Analysis

  • max time kernel
    149s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags
    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    27/10/2024, 22:38

General

  • Target

    46881c4fbfb757bf00ee6581931c029c16263fdf6da13bad813487e7f494c196.exe

  • Size

    2.6MB

  • MD5

    3359108b78cd44cab95b299de1416f5b

  • SHA1

    76905f1a3e52c8c1baf47cdf31b42563792e602c

  • SHA256

    46881c4fbfb757bf00ee6581931c029c16263fdf6da13bad813487e7f494c196

  • SHA512

    90722e1d71595508d44a36425f97976b4c68035bc738b7f41d39a094fcf4d2cbc1844c6052497406293751066fbe09c31e3f899ce0873608c1b0c82289663795

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB7B/bS:sxX7QnxrloE5dpUpMb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\46881c4fbfb757bf00ee6581931c029c16263fdf6da13bad813487e7f494c196.exe
    "C:\Users\Admin\AppData\Local\Temp\46881c4fbfb757bf00ee6581931c029c16263fdf6da13bad813487e7f494c196.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2888
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2792
    • C:\AdobeJV\devoptisys.exe
      C:\AdobeJV\devoptisys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1984
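
The persistence and execution behaviours flagged above (a file dropped into the user's Startup folder, a Run key written, and dropped executables launched from C:\AdobeJV and C:\Vid8K) as a host-side hunt over Sysmon-style process, file and registry events. This is an added example and not part of the tria.ge report or the sample: the file paths and SHA256 values are taken from this report, while the log line format, the Run value name devoptisys and the user SID are constructed, since the report does not state which Run value was written.

```python
"""Hunt for the Startup-folder drop, Run-key write and dropped-EXE execution
this report describes, using Key="Value" event lines in a constructed,
Sysmon-like format. Added example, not tria.ge or sample code."""
import re

# SHA256 values copied from the report: the submitted sample and the
# executables it dropped (dobaloc.exe was written twice with different content).
KNOWN_SHA256 = {
    "46881c4fbfb757bf00ee6581931c029c16263fdf6da13bad813487e7f494c196": "submitted sample",
    "938acca53a125409a54cb3bbd38cfeb64d62e3fd2bc0042ab44971748f853a2b": r"C:\AdobeJV\devoptisys.exe",
    "bf230f7a9a68b82bb2bfa9ab01b39c682c686781788bc13c602822fe8973d609": r"C:\Vid8K\dobaloc.exe",
    "741c71ff8a2ff832016263dd93823933f5f2cd9fd582c256cfd46da7063f2263": r"C:\Vid8K\dobaloc.exe",
    "ddc9cf787c83659e07882e1f1019b208525f5df5522471562c58f59f2760c406": r"Startup\sysxdob.exe",
}

# Paths that matter for this sample: the per-user Startup folder, the
# CurrentVersion\Run key, and the two root-level directories it created.
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
DROP_DIRS = re.compile(r"^[A-Za-z]:\\(AdobeJV|Vid8K)\\", re.I)

# Constructed events (not captured from the sandbox). Event IDs follow Sysmon:
# 1 = ProcessCreate, 11 = FileCreate, 13 = RegistryValueSet. The Run value
# name and the SID are assumptions; the two last lines are benign noise.
SAMPLE_EVENTS = r"""
EventID="1" Image="C:\Users\Admin\AppData\Local\Temp\46881c4fbfb757bf00ee6581931c029c16263fdf6da13bad813487e7f494c196.exe" ParentImage="C:\Windows\explorer.exe" Hashes="SHA256=46881c4fbfb757bf00ee6581931c029c16263fdf6da13bad813487e7f494c196"
EventID="11" Image="C:\Users\Admin\AppData\Local\Temp\46881c4fbfb757bf00ee6581931c029c16263fdf6da13bad813487e7f494c196.exe" TargetFilename="C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
EventID="13" Image="C:\Users\Admin\AppData\Local\Temp\46881c4fbfb757bf00ee6581931c029c16263fdf6da13bad813487e7f494c196.exe" TargetObject="HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run\devoptisys" Details="C:\AdobeJV\devoptisys.exe"
EventID="1" Image="C:\AdobeJV\devoptisys.exe" ParentImage="C:\Users\Admin\AppData\Local\Temp\46881c4fbfb757bf00ee6581931c029c16263fdf6da13bad813487e7f494c196.exe" Hashes="SHA256=938acca53a125409a54cb3bbd38cfeb64d62e3fd2bc0042ab44971748f853a2b"
EventID="1" Image="C:\Windows\System32\notepad.exe" ParentImage="C:\Windows\explorer.exe" Hashes="SHA256=0000000000000000000000000000000000000000000000000000000000000000"
EventID="11" Image="C:\Windows\explorer.exe" TargetFilename="C:\Users\Admin\Desktop\notes.txt"
"""


def parse_event(line):
    """Turn one Key="Value" ... line into a dict; unknown or empty lines give {}."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))


def sha256_from_hashes(field):
    """Sysmon stores Hashes as 'SHA256=...,MD5=...'; return the SHA256 part or None."""
    for part in field.split(","):
        name, _, value = part.partition("=")
        if name.strip().upper() == "SHA256":
            return value.strip().lower()
    return None


def hunt(lines):
    """Return (rule, detail) hits, one per matching behaviour per event."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if not ev:
            continue
        eid = ev.get("EventID")
        if eid == "11" and STARTUP_DIR.search(ev.get("TargetFilename", "")):
            hits.append(("startup_folder_drop", ev["TargetFilename"]))
        elif eid == "13" and RUN_KEY.search(ev.get("TargetObject", "")):
            hits.append(("run_key_persistence", ev["TargetObject"]))
        elif eid == "1":
            image = ev.get("Image", "")
            # Execution from the created root directories or from Startup.
            if DROP_DIRS.search(image) or STARTUP_DIR.search(image):
                hits.append(("exec_from_dropped_path", image))
            # Exact-hash match against the report's dropped files.
            digest = sha256_from_hashes(ev.get("Hashes", ""))
            if digest in KNOWN_SHA256:
                hits.append(("known_sha256", f"{image} = {KNOWN_SHA256[digest]}"))
    return hits


def demo():
    """Run the hunt over the constructed events."""
    return hunt(SAMPLE_EVENTS.strip().splitlines())


if __name__ == "__main__":
    for rule, detail in demo():
        print(f"{rule:24} {detail}")
```

The path rules fire on behaviour rather than on the sample's hashes, so a rebuilt dropper that still writes to the Startup folder or launches from C:\AdobeJV is caught even when every hash differs; the SHA256 rule is kept as the high-confidence confirmation for this specific build.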

Network

Downloads

  • C:\AdobeJV\devoptisys.exe

    Filesize

    2.6MB

    MD5

    9cd6f22f084aa3904d80442b75b431f1

    SHA1

    695eaa441613779ae44bdf2dadac21f98f3cca54

    SHA256

    938acca53a125409a54cb3bbd38cfeb64d62e3fd2bc0042ab44971748f853a2b

    SHA512

    2af11a3fd68754ef3b79231258fdcc5a56eba30d1331bbb7a757f03fc557e76b1ead3842ba5181d1582d9817147594e2fbaeed37351551262209e52c99dc82e1

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    170B

    MD5

    738f848932189c89bdc6e386557c8a39

    SHA1

    9b6ae7dbc2a44f745ca765cf830ac59c00026afd

    SHA256

    c546309e6cf284067226b0523fc8044f8b05d0352041d8ccd2661509b117bee4

    SHA512

    23b708e42086fffdde8726cda26f8038a81f1a36701d57191e36d5f5f083f0507b89545a1353d276a5a9719ae09ab75b2d44d8f62751b0cef4c523e1a5e9a2ac

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    202B

    MD5

    221b284a61d0fa77f32a453c72d3a4c4

    SHA1

    0025f965526b4eefb67a3b213a2c6c8c9b6bd8b9

    SHA256

    2145b59cdf5f4da0737caaa6f8300610e6b3cf8c46d7b2629ae36b23aa131f69

    SHA512

    975efa10c06e43a14f41dd5f89360e449cc144b3d51405404d892bcfa00facbf89407bb6f11c995b276e5045428d70f58ef5dcdb62e7f343b5625a74c34bb5f4

  • C:\Vid8K\dobaloc.exe

    Filesize

    2.6MB

    MD5

    1d3f22a58af67bb367322ba617cc853f

    SHA1

    c9e9712a545909f3829969b382d97b7902cbbf49

    SHA256

    bf230f7a9a68b82bb2bfa9ab01b39c682c686781788bc13c602822fe8973d609

    SHA512

    85c65ddf64ff4a8d4bbc8808daee06951ab7fc1548416b8db57410d2ac0395c3dc53e3524954e193e8c5990b92766790ed81d24e84f530481784837c175c7f21

  • C:\Vid8K\dobaloc.exe

    Filesize

    2.6MB

    MD5

    edf88230cb374bd23882f08159ff3301

    SHA1

    d02f7618b58a9afd336e105c11cf063f4bff5556

    SHA256

    741c71ff8a2ff832016263dd93823933f5f2cd9fd582c256cfd46da7063f2263

    SHA512

    9916c1e33006e17e08342987e63c53e371fc0d0cae1f151db17241faa18cf532eb40a164b86659b799849d3dbb3ce29582cdd9f16a15cf50d8a2c6bd0011c398

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe

    Filesize

    2.6MB

    MD5

    9ddde5ee62e867c59ed0b5e68d56ce95

    SHA1

    26d607615dc6e6542b981b84e2df8607c04f2121

    SHA256

    ddc9cf787c83659e07882e1f1019b208525f5df5522471562c58f59f2760c406

    SHA512

    cef6ae5892d9266faf1e91bd8342895927552a2c5492aef6f89e98d1e2484dda083d2ee25361e506ba3d28afe75eb32b3e13c49a0aabe2dfc924f788e0b08e2a