Analysis
max time kernel: 149s
max time network: 127s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 27/10/2024, 22:38
Static task: static1
Behavioral task: behavioral1
  Sample: 46881c4fbfb757bf00ee6581931c029c16263fdf6da13bad813487e7f494c196.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: 46881c4fbfb757bf00ee6581931c029c16263fdf6da13bad813487e7f494c196.exe
  Resource: win10v2004-20241007-en
General
Target: 46881c4fbfb757bf00ee6581931c029c16263fdf6da13bad813487e7f494c196.exe
Size: 2.6MB
MD5: 3359108b78cd44cab95b299de1416f5b
SHA1: 76905f1a3e52c8c1baf47cdf31b42563792e602c
SHA256: 46881c4fbfb757bf00ee6581931c029c16263fdf6da13bad813487e7f494c196
SHA512: 90722e1d71595508d44a36425f97976b4c68035bc738b7f41d39a094fcf4d2cbc1844c6052497406293751066fbe09c31e3f899ce0873608c1b0c82289663795
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB7B/bS:sxX7QnxrloE5dpUpMb
Malware Config
Signatures
Drops startup file 1 IoCs
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
  Process: 46881c4fbfb757bf00ee6581931c029c16263fdf6da13bad813487e7f494c196.exe
Executes dropped EXE 2 IoCs
  pid 2792  Process: sysxdob.exe
  pid 1984  Process: devoptisys.exe
Loads dropped DLL 2 IoCs
  pid 2888  Process: 46881c4fbfb757bf00ee6581931c029c16263fdf6da13bad813487e7f494c196.exe
  pid 2888  Process: 46881c4fbfb757bf00ee6581931c029c16263fdf6da13bad813487e7f494c196.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 2 IoCs
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeJV\\devoptisys.exe"
  Process: 46881c4fbfb757bf00ee6581931c029c16263fdf6da13bad813487e7f494c196.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid8K\\dobaloc.exe"
  Process: 46881c4fbfb757bf00ee6581931c029c16263fdf6da13bad813487e7f494c196.exe
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: 46881c4fbfb757bf00ee6581931c029c16263fdf6da13bad813487e7f494c196.exe
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: sysxdob.exe
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: devoptisys.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
  pid / Process (distinct entries)
  pid 2888  Process: 46881c4fbfb757bf00ee6581931c029c16263fdf6da13bad813487e7f494c196.exe
  pid 2792  Process: sysxdob.exe
  pid 1984  Process: devoptisys.exe
Suspicious use of WriteProcessMemory 8 IoCs
  description: PID 2888 wrote to memory of 2792
  pid: 2888
  Process: 46881c4fbfb757bf00ee6581931c029c16263fdf6da13bad813487e7f494c196.exe
  procid_target: 30
  (recorded 4 times)
  description: PID 2888 wrote to memory of 1984
  pid: 2888
  Process: 46881c4fbfb757bf00ee6581931c029c16263fdf6da13bad813487e7f494c196.exe
  procid_target: 31
  (recorded 4 times)
Processes
C:\Users\Admin\AppData\Local\Temp\46881c4fbfb757bf00ee6581931c029c16263fdf6da13bad813487e7f494c196.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\46881c4fbfb757bf00ee6581931c029c16263fdf6da13bad813487e7f494c196.exe"
  PID: 2888
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  ├─ C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
  │    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
  │    PID: 2792
  │    - Executes dropped EXE
  │    - System Location Discovery: System Language Discovery
  │    - Suspicious behavior: EnumeratesProcesses
  └─ C:\AdobeJV\devoptisys.exe
       command line: C:\AdobeJV\devoptisys.exe
       PID: 1984
       - Executes dropped EXE
       - System Location Discovery: System Language Discovery
       - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads