Analysis
- Max time kernel: 149s
- Max time network: 124s
- Platform: windows7_x64
- Resource: win7-20240903-en
- Resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- Submitted: 27/10/2024, 22:12
Static task: static1

Behavioral task: behavioral1
- Sample: 3fd8820cef3f225be64863db12c141f9b3f4f94556b61f716f820ad81c45ecd5.exe
- Resource: win7-20240903-en

Behavioral task: behavioral2
- Sample: 3fd8820cef3f225be64863db12c141f9b3f4f94556b61f716f820ad81c45ecd5.exe
- Resource: win10v2004-20241007-en
General
- Target: 3fd8820cef3f225be64863db12c141f9b3f4f94556b61f716f820ad81c45ecd5.exe
- Size: 3.2MB
- MD5: a2a41c9172d9662c2096854b519d8ab1
- SHA1: e7e46f426f56bd981532ffe3cd443d8a93fce9b2
- SHA256: 3fd8820cef3f225be64863db12c141f9b3f4f94556b61f716f820ad81c45ecd5
- SHA512: 8db50c83cf4d64717321c372d86fdef728c64b815d1b8164128c5c7cd401ede55bcf7ef6b0da86dc9bdc5bae481e7c40b1a744d54bf42a86d871c5d288cb9639
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBnB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpIbVz8eLFcz
Malware Config
Signatures
- Drops startup file (1 IoC)
  Description: File created
  IoC: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
  Process: 3fd8820cef3f225be64863db12c141f9b3f4f94556b61f716f820ad81c45ecd5.exe

- Executes dropped EXE (2 IoCs)
  PID 2500  sysxbod.exe
  PID 2248  devdobsys.exe

- Loads dropped DLL (2 IoCs)
  PID 1628  3fd8820cef3f225be64863db12c141f9b3f4f94556b61f716f820ad81c45ecd5.exe
  PID 1628  3fd8820cef3f225be64863db12c141f9b3f4f94556b61f716f820ad81c45ecd5.exe

- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Adds Run key to start application (2 TTPs, 2 IoCs)
  Description: Set value (str)
  IoC: \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBBF\\optidevsys.exe"
  Process: 3fd8820cef3f225be64863db12c141f9b3f4f94556b61f716f820ad81c45ecd5.exe

  Description: Set value (str)
  IoC: \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocTH\\devdobsys.exe"
  Process: 3fd8820cef3f225be64863db12c141f9b3f4f94556b61f716f820ad81c45ecd5.exe
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim host in order to infer its geographical location.
  Description: Key opened
  IoC: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: devdobsys.exe

  Description: Key opened
  IoC: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: 3fd8820cef3f225be64863db12c141f9b3f4f94556b61f716f820ad81c45ecd5.exe

  Description: Key opened
  IoC: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: sysxbod.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 1628  3fd8820cef3f225be64863db12c141f9b3f4f94556b61f716f820ad81c45ecd5.exe
  PID 1628  3fd8820cef3f225be64863db12c141f9b3f4f94556b61f716f820ad81c45ecd5.exe
  The remaining 62 entries alternate between PID 2500 (sysxbod.exe) and PID 2248 (devdobsys.exe).

- Suspicious use of WriteProcessMemory (8 IoCs)
  Description                       PID   Process                                                             procid_target
  PID 1628 wrote to memory of 2500  1628  3fd8820cef3f225be64863db12c141f9b3f4f94556b61f716f820ad81c45ecd5.exe  31
  PID 1628 wrote to memory of 2500  1628  3fd8820cef3f225be64863db12c141f9b3f4f94556b61f716f820ad81c45ecd5.exe  31
  PID 1628 wrote to memory of 2500  1628  3fd8820cef3f225be64863db12c141f9b3f4f94556b61f716f820ad81c45ecd5.exe  31
  PID 1628 wrote to memory of 2500  1628  3fd8820cef3f225be64863db12c141f9b3f4f94556b61f716f820ad81c45ecd5.exe  31
  PID 1628 wrote to memory of 2248  1628  3fd8820cef3f225be64863db12c141f9b3f4f94556b61f716f820ad81c45ecd5.exe  32
  PID 1628 wrote to memory of 2248  1628  3fd8820cef3f225be64863db12c141f9b3f4f94556b61f716f820ad81c45ecd5.exe  32
  PID 1628 wrote to memory of 2248  1628  3fd8820cef3f225be64863db12c141f9b3f4f94556b61f716f820ad81c45ecd5.exe  32
  PID 1628 wrote to memory of 2248  1628  3fd8820cef3f225be64863db12c141f9b3f4f94556b61f716f820ad81c45ecd5.exe  32
Processes
- C:\Users\Admin\AppData\Local\Temp\3fd8820cef3f225be64863db12c141f9b3f4f94556b61f716f820ad81c45ecd5.exe (PID 1628, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3fd8820cef3f225be64863db12c141f9b3f4f94556b61f716f820ad81c45ecd5.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe (PID 2500, depth 2, child of PID 1628)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

