Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system
  • submitted
    31/05/2024, 21:52

General

  • Target

    56280505356cc5afe5d70864d1b1fa9dd71873362231a03ec9478488465ea0d8.exe

  • Size

    3.6MB

  • MD5

    813969ce4839a1f38c8ab3712a7c1920

  • SHA1

    eda45ba1c18cc53d6c3dab7d3a1d05af1288726f

  • SHA256

    56280505356cc5afe5d70864d1b1fa9dd71873362231a03ec9478488465ea0d8

  • SHA512

    8157882a2d7ae3d7b7a27f96a3847f37d78d09d9c3df784d781f1065eddb9aca1a759bbb8875c196ce2b694ae4e839317e7d6571c8ff942e67ade498b5e5d1fd

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB7B/bSqz8:sxX7QnxrloE5dpUpwbVz8

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive profile data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\56280505356cc5afe5d70864d1b1fa9dd71873362231a03ec9478488465ea0d8.exe
    "C:\Users\Admin\AppData\Local\Temp\56280505356cc5afe5d70864d1b1fa9dd71873362231a03ec9478488465ea0d8.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2592
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:4604
    • C:\SysDrv3H\devdobloc.exe
      C:\SysDrv3H\devdobloc.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:3328
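
The process tree above shows the three behaviours the report flags on PID 2592 and its children: a file dropped into the per-user Startup folder, a Run key pointing at a dropped file, and two dropped executables being launched. The following is an added example for this page, not tria.ge code: detection logic for those three signatures, run over a constructed event stream shaped after the tree. The event schema, the sample's parent PID, and the Run key value name and data are assumptions (the report only states that a Run key was added, not its contents).

```python
"""Detection logic for three of the report's signatures, run over a constructed
event stream shaped after the process tree above. Added example for this page,
not tria.ge code; the event schema, the parent PID of the sample and the Run
key value are assumptions (the report shows only that a Run key was added)."""
import ntpath

STARTUP_MARKER = "\\start menu\\programs\\startup\\"
RUN_KEY_SUFFIX = "\\currentversion\\run"


def norm(path):
    """Case-fold and normalise a Windows path so different spellings compare equal."""
    return ntpath.normcase(ntpath.normpath(path))


def image_from_run_data(data):
    """Pull the executable out of Run value data such as '"C:\\x y\\a.exe" /arg' or 'C:\\a.exe /arg'."""
    data = data.strip()
    if data.startswith('"'):
        return data.split('"', 2)[1]
    return data.split(" ", 1)[0]


def detect(events):
    """Return (signature, pid, path) findings in event order.

    Drops startup file                : file_create under the per-user Startup folder
    Executes dropped EXE              : process_create whose image was file_create'd in this run
    Adds Run key to start application : reg_set on a ...\\CurrentVersion\\Run key whose data
                                        points at a file created in this run
    """
    created = {}  # normalised path -> pid that wrote it
    findings = []
    for ev in events:
        kind = ev["type"]
        if kind == "file_create":
            p = norm(ev["path"])
            created[p] = ev["pid"]
            if STARTUP_MARKER in p:
                findings.append(("Drops startup file", ev["pid"], ev["path"]))
        elif kind == "process_create":
            if norm(ev["image"]) in created:
                findings.append(("Executes dropped EXE", ev["pid"], ev["image"]))
        elif kind == "reg_set" and ev["key"].lower().endswith(RUN_KEY_SUFFIX):
            target = image_from_run_data(ev["data"])
            if norm(target) in created:
                findings.append(("Adds Run key to start application", ev["pid"], target))
    return findings


def summarize(findings):
    """Signature -> hit count, the same shape as the report's 'N IoCs' counters."""
    counts = {}
    for sig, _, _ in findings:
        counts[sig] = counts.get(sig, 0) + 1
    return counts


# Paths and PIDs below are taken from the report's process tree; everything else is constructed.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\56280505356cc5afe5d70864d1b1fa9dd71873362231a03ec9478488465ea0d8.exe"
STARTUP_EXE = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
SYSDRV_EXE = r"C:\SysDrv3H\devdobloc.exe"

EVENTS = [
    {"type": "process_create", "pid": 2592, "ppid": 1000, "image": SAMPLE},  # ppid constructed
    {"type": "file_create", "pid": 2592, "path": STARTUP_EXE},
    {"type": "file_create", "pid": 2592, "path": SYSDRV_EXE},
    {"type": "file_create", "pid": 2592, "path": r"C:\MintNV\optidevloc.exe"},
    # Run key contents are an assumption: the report says only that a Run key was added.
    {"type": "reg_set", "pid": 2592,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "devdobloc", "data": '"' + SYSDRV_EXE + '"'},
    {"type": "process_create", "pid": 4604, "ppid": 2592, "image": STARTUP_EXE},
    {"type": "process_create", "pid": 3328, "ppid": 2592, "image": SYSDRV_EXE},
]

if __name__ == "__main__":
    for sig, pid, path in detect(EVENTS):
        print(f"{sig:34} pid={pid:<5} {path}")
    print(summarize(detect(EVENTS)))
```

The "Executes dropped EXE" rule keys on the image path having been created earlier in the same run, which is what makes a plain child-process event meaningful here; on its own, a process start from a Startup folder or from an unusual root directory such as C:\SysDrv3H is only a weak signal.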

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\MintNV\optidevloc.exe

    Filesize

    1.9MB

    MD5

    c29ca554b2d51bc91a74bba218cadf6b

    SHA1

    e54997d90f515d594c3ace31712ab3912d6f886a

    SHA256

    09c4c6926a63910b01f9272e813dd0c7f9a8643d777913d519aed25c24d7f5ab

    SHA512

    02ecf26a7b46843e90ee3041df614bc4b44477d763133efce0eef13095aa9a42f3094e933f5d24d0de1d3da4f468a7006e95d20701a3c9ba09f53b3959a17c96

  • C:\MintNV\optidevloc.exe

    Filesize

    3.6MB

    MD5

    969dc01a7855e3a1d0748405c296feda

    SHA1

    b442e921f2206601b7f367d485cfc628bf2953d3

    SHA256

    27967059336a743d8b5a7b9791e0fa9ce42a9bf8928f73c24fd2db06c1f2b276

    SHA512

    290dd39a0d1fd51b918eff4e12de3b33f2718eca6e9bb4d3bd30ac3cec56672d0a8b46315225f8b187ecaeffad879885e94f4406e0d393fcbd9de855ef05c520

  • C:\SysDrv3H\devdobloc.exe

    Filesize

    3.6MB

    MD5

    bc0aca75449a1816ed7a804094e9c458

    SHA1

    67ec06d37c518056cf5dc9adb89ffea9a14362ca

    SHA256

    9dd0d8be1bb25437c30f5a063124b6b51792e22288bc509e56fe4b6418d952e5

    SHA512

    54e871df2bdcb07b4ee8d376aa995b9f33bb464c9cca80b73d6ce401c2f6118fc78d1cd32ad36bd045d4fafb9949e38669ac513f8f69e12781d4437d13c1bbe2

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    208B

    MD5

    29068548de3b60bfa54f1cc088304651

    SHA1

    0383147cfc14fe7f1b96ac330c9dc63043efd3a2

    SHA256

    c97ecf292abd5775e479a9aa02fcca427e959d3a97eecf7cb55d5abee6f9109d

    SHA512

    bdb5fe77c85ba27a6ffa019282ea102117bc12004e7d5e591b3eaf77358daef8a778bc09fd06f636fef4c1eb796cb0d27620d23791e6b328c9d9a37f33ca54bf

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    176B

    MD5

    0c1753966093fd04c3a3c8196f2510be

    SHA1

    21aa37dcfbd1b8da3fd707b0d78b21e5b6feaf6a

    SHA256

    59d7cfeb080e642f8e371e970d5fae798a5ae04717ec566fb42addb2379d2c58

    SHA512

    a140775515ca960da3a772c78e2dd113e3ea5c077114088c897b60aa2169bafa3c6edf2090c74a6338b318498486908b7fa57de71bd46271c3b66cd3e4da14f7

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe

    Filesize

    3.6MB

    MD5

    53825dd0b3fde04873a3c5f54a85bc8e

    SHA1

    ed3ce6d7228718496865dcb524b5c320b429675f

    SHA256

    6c5da1d9b293e9d9aed4931b987c01882a7cfe8695da5d1c69749d03f14fafe4

    SHA512

    d4374daab164967805afad61eb8cc898408fa665067da09730e752a2c04088df5c999da492da3efc132ac0dd5798a2956c9ce92183210271a0747789cc136c79
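
Two entries in the list above share a path but not a hash (C:\MintNV\optidevloc.exe at 1.9MB and 3.6MB, and the .ini at 208B and 176B): the sample rewrote those files during the run, so a host check has to be keyed per hash rather than per path, and a known path with an unexpected hash is still worth reporting. The following is an added example for this page, not tria.ge code: it hashes the dropped-file paths on a host and compares them with the report's SHA256 values. The mapping of the sandbox's C:\Users\Admin profile onto the current user's profile is an assumption, and the file written by `demo()` is constructed stand-in content, not the real sample.

```python
"""Host check for the files the report lists under Downloads.
Added example for this page, not tria.ge code. Paths and hashes are copied
from the report; the demo file contents are constructed."""
import hashlib
import ntpath
import os
import tempfile

# (path written by the sample, SHA256) taken from the report. The same path
# appears twice where the sample rewrote the file, so the index is keyed per
# hash rather than per path.
REPORT_IOCS = [
    (r"C:\MintNV\optidevloc.exe",
     "09c4c6926a63910b01f9272e813dd0c7f9a8643d777913d519aed25c24d7f5ab"),
    (r"C:\MintNV\optidevloc.exe",
     "27967059336a743d8b5a7b9791e0fa9ce42a9bf8928f73c24fd2db06c1f2b276"),
    (r"C:\SysDrv3H\devdobloc.exe",
     "9dd0d8be1bb25437c30f5a063124b6b51792e22288bc509e56fe4b6418d952e5"),
    (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe",
     "6c5da1d9b293e9d9aed4931b987c01882a7cfe8695da5d1c69749d03f14fafe4"),
]


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 rather than reading it whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_index(iocs):
    """Lower-cased Windows path -> set of known SHA256 values for that path."""
    index = {}
    for path, digest in iocs:
        index.setdefault(ntpath.normcase(path), set()).add(digest.lower())
    return index


def classify(ioc_path, digest, index):
    """digest is the observed SHA256, or None when the file is absent."""
    if digest is None:
        return "absent"
    known = index.get(ntpath.normcase(ioc_path), set())
    return "match" if digest.lower() in known else "hash_mismatch"


def localize(ioc_path):
    """Map the sandbox's C:\\Users\\Admin profile onto the current user's profile.
    Assumption: only the profile root differs between sandbox and host."""
    profile = os.environ.get("USERPROFILE", r"C:\Users\Admin")
    return ioc_path.replace(r"C:\Users\Admin", profile)


def scan(targets, iocs=REPORT_IOCS):
    """targets: iterable of (ioc_path, local_path). Returns {ioc_path: (verdict, digest)}.
    A present file with a different hash is reported as hash_mismatch, not ignored."""
    index = build_index(iocs)
    results = {}
    for ioc_path, local_path in targets:
        digest = sha256_file(local_path) if os.path.isfile(local_path) else None
        results[ioc_path] = (classify(ioc_path, digest, index), digest)
    return results


def demo():
    """Offline run: one constructed stand-in for devdobloc.exe in a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        fake = os.path.join(tmp, "devdobloc.exe")
        with open(fake, "wb") as f:
            f.write(b"MZ" + b"\x00" * 62)  # constructed bytes, not the real sample
        targets = [(p, fake if p.endswith("devdobloc.exe") else os.path.join(tmp, "missing"))
                   for p, _ in REPORT_IOCS]
        return {p: verdict for p, (verdict, _) in scan(targets).items()}


if __name__ == "__main__":
    for path, (verdict, digest) in scan((p, localize(p)) for p, _ in REPORT_IOCS).items():
        print(f"{verdict:14} {digest or '-':64} {path}")
```

Run as a script on a Windows host it checks the report's paths under the current profile; `demo()` exercises the same code offline and shows the hash_mismatch case, which is the one an analyst should expect when a rebuilt variant lands at the same path.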