Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/04/2024, 04:18

General

  • Target

    dfdd49dad59ceb9aaef548e2e5837e3cb6e053f789c12b76010714e8e16beeaa.exe

  • Size

    3.2MB

  • MD5

    8213a9258de910ac54e809856cf29c3e

  • SHA1

    49b0e82b0c44929666852484033c2d3f08db4095

  • SHA256

    dfdd49dad59ceb9aaef548e2e5837e3cb6e053f789c12b76010714e8e16beeaa

  • SHA512

    3d2a8a344fb56ad9f66f4918723ba54f402085410c4dfa553ccf353010d4e166c582084fdec74cd3321c21874825925b5c80320361bde3f3362888a8cd0f2e35

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBsB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUp7bVz8eLFcz

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and other sensitive information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dfdd49dad59ceb9aaef548e2e5837e3cb6e053f789c12b76010714e8e16beeaa.exe
    "C:\Users\Admin\AppData\Local\Temp\dfdd49dad59ceb9aaef548e2e5837e3cb6e053f789c12b76010714e8e16beeaa.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3004
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:5008
    • C:\IntelprocPA\xoptisys.exe
      C:\IntelprocPA\xoptisys.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:3112

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\IntelprocPA\xoptisys.exe

    Filesize

    3.2MB

    MD5

    953020cc9463346a7e98aebde3b807e5

    SHA1

    7ea851a8794022a7ac43fabef2141108bad82346

    SHA256

    0c3d632672cbae06fcc5812011147c3fe2eb448ff354821fcb6ae524cb93a012

    SHA512

    ffb698167c76fd1a25422024c09f86d65a241b092318c205e200e565dbc9ef6cf9b16ec650819ce943be8ae9382b2506f83ae9fcc350dc7cbb87bcc1dbf192b7

  • C:\KaVBFN\boddevec.exe

    Filesize

    4KB

    MD5

    b61f1c7ad73efe910c92dd7a7c9a7a0e

    SHA1

    da9ddf3e1877afc7efd9c8d203fc7f7be3458ddd

    SHA256

    b362504c75e4817110ee35bd9d522710e988aa3feb5cfb08054cbe0cfa6e45f0

    SHA512

    224073e4b1011e45541352166fffbcb47dc06282baa16dc5279ee78e858f642e1495bf79dc1ee547b1db3adc2c1a1fbb08ea75a50ef49d2a238000e931ebc155

  • C:\KaVBFN\boddevec.exe

    Filesize

    3.2MB

    MD5

    eb796be35930db00d265ad06675bdb2a

    SHA1

    b21d607d6e8aa4c9707917b3a77424ca46cc0e62

    SHA256

    827d1948a11495b78b972f66175b08217e4b4961e131e9ea98cfe57b884d7d7a

    SHA512

    86484b7e65cf421be80d7182e630fdc7024d70ac17915ae01680b462aafdba91c4619fc5dc9efdc48fd97fa8c3d25df9a4036ee3dc5e3d0383a3859742f32501

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    206B

    MD5

    3337ec598e6cbc6312f61bfa8a66281e

    SHA1

    93dfbc1f9b624242d7bb0ee090217d4c71279971

    SHA256

    1109a53c85ed620fd884e8fd445b59a184d71b6d037a5e2d22b03c6c3912f887

    SHA512

    bf0545cc6e534dd9e472ba9b17fb7c7c22e5b3544b6809857d3f200c3b8fa2bd13646200a0d9dfbd86b434e1436fecf7c92ac8b7779a14146c1b4068e165d960

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    174B

    MD5

    f4b7adb303ed185cc0c307e7e3b2adb7

    SHA1

    d953076b2d04f4b0f2535c33d741f1e645cc346c

    SHA256

    141db3f72a42bc509b45f69e59958f88bff1db0007532e2cc24f382594847588

    SHA512

    a3c5444d0a1a1e047943c9c8c24682dce4b9cd971e2b229b7028c903c25bcc495e069e30ffd59be4b8382227af5921edc974a1dce2f346bc057f0c558938eee7

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe

    Filesize

    3.2MB

    MD5

    3964de7d80cbd1ff0492f3b2915afa7e

    SHA1

    a4faea0a60a96946887904e426e7089bdb963b81

    SHA256

    802ac0f13f9647f9e8b81260e7600cd758d2852f595d1a1b35125da668f0ba75

    SHA512

    576948e693a127776cc9bcf0217f72bebc3b1e68177567615dfe11839a2ad587260108d3f0f90e730fe8c5f0afaa4fca7cdf6063b352db22135a9e2291fe7bb7