  - C:\IntelprocTH\devdobsys.exe (PID 2248, depth 2, child of PID 1628)
    Command line: C:\IntelprocTH\devdobsys.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.2MB
  MD5: 076cabf5d63f35421b0d09476c07074f
  SHA1: eb1e6c6eb3b00a5d363eccab2b9900d27e9b07e8
  SHA256: 57a45b89e16a8264e24c27f5b3430599f416929f9b3696401264c8aa8ee6bd8b
  SHA512: 930100bf82f468372edba8cc4e88c2d10368204346bb82b9290f84669c1221e52edfc79fddfcc98c98b0b12bb0a781eb7ca801ac6176cc816dc8072035ca2159

- Filesize: 3.2MB
  MD5: 76a4f5b689e9cd21cf59cbfd7fbaa7bb
  SHA1: 044682b9073228f392ebb75f8ba7c94764f75e1e
  SHA256: 027c0e4b14fdbe5c66ee9df1af3fc2114dc52a14bb0f770f2cd32a5f221be0f2
  SHA512: 6bc69ebb824e71159028bf7a9353fdf4bc8e26866bbb769155e28cbec13e7bb23730a1850ea1d13b329f67f4dd1c59c1a8ca3ad8dffca1e31fe8d5b155a05efa

- Filesize: 38KB
  MD5: bf44ca13b06e59ad51503b585db2d944
  SHA1: 8d84c6b808a898fbfeea13856ec382531239c6d9
  SHA256: 9a12a344430be9cc0bb7d2ea6202d63c01daa92c07c865ae267248b82c329f28
  SHA512: 13481f95a2c51740b647ee5a47794773224d573092df1067c4b3962e342065a270d3d494a618d0ba6693165957b646af13eab68013ff56badbe774418903f854

- Filesize: 177B
  MD5: a4e26bf388f4f5128f370b1227b34a3b
  SHA1: ae59d2bb05501f8704a3a8e0d8dc648c75f65d4e
  SHA256: a83936343c708c6bf20d4d16742a25f88fa1241496c8c5f7625a59c81ae0b0e2
  SHA512: 5d0b4fd83606d0d675e8943d1b61faf867b42fcf6b4aef2877a0a104d1583d98fb8240d592751b6178190cc82cfaf907183f3467ac31a0a1570f4aed99693aef

- Filesize: 209B
  MD5: 9bd1c33e44af2042f5c7f199f6df7229
  SHA1: 6afe30d8cc8d1a16e1cf68ddbd8cdb629c9fe8fe
  SHA256: 9c2dd4baa80e40d3d18790f7ced715b552e090bf94e6cb22085bf290637f29a2
  SHA512: 5cf6243a58dc786bb1106cc8672f6c88b812db6618db9c160e15b7a3a72f30cd960714fc989b1c575d0ef25b3aaaa7bcb4af5657bc2112966be1b33840610aec

- Filesize: 3.2MB
  MD5: 7de7a7b5c3777792b1690c14ecea2709
  SHA1: 6e7832429c5f03f969f65f7a07ce7d14d85b65af
  SHA256: 5ffadf7560f479d0ad75afb7d936b11dc26cb8a59b24aef70d48fbea28fa0f7e
  SHA512: 375cffd2db25ad0829ce7a4f3f12b65170ec43cc082d82ab66d1cbff70ff8a340d7c66a60a3b2e95e06921326ba7106bf1a8af5cd4583df905ed490a0e5cf138