Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/05/2024, 21:00

General

  • Target

    43106d0e8bcc809ca1846b8f8f337c9115a9ee1fb37b30fc0bba4074cca79b8a.exe

  • Size

    3.0MB

  • MD5

    44baab70116f04bf66825695716ac7d7

  • SHA1

    e82790893da33573ed32d0ed8fbd1d3565fc0ea8

  • SHA256

    43106d0e8bcc809ca1846b8f8f337c9115a9ee1fb37b30fc0bba4074cca79b8a

  • SHA512

    1175955d67bcda448a1890c09e2e99aeaba2864b3ee63c449a0039837f519b13b49a6bdaeb89e0f95ae8f676da6c092a83b3e2f22d229b53acd8ace61734d0a6

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBeB/bSqz8b6LNX:sxX7QnxrloE5dpUpVbVz8eLF

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\43106d0e8bcc809ca1846b8f8f337c9115a9ee1fb37b30fc0bba4074cca79b8a.exe
    "C:\Users\Admin\AppData\Local\Temp\43106d0e8bcc809ca1846b8f8f337c9115a9ee1fb37b30fc0bba4074cca79b8a.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1916
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:1212
    • C:\SysDrvWC\xbodsys.exe
      C:\SysDrvWC\xbodsys.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:3564

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\MintIR\dobdevsys.exe

    Filesize

    3.0MB

    MD5

    5e0dbe94a2ebfc1a95bce12df14fabed

    SHA1

    800395ebb9e73cfea2f1e1912c1e4c6cb34ae94b

    SHA256

    8585e5e8778e63b49918fb0235fbf481ac3c08d004a8e58ca99dd5ede983c140

    SHA512

    a89bc8e9f9a29ed7e54114140c4dec3b46b23b5970d79387e49919e0b8347a969a2615de02160c150111ad10f1f94052b44cde1fbd0f1e7e29e0609745fa091e

  • C:\MintIR\dobdevsys.exe

    Filesize

    3.0MB

    MD5

    c26575451b100209cdff35ec3db35e0e

    SHA1

    d574fef3642e81bf1d682019fa7bedd7962aae3d

    SHA256

    438cb00e2a6ff76255ad8ca242538ec9f854e3b82dde63ac6c218d6d958e8143

    SHA512

    655761733fe647445fb04b70a43e7114b3b5097cf9433e5c7a7cfd10b6734c79a1ee2d239a7ae9d49a313b62db7a1a213f8efd9c2487e3c3bb0b5553c72672c0

  • C:\SysDrvWC\xbodsys.exe

    Filesize

    3.0MB

    MD5

    4ee45c90879c279aa87428ad662872f1

    SHA1

    afde3912a2d3b64b2851b9ead47c1f0649fe7be1

    SHA256

    cee77f50e1b83473e53193b92f90e8a3eea806610797dd3e80b1f2fe4294821c

    SHA512

    b725e13aada5410b2440dbcc6085a1d0a391a138d0584a2d3286dfd5918badcc833674bcf4481eda88d7c2ceaa1320c9df01bcb51e021d88228044320759af66

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    203B

    MD5

    8dc96933deeb846998c2e07e7f66d1b4

    SHA1

    19094f3b574cb0cd88c45206026d44f3601bb991

    SHA256

    882ce1977eb57f614321681373500b2dd7d2aca7501bbc976930af9a4af6dad3

    SHA512

    106a5bba8bea7accfebb86009ee1bd0435318b239bf53d26fdf99c0ddd3e5962387585d89618705577f171c4a6554e0fa8b5e967d50122f972ba710e64a42314

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    171B

    MD5

    fb4ab4775bc82aca301c01f2d4420ee9

    SHA1

    7aa7e19b4794dcebcf38493241b4f0047473f24e

    SHA256

    b08775cd8b9dda2acb4c66cfaad504f8edf5f040716364969bb683971b7dfbe3

    SHA512

    aa5f8f8e8c5b2fffacebf49c4efa105bc6443db992088775b74434414ddd69ea44656ef842fab92bca4e7cb07982e65efeb34463584e4e260bc55e3dc5325183

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe

    Filesize

    3.0MB

    MD5

    d36b14ac7407435b18954f4d257f80f2

    SHA1

    f6f4efd73eb9c5b67bfa967e29127afb52385763

    SHA256

    2731f9ce08b1595c96c3c848f9956254fd5c2a10262d0fc4b65990bef333a634

    SHA512

    22012497a9ca639ddc2f8a5fff332e099fabbd6de9837bda0b710cdab720006074ba0bbea4700212c01738bdb98ca2ddfd5fb20a11209d7e652d50cf51a7278c