Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/05/2024, 21:00
Static task: static1
Behavioral task: behavioral1
- Sample: 43106d0e8bcc809ca1846b8f8f337c9115a9ee1fb37b30fc0bba4074cca79b8a.exe
- Resource: win7-20240220-en
Behavioral task: behavioral2
- Sample: 43106d0e8bcc809ca1846b8f8f337c9115a9ee1fb37b30fc0bba4074cca79b8a.exe
- Resource: win10v2004-20240508-en
General
- Target: 43106d0e8bcc809ca1846b8f8f337c9115a9ee1fb37b30fc0bba4074cca79b8a.exe
- Size: 3.0MB
- MD5: 44baab70116f04bf66825695716ac7d7
- SHA1: e82790893da33573ed32d0ed8fbd1d3565fc0ea8
- SHA256: 43106d0e8bcc809ca1846b8f8f337c9115a9ee1fb37b30fc0bba4074cca79b8a
- SHA512: 1175955d67bcda448a1890c09e2e99aeaba2864b3ee63c449a0039837f519b13b49a6bdaeb89e0f95ae8f676da6c092a83b3e2f22d229b53acd8ace61734d0a6
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBeB/bSqz8b6LNX:sxX7QnxrloE5dpUpVbVz8eLF
Malware Config
Signatures
- Drops startup file (1 IoC)
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
  process: 43106d0e8bcc809ca1846b8f8f337c9115a9ee1fb37b30fc0bba4074cca79b8a.exe
- Executes dropped EXE (2 IoCs)
  pid 1212: locxbod.exe
  pid 3564: xbodsys.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvWC\\xbodsys.exe"
  process: 43106d0e8bcc809ca1846b8f8f337c9115a9ee1fb37b30fc0bba4074cca79b8a.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintIR\\dobdevsys.exe"
  process: 43106d0e8bcc809ca1846b8f8f337c9115a9ee1fb37b30fc0bba4074cca79b8a.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
- Suspicious use of WriteProcessMemory (6 IoCs)
  description: PID 1916 wrote to memory of 1212; pid: 1916; process: 43106d0e8bcc809ca1846b8f8f337c9115a9ee1fb37b30fc0bba4074cca79b8a.exe; procid_target: 90
  description: PID 1916 wrote to memory of 1212; pid: 1916; process: 43106d0e8bcc809ca1846b8f8f337c9115a9ee1fb37b30fc0bba4074cca79b8a.exe; procid_target: 90
  description: PID 1916 wrote to memory of 1212; pid: 1916; process: 43106d0e8bcc809ca1846b8f8f337c9115a9ee1fb37b30fc0bba4074cca79b8a.exe; procid_target: 90
  description: PID 1916 wrote to memory of 3564; pid: 1916; process: 43106d0e8bcc809ca1846b8f8f337c9115a9ee1fb37b30fc0bba4074cca79b8a.exe; procid_target: 95
  description: PID 1916 wrote to memory of 3564; pid: 1916; process: 43106d0e8bcc809ca1846b8f8f337c9115a9ee1fb37b30fc0bba4074cca79b8a.exe; procid_target: 95
  description: PID 1916 wrote to memory of 3564; pid: 1916; process: 43106d0e8bcc809ca1846b8f8f337c9115a9ee1fb37b30fc0bba4074cca79b8a.exe; procid_target: 95
Processes
- C:\Users\Admin\AppData\Local\Temp\43106d0e8bcc809ca1846b8f8f337c9115a9ee1fb37b30fc0bba4074cca79b8a.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\43106d0e8bcc809ca1846b8f8f337c9115a9ee1fb37b30fc0bba4074cca79b8a.exe"
  PID: 1916
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe (depth 2)
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
    PID: 1212
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
  - C:\SysDrvWC\xbodsys.exe (depth 2)
    command line: C:\SysDrvWC\xbodsys.exe
    PID: 3564
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads