Analysis

  • max time kernel
    149s
  • max time network
    170s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20/02/2024, 14:37

General

  • Target

    VirusSign.2024.02.08/03ba9978296204d2048fb184e546932b.exe

  • Size

    4.0MB

  • MD5

    03ba9978296204d2048fb184e546932b

  • SHA1

    63fc0f70834a1868681c1ac8bf9dca778221816c

  • SHA256

    0af366e7b4fa57f57a14aec07cd5c2991809e96b3d240c9440c1c6e59576a16e

  • SHA512

    4f6c5cb0048ae1d3a8b39c7dcd2fb3901402dac55309efe453b69b7ded5efa8085f27144e766eeddb1c9d38a857dfa7b2bf1cbd6fc52d65348dd76bb3cab3ed4

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBJB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpabVz8eLFcz

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\VirusSign.2024.02.08\03ba9978296204d2048fb184e546932b.exe (PID 5060, depth 1)
    Command line: "C:\Users\Admin\AppData\Local\Temp\VirusSign.2024.02.08\03ba9978296204d2048fb184e546932b.exe"
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe (PID 3800, depth 2, child of PID 5060)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
    • C:\FilesSN\abodsys.exe (PID 1988, depth 2, child of PID 5060)
      Command line: C:\FilesSN\abodsys.exe
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
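The Signatures and Processes sections together describe one persistence chain: the sample in %TEMP% writes an executable into the user's Startup folder, writes a second one under C:\FilesSN, registers a Run key, and then launches both dropped files. The following is an added example, not part of the tria.ge report, showing how those three signatures ("Drops startup file", "Adds Run key to start application", "Executes dropped EXE") can be expressed as rules over endpoint telemetry. The event records are constructed in a Sysmon-like shape (event id 1 process create, 11 file create, 13 registry value set) to mirror the report's process tree; they are not sandbox output. The Run key value name `abodsys`, the explorer.exe parent PID 4016 and the benign "Vendor" events are assumptions made for the demonstration. The EnumeratesProcesses and WriteProcessMemory signatures are not modelled here.

```python
"""Behavioural detection for the persistence chain in this report.

Added example, not part of the tria.ge report. Events are constructed in a
Sysmon-like shape to mirror the report's process tree; the Run key value
name, the explorer.exe parent PID and the benign events are assumptions.
"""
import re
from collections import defaultdict

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\VirusSign.2024.02.08\03ba9978296204d2048fb184e546932b.exe"
STARTUP_EXE = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
DROPPED_EXE = r"C:\FilesSN\abodsys.exe"

# Constructed events, in the order they would be logged.
# id 1 = process create, 11 = file create, 13 = registry value set.
EVENTS = [
    {"id": 1, "pid": 5060, "parent_pid": 4016, "image": DROPPER},          # parent PID assumed
    {"id": 11, "pid": 5060, "image": DROPPER, "target": STARTUP_EXE},
    {"id": 11, "pid": 5060, "image": DROPPER, "target": DROPPED_EXE},
    {"id": 13, "pid": 5060, "image": DROPPER,                               # value name assumed
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\abodsys",
     "details": DROPPED_EXE},
    {"id": 1, "pid": 3800, "parent_pid": 5060, "image": STARTUP_EXE},
    {"id": 1, "pid": 1988, "parent_pid": 5060, "image": DROPPED_EXE},
    # Constructed benign activity that must not fire any rule.
    {"id": 13, "pid": 4242, "image": r"C:\Program Files\Vendor\app.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Vendor",
     "details": r"C:\Program Files\Vendor\app.exe"},
    {"id": 11, "pid": 4242, "image": r"C:\Program Files\Vendor\app.exe",
     "target": r"C:\Users\Admin\Documents\report.docx"},
]

# Executable-ish files landing in the per-user Startup folder.
STARTUP_EXE_RE = re.compile(
    r"\\Start Menu\\Programs\\Startup\\[^\\]+\.(exe|dll|scr|bat|cmd|vbs|js|lnk)$", re.I)
# Run / RunOnce keys under any hive.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# Heuristic: only the OS and Program Files trees count as trusted launch roots;
# anything user-writable (Temp, AppData, ad-hoc folders like C:\FilesSN) is suspect.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def under_trusted_root(path):
    return path.strip('"').lower().startswith(TRUSTED_ROOTS)


def detect(events):
    """Return (rule, pid, artefact) tuples for the three report signatures."""
    alerts = []
    written = defaultdict(set)  # pid -> files it created, for 'executes dropped EXE'
    for ev in events:
        if ev["id"] == 11:
            written[ev["pid"]].add(ev["target"].lower())
            if STARTUP_EXE_RE.search(ev["target"]):
                alerts.append(("drops_startup_file", ev["pid"], ev["target"]))
        elif ev["id"] == 13:
            if RUN_KEY_RE.search(ev["target"]) and not under_trusted_root(ev["details"]):
                alerts.append(("run_key_untrusted_path", ev["pid"], ev["details"]))
        elif ev["id"] == 1:
            # A process whose image was written by its own parent is a dropped EXE.
            if ev["image"].lower() in written.get(ev["parent_pid"], ()):
                alerts.append(("executes_dropped_exe", ev["pid"], ev["image"]))
    return alerts


if __name__ == "__main__":
    for rule, pid, artefact in detect(EVENTS):
        print(f"{rule:24} pid={pid} {artefact}")
```

Run against the constructed events this yields four alerts, all attributable to the report's three PIDs (5060, 3800, 1988), and none for the benign events. The "executes dropped EXE" rule keys on parent-wrote-then-spawned, which survives renaming of the dropped file; the Run key rule is a heuristic and will miss persistence that points into Program Files, so treat it as one signal among several.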

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\FilesSN\abodsys.exe
    Filesize: 4.0MB
    MD5: fe6636e840f1a74542686b01eeaa8bba
    SHA1: a83219ef9e15efd01d50ec03da0259dd2d82d991
    SHA256: 8166b39a8758948a10c1549ee808645175bf0a5014239b66035e3f0e56f00bf6
    SHA512: 341c67f0a4d6df74d0b65f9e83d79b8f98127f4333f671dd0a57afeb9db8028cac7639037eb3c0c29129f344d1e30bcbae888451eb7ce842cdea219d50884e45

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 202B
    MD5: edebbd06f8cb83e285354fb731486e10
    SHA1: dc0d58f661da5dfef47cdd309296ac36397a9271
    SHA256: 2cfa51f9e07f20ca9f152bff1f391d5f30f5a16bb99b8760e7362d76e2d729b9
    SHA512: 37decbc4dc275aca9995be11021795d967e4f5a297e4bb9d328c2f461e3c13383f6b8a3b4ebc97493cbbb937067c0c7603f1e6a767b3bfea99343c210852a8f3

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 170B
    MD5: 9ee34dd2aee21fe55b8b2dca2f7df6f5
    SHA1: 713e57a426664ddd381749ad6bc7fa6d7c265144
    SHA256: 4314a092cb270fb149bed4bf189aec894e06e9c93451c1dbe0917f5cb2d4eed8
    SHA512: 7d6cbb4dd013aaf1b9442989a12a906466519ce8342ec23c03da4ff1da4ad7be781a63133dd4189868cf3f9ee92ac858ac4e64336d88d68b37aced8069d3c8ba

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
    Filesize: 4.0MB
    MD5: 624da640aa949bf56c96bee7fa3821c8
    SHA1: ba8266c066f13c03042620846f932ceeaea77c55
    SHA256: 78b5181b21dd16a55db275b6590a8c811a94c3c8c054519bac6630855ffda413
    SHA512: bbc69221192b2fd6c9aac22ede02428f9715e8ec349888b50deb9e679d0d29db35f512d4f10ee65ab1dbe5adc334e894e1eddd4b812663e12a29ce20d21028c0

  • C:\VidMY\boddevec.exe
    Filesize: 4.0MB
    MD5: 08d5ca5d2f4a4e5d1d80e82f56fdf104
    SHA1: e780a75d9581f3fcf61491fc39813a07f8286ed9
    SHA256: 93c508e64bc9d8f8e4c9b279ada6ed643e7338e8f698781678dc47746c13c43f
    SHA512: ccc43488cbd4e8fb6870c502c05da2065c7cb4a69b402449d4e8155d45872b2a7d43874043edea05a9908fef1a1e0035839000e60bcfb2e42eddaacd02be896d

  • C:\VidMY\boddevec.exe
    Filesize: 4.0MB
    MD5: c62be9c26e58e88cd59cab1ef8874685
    SHA1: 7761e33ccad863281d21ea4f3b4957a0be445a9e
    SHA256: 5db061815aa278b19d0d4e5e73f34e3c4e374fce4c1df8d40b413707bd22f67c
    SHA512: 8320144b2f3c699c9527d627a4c035607e28b8d273432ac1ff68baa9d4da2d25d79ba3643e6644c3c88834143516979ab3bc77ad7d302785439fb9063848dfca
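Two things in the dropped-file table matter when turning it into indicators: the same path appears twice with different hashes (the `.ini` at 202B and 170B, and `boddevec.exe` twice at 4.0MB), so the sample rewrites its own artefacts during a run, and every 4.0MB executable (the original, `sysdevbod.exe`, `abodsys.exe`, both `boddevec.exe` versions) carries a different hash, so a single exact hash will not match the copies this sample leaves behind. The following is an added example, not part of the tria.ge report, that loads the table above as an IOC list, hashes input with all four algorithms in one pass, distinguishes a clean match from a partial one (some digests agree, some do not, which indicates a transcription error or a deliberately tampered record rather than a real hit), and lists the paths recorded with more than one content version. The bytes hashed in the demonstration are constructed and are not the malware; SHA512 values are omitted from the table only for brevity.

```python
"""Hash-based IOC checks built from the Downloads table of this report.

Added example, not part of the tria.ge report. IOC_TABLE is copied from the
report; the bytes hashed for the demonstration are constructed.
"""
import hashlib
from collections import defaultdict

# (path, size as shown in the report, md5, sha1, sha256)
IOC_TABLE = [
    ("C:\\FilesSN\\abodsys.exe", "4.0MB",
     "fe6636e840f1a74542686b01eeaa8bba",
     "a83219ef9e15efd01d50ec03da0259dd2d82d991",
     "8166b39a8758948a10c1549ee808645175bf0a5014239b66035e3f0e56f00bf6"),
    ("C:\\Users\\Admin\\253086396416_10.0_Admin.ini", "202B",
     "edebbd06f8cb83e285354fb731486e10",
     "dc0d58f661da5dfef47cdd309296ac36397a9271",
     "2cfa51f9e07f20ca9f152bff1f391d5f30f5a16bb99b8760e7362d76e2d729b9"),
    ("C:\\Users\\Admin\\253086396416_10.0_Admin.ini", "170B",
     "9ee34dd2aee21fe55b8b2dca2f7df6f5",
     "713e57a426664ddd381749ad6bc7fa6d7c265144",
     "4314a092cb270fb149bed4bf189aec894e06e9c93451c1dbe0917f5cb2d4eed8"),
    ("C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\sysdevbod.exe", "4.0MB",
     "624da640aa949bf56c96bee7fa3821c8",
     "ba8266c066f13c03042620846f932ceeaea77c55",
     "78b5181b21dd16a55db275b6590a8c811a94c3c8c054519bac6630855ffda413"),
    ("C:\\VidMY\\boddevec.exe", "4.0MB",
     "08d5ca5d2f4a4e5d1d80e82f56fdf104",
     "e780a75d9581f3fcf61491fc39813a07f8286ed9",
     "93c508e64bc9d8f8e4c9b279ada6ed643e7338e8f698781678dc47746c13c43f"),
    ("C:\\VidMY\\boddevec.exe", "4.0MB",
     "c62be9c26e58e88cd59cab1ef8874685",
     "7761e33ccad863281d21ea4f3b4957a0be445a9e",
     "5db061815aa278b19d0d4e5e73f34e3c4e374fce4c1df8d40b413707bd22f67c"),
]


def digest_all(data, chunk=1 << 20):
    """md5/sha1/sha256/sha512 of a bytes object or a binary file object, one pass."""
    hashers = {n: hashlib.new(n) for n in ("md5", "sha1", "sha256", "sha512")}
    if isinstance(data, (bytes, bytearray)):
        for h in hashers.values():
            h.update(data)
    else:
        while True:
            block = data.read(chunk)
            if not block:
                break
            for h in hashers.values():
                h.update(block)
    return {n: h.hexdigest() for n, h in hashers.items()}


def lookup(digests, table=IOC_TABLE):
    """Return ('exact', path) for rows where md5, sha1 and sha256 all agree and
    ('partial', path) where only some do. A partial match never means the file
    is the recorded artefact; it means the record or the file is wrong."""
    hits = []
    for path, _size, md5, sha1, sha256 in table:
        agree = (digests["md5"] == md5, digests["sha1"] == sha1, digests["sha256"] == sha256)
        if all(agree):
            hits.append(("exact", path))
        elif any(agree):
            hits.append(("partial", path))
    return hits


def rewritten_paths(table=IOC_TABLE):
    """Paths recorded with more than one distinct content: the sample rewrote
    them during the run, so one hash per path does not describe the artefact."""
    seen = defaultdict(set)
    for path, _size, _md5, _sha1, sha256 in table:
        seen[path].add(sha256)
    return sorted(p for p, s in seen.items() if len(s) > 1)


if __name__ == "__main__":
    sample = b"constructed sample bytes, not the malware"  # constructed input
    print(lookup(digest_all(sample)))   # [] : constructed bytes match nothing
    print(rewritten_paths())
```

For hunting, feed the SHA256 column into the hash field of whatever EDR or file-integrity tool is in use, but pair it with the path and persistence indicators from the Processes section: the hash set pins down this run's artefacts exactly, and the differing hashes across same-sized executables are the reason behaviour-based rules catch more of this family than hashes do.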