Analysis

  • max time kernel
    150s
  • max time network
    113s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system
  • submitted
    30/05/2024, 02:13

General

  • Target

    b9be8b1a51a34a3cc66d3bd0aaa7336d1303c9964150e59e75edaedf260eb996.exe

  • Size

    2.7MB

  • MD5

    9f41fe3e32fe71ff439c684260203b4e

  • SHA1

    16ffca1bfc27869f62472cfb4f5e47d9a94d8d2f

  • SHA256

    b9be8b1a51a34a3cc66d3bd0aaa7336d1303c9964150e59e75edaedf260eb996

  • SHA512

    d84b884333bf57bdf4b8c4ad4ff717b7207761f82506cedfa80da6365e24bdcf468f924986ca024f3c3595297ee86acb72b2776fae1eb14e09bdc86d226cf1b1

  • SSDEEP

    49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBc9w4Sx:+R0pI/IQlUoMPdmpSp64

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 1 IoCs)

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE (2 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Gathers network information (2 TTPs, 2 IoCs)

    Uses commandline utility to view network configuration.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoCs)
  • Suspicious use of WriteProcessMemory (24 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\b9be8b1a51a34a3cc66d3bd0aaa7336d1303c9964150e59e75edaedf260eb996.exe
    "C:\Users\Admin\AppData\Local\Temp\b9be8b1a51a34a3cc66d3bd0aaa7336d1303c9964150e59e75edaedf260eb996.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3584
    • C:\Users\Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`locaopti.exe
      C:\Users\Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`locaopti.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:920
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c ipconfig > C:\Users\Admin\ipconfig.txt
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3476
        • C:\Windows\SysWOW64\ipconfig.exe
          ipconfig
          4⤵
          • Gathers network information
          PID:3412
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c netstat -a > C:\Users\Admin\netstat.txt
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:540
        • C:\Windows\SysWOW64\NETSTAT.EXE
          netstat -a
          4⤵
          • Gathers network information
          • Suspicious use of AdjustPrivilegeToken
          PID:5080
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c dir C:\*.txt /b /s >> C:\Users\Admin\grubb.list
        3⤵
        PID:1944
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c dir C:\*.doc /b /s >> C:\Users\Admin\grubb.list
        3⤵
        PID:4324
    • C:\FilesEP\devoptisys.exe
      C:\FilesEP\devoptisys.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:1016

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\FilesEP\devoptisys.exe

        Filesize

        279KB

        MD5

        4013bc05c39f059641052b196e5540d1

        SHA1

        df976eccf3b0d3ddcb578635cf35605b6f150832

        SHA256

        ae3976f41119fbf791d3bea297caa7f1bd68bbc135f2c8a80b8b488ad3386f19

        SHA512

        201b7614694b96af26ed525587ca0baa67fe7a5256c389310c6898cf60175d420ba06bb3bcd9f2ad76b92281d104a72d422ad374d7079213eaa04870297dfdaa

      • C:\FilesEP\devoptisys.exe

        Filesize

        2.7MB

        MD5

        ddbe3b58f798d62221befea489b3c2a2

        SHA1

        7351be65b00d618060a87999fcef184926f484c2

        SHA256

        5cfbce009a00da449645b37864ba6060c76bda0414a3f924896f736b26f5e120

        SHA512

        14cd3c0a154d2e48217608f9e39e457ecd34cc55a4fb50c6134ca480fa18bad077190a7cde523c156a8dea134115a87ea7f20dde4dee353c081911f1a9c67bd3

      • C:\MintOU\boddevloc.exe

        Filesize

        1.5MB

        MD5

        67215a498bd5f2a77d7f79fe2c581dae

        SHA1

        3193c628c0aa0a6fa55d259e4fc4c56c0ec66a95

        SHA256

        f504ef313d3bd07b82b13f3746e91cda272d32401f767aacbc267b902157b454

        SHA512

        0294af170801f817926b5d73bd08e24597e27c3399eb60adbdf5034426ba2d7d60ae6b5533f2ca122637da11b1d86765f1b0d57f7110d425eb846b1b113eb82a

      • C:\MintOU\boddevloc.exe

        Filesize

        1.3MB

        MD5

        4a7b296a3da056ee3f728bd48185ddb5

        SHA1

        40e2e969e2b80248006a800fc31d6f6afd0c9466

        SHA256

        eb2841c0c7a0ca1b3d217bd11d5149bceb3bfa162c1166fb1ee48d8d6f264c8e

        SHA512

        2d0de4bfbfe6fcb224c53144582216a595b1ddbc579b412d5ef3b907864b31fa4b4eb8beb74be21596521e7b68291586c4fe7e03efc235435518428f49017980

      • C:\Users\Admin\253086396416_10.0_Admin.ini

        Filesize

        206B

        MD5

        f225d59c3939e286d888b8896e26d150

        SHA1

        d2f28fea96e64b035abd0fb5794346a31f54f745

        SHA256

        b6bf087b6ff21b939237ec2f58103fab5bf7a1a47880419e643cc126d7b80ba7

        SHA512

        7f790a4e4d15a2d8450479286dbbbfd70e5f0d4e46275cba186b5015c92b7670f1126e2f6aaafdcfefc94e98e5751408f00627302f6a30fddf9275fd543180ba

      • C:\Users\Admin\253086396416_10.0_Admin.ini

        Filesize

        206B

        MD5

        f43c5f5fd056c101ae2442c39918fb62

        SHA1

        de5b81431bcd0eec11374ed3af12dae360a4cdef

        SHA256

        36881267b7d45707facd9b954f46c1cc9373dd1d2b263f4315291d076351185c

        SHA512

        abd1e1f10ad929abfaa5f6332fd29603bdfc7c56cc785ea3ec0e16113e63d7af50acd73974431e9333c052139d7bd14492150962c86e1b28a23b2138076ed684

      • C:\Users\Admin\grubb.list

        Filesize

        39KB

        MD5

        bf2dc7fc7b6bacd0061c867d8ba643fc

        SHA1

        5b5b4fcb1555d21ae3661429c5b72fc781651a26

        SHA256

        bcdf0cffba34c802d9c229bf22c86ed6b7fc1678cf5ca5571a3f6d3da7df27cc

        SHA512

        42624f9257e3c365cabcf2b16b6497c6c74fc87ae35759c5a80b5b721aef3b21e61dd13a2d4cef3a53f989a40900e48694ee9ae118527103b74aac89d11eae36

      • C:\Users\Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`locaopti.exe

        Filesize

        2.7MB

        MD5

        196d281a4f388e92238b816556864636

        SHA1

        c57c17f454944bd62802dd19d2020e26593258cf

        SHA256

        65f8e588f178a6a1ddaf6903eeab3b81bf4b854c3aeca313142cc0ccd5d4f07b

        SHA512

        5c85c3a3ecef5d77e8f0a994265d2eae1fd656324c52b725a3ab76e438d5fc2c725e9a9255c13c3381569dd8fbe32840f7d1e028fa477de50a15309511923e53