba6693165957b646af13eab68013ff56badbe774418903f854

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 177B
    MD5: a4e26bf388f4f5128f370b1227b34a3b
    SHA1: ae59d2bb05501f8704a3a8e0d8dc648c75f65d4e
    SHA256: a83936343c708c6bf20d4d16742a25f88fa1241496c8c5f7625a59c81ae0b0e2
    SHA512: 5d0b4fd83606d0d675e8943d1b61faf867b42fcf6b4aef2877a0a104d1583d98fb8240d592751b6178190cc82cfaf907183f3467ac31a0a1570f4aed99693aef

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 209B
    MD5: 9bd1c33e44af2042f5c7f199f6df7229
    SHA1: 6afe30d8cc8d1a16e1cf68ddbd8cdb629c9fe8fe
    SHA256: 9c2dd4baa80e40d3d18790f7ced715b552e090bf94e6cb22085bf290637f29a2
    SHA512: 5cf6243a58dc786bb1106cc8672f6c88b812db6618db9c160e15b7a3a72f30cd960714fc989b1c575d0ef25b3aaaa7bcb4af5657bc2112966be1b33840610aec

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
    Filesize: 3.2MB
    MD5: 7de7a7b5c3777792b1690c14ecea2709
    SHA1: 6e7832429c5f03f969f65f7a07ce7d14d85b65af
    SHA256: 5ffadf7560f479d0ad75afb7d936b11dc26cb8a59b24aef70d48fbea28fa0f7e
    SHA512: 375cffd2db25ad0829ce7a4f3f12b65170ec43cc082d82ab66d1cbff70ff8a340d7c66a60a3b2e95e06921326ba7106bf1a8af5cd4583df905ed490a0e5cf138