Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22/04/2024, 19:15

General

  • Target
    18a2ac5c4baf460f18a88030e2f8f4c1084beafd126f156cd0bc4e78e86446a7.exe
  • Size
    3.2MB
  • MD5
    6733057c3df40829370247b699a3a581
  • SHA1
    29d1f4bf67043f347e96184dfee97bc4622397a8
  • SHA256
    18a2ac5c4baf460f18a88030e2f8f4c1084beafd126f156cd0bc4e78e86446a7
  • SHA512
    58fbe8a4da38bf460d702f72e5c4d2602da197c9771ab716b74e893f602335291729d46f4e680dfabfcd372d26b44d12f3d78d6ad0d00ad8ebb547beed1a68a1
  • SSDEEP
    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBFB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpWbVz8eLFcz

Malware Config

Signatures

  • Drops startup file (1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\18a2ac5c4baf460f18a88030e2f8f4c1084beafd126f156cd0bc4e78e86446a7.exe (depth 1)
    "C:\Users\Admin\AppData\Local\Temp\18a2ac5c4baf460f18a88030e2f8f4c1084beafd126f156cd0bc4e78e86446a7.exe"
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4652
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe (depth 2)
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2704
    • C:\UserDot0U\devdobsys.exe (depth 2)
      C:\UserDot0U\devdobsys.exe
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:1720

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\UserDot0U\devdobsys.exe
    Filesize: 3.2MB
    MD5: 21e089e19973318cfa3b074a21e26af0
    SHA1: f0806a70a3f51f5fb43af65e7756eec9c67cb0e2
    SHA256: 258657a776f751dca53ed9697b45fe8573a7db4269c58cb62b68f002dab614e8
    SHA512: 809e83d1e1c797d10169754f48ce40e7dcb6b91c70dfb982a4b0e65aa885c5dd29167e5138c708150d525da1398f639fc7bdef2f9414c117dddebba21006f2dc

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 208B
    MD5: c3118462c9a7ad68a364a58b00379a65
    SHA1: 2e7fc89f3802c31bc96717cc3041e56fb2224b02
    SHA256: 42f783a71bb0bbcb8d589c4b2ff0a3018073992470e08926b9a5adbfed5fe705
    SHA512: 6d2f6d5abcc4f9465575d7eba15e3e04a5d1ccae90da2079b5820191f3d07afa51f2eb158b17f211623c00d8650dccf745718a60105129473af56a7d1a5df61f

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 176B
    MD5: b48033c0374e4eea5fd608c5a5abacd6
    SHA1: 4098644639fbb9e94e8758d9c1f86ce9fb0d8945
    SHA256: 96c69ea7e49249e558a1ec951878e480825f298d9b36bc84630712b2c82bf577
    SHA512: abf2ec7eb1f7ada439a0170d3b5bbb09b168136598032f0fe39e18a1595d4ddf51ab74a7b0a9d7a45629b6dcd1febb1b3d103944f727d97315f3477391427ce0

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
    Filesize: 3.2MB
    MD5: 0aa81dcf0d30761da8512de575954895
    SHA1: 81016d0f279ac1433903328c8f2867d51456360b
    SHA256: 421d315f740b29b4dddc2b6eb8a19d828ed9536f677976229cb153c3cec46750
    SHA512: 442e0630f6f82a352ddbb0f19f4901de0bbcbb484d02cb17e0677c40637320e453c45711300ade06b96f8e911fe47fb04bd08a924203161a146ade27cd32d00d

  • C:\VidAL\optidevec.exe
    Filesize: 3.2MB
    MD5: 4a79594f2eb648c0dda145dae896b61b
    SHA1: 834caf65ad86d320d57117f9581120b5a8d2f0fb
    SHA256: 834ba9b98179b5298f18818211fcdb44435449321556cad0dd9d2b76ed17c273
    SHA512: 20f6f4d1d1eb9cc24804daeea16b4d641048bbf7399d3d7971f23f890a227cb8aed0ccc289b0a7489b6a841340f63e9089d5d57e8ee716f20a4cbe06044c9efa

  • C:\VidAL\optidevec.exe
    Filesize: 3.2MB
    MD5: e1c693c46266be0dd9fc9cf7a776ede3
    SHA1: b6b0bba4129b46f939dc0b052d0d3b4902e85c46
    SHA256: 70020a977f57731b4babd278f472c053dc916fcf75d2efc6b7efa30fdb2713c5
    SHA512: 9e993dfcf9d341b8cbe4d89c0f4e4a37357b5023b52580061d2a2be2e0ad04f7948220bb8f443d2c997a8604753fbd4a5a6e0b510ad1467a639fc3fbedd767fb