Analysis

  • max time kernel
    150s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02/06/2024, 19:18

General

  • Target

    16692ca9f6eb1961288deebe491ef894e07af904a5149072be4573e8eba59bfd.exe

  • Size

    3.0MB

  • MD5

    7ac408baa8038cfc6a553f93a168b35a

  • SHA1

    387099e5299f285ad0ece8ed2d67aa4fab0ac31d

  • SHA256

    16692ca9f6eb1961288deebe491ef894e07af904a5149072be4573e8eba59bfd

  • SHA512

    c5724a3dce76482fa15a44e8854c40b211ee05c0ae18b3f3ea2282f8fd75a8aeb23c36abf7046e98f4ed6ed0aca18f8060bfb589787a097b5b203f54c2548d80

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBsB/bSqz8b6LNX:sxX7QnxrloE5dpUpTbVz8eLF

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and session cookies.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\16692ca9f6eb1961288deebe491ef894e07af904a5149072be4573e8eba59bfd.exe
    "C:\Users\Admin\AppData\Local\Temp\16692ca9f6eb1961288deebe491ef894e07af904a5149072be4573e8eba59bfd.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2320
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:4596
    • C:\SysDrvPC\xbodloc.exe
      C:\SysDrvPC\xbodloc.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:1952

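The process tree above gives three concrete host artifacts: a copy in the user's Startup folder (locadob.exe), a copy in C:\SysDrvPC (xbodloc.exe), and, from the Downloads list, a further copy in C:\LabZDD (dobdevec.exe). Note that all three dropped executables are 3.0MB like the original but each carries a different hash, so a sweep keyed on hash alone will miss sibling copies. The following sweep script is an added example written for this report, not a tria.ge tool or part of the sample; it matches on the reported SHA256 values and, as a weaker second signal, on the reported file and directory names. The `demo()` function builds a constructed directory tree with stand-in files (not the real sample) so the script can be exercised offline.

```python
"""Sweep a directory tree for the dropped files listed in this sandbox report.

Added example for this page; not part of the original report or sample.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

# SHA256 values of the dropped files, copied from the report's Downloads section.
REPORT_SHA256 = {
    "c5125a055cda0b02cd2f07c58c6225f44ddf625ef7b4b5d53f624a82b714c7df": r"C:\LabZDD\dobdevec.exe",
    "b7e476f78135867a2b4da94ab5c9c8aa6aa60785e5460962f0160ebc860ba64a": r"C:\SysDrvPC\xbodloc.exe",
    "d92dcd9ba3c8b9f5d2e8537f28043d53f73b8f67c00ca988e819e0b14694e881": r"Startup\locadob.exe",
}

# Names from the report, used as a weaker signal: every dropped copy on the page
# has a different hash, so hash matching alone misses sibling copies.
REPORT_NAMES = {"dobdevec.exe", "xbodloc.exe", "locadob.exe"}
REPORT_DIRS = {"SysDrvPC", "LabZDD"}


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, extra_sha256=None):
    """Walk root and return a list of (path, reason) for every match.

    extra_sha256 lets a caller add hashes captured elsewhere (e.g. from a
    different sandbox run of the same family) to the report's own set.
    """
    wanted = dict(REPORT_SHA256)
    if extra_sha256:
        wanted.update(extra_sha256)
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if Path(dirpath).name in REPORT_DIRS:
            hits.append((dirpath, "directory name from report"))
        for name in filenames:
            path = os.path.join(dirpath, name)
            reasons = []
            if name.lower() in REPORT_NAMES:
                reasons.append("file name from report")
            try:
                digest = sha256_file(path)
            except OSError:
                continue  # unreadable or vanished file; skip rather than abort the sweep
            if digest in wanted:
                reasons.append(f"sha256 matches report entry {wanted[digest]}")
            if reasons:
                hits.append((path, "; ".join(reasons)))
    return hits


def demo():
    """Build a constructed tree (stand-in files, not the real sample) and sweep it."""
    root = tempfile.mkdtemp(prefix="sweep_demo_")
    try:
        os.makedirs(os.path.join(root, "SysDrvPC"))
        os.makedirs(os.path.join(root, "Documents"))
        payload = b"constructed stand-in for a dropped executable"
        with open(os.path.join(root, "SysDrvPC", "xbodloc.exe"), "wb") as f:
            f.write(payload)
        with open(os.path.join(root, "Documents", "notes.txt"), "wb") as f:
            f.write(b"benign file, should not match")
        # Same bytes under an unrelated name: only the hash signal catches it.
        with open(os.path.join(root, "Documents", "renamed.bin"), "wb") as f:
            f.write(payload)
        # Pretend the payload hash was captured from another run of the sample.
        extra = {hashlib.sha256(payload).hexdigest(): "constructed sample"}
        return sorted(reason for _path, reason in sweep(root, extra))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for reason in demo():
        print(reason)
```

Run it against a mounted or live volume with `sweep(r"C:\")` on the host under investigation; the Startup folder path and the Run key the report flags are the two persistence locations to check first, and a name or directory hit there without a hash match is exactly the re-packed sibling copy the report's differing hashes predict.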
Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\LabZDD\dobdevec.exe

    Filesize

    3.0MB

    MD5

    917506bbc83d4e952fdb5445644b1f72

    SHA1

    789e00616c1928b303baa5b544002f791627b9b2

    SHA256

    c5125a055cda0b02cd2f07c58c6225f44ddf625ef7b4b5d53f624a82b714c7df

    SHA512

    10a79afd0ccb22abbdfc1654f2b94ded73bc8a826d6838305cd0d79162a30f8c7d3738f6a4c20196c4f1322b747012bdd629b808c89fdb5b29e3d7248c9b5b27

  • C:\SysDrvPC\xbodloc.exe

    Filesize

    3.0MB

    MD5

    7112b07c7fb918981734cd8daa650299

    SHA1

    3ff8fa8ec3fad4f900decf405c1478d58e238ae9

    SHA256

    b7e476f78135867a2b4da94ab5c9c8aa6aa60785e5460962f0160ebc860ba64a

    SHA512

    cf7326b684e84779ca4968d74f0a1601159b6de6eca47f0ce1bdc6796ce37ba7f64424ebe3270c4fb56c4c1a1c3f95493931113e9ac065c1b266ac76c4a5a95f

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    202B

    MD5

    b8c14a5de3af68d933947e498827a3d7

    SHA1

    a1275df5bdac01f89696a2b35c8e507312655d23

    SHA256

    1edb1acb583d9e959083a6d55ee72fe2502c37b57bc228ff887097ef88848b5c

    SHA512

    9cd32d14e4b2506c6cd0565041f0200fc03468868603c39b493b208671e48640a53e8b7767be45c226f2e82513619be3a850f7328b9427c3e28b6b2d7e8f8152

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    170B

    MD5

    1db5d494f7655a8e50e1a5ddcc51ae8e

    SHA1

    c4bcaa8c50503b57bac271c51153e3554dba4bdf

    SHA256

    3eaaf656e7a5481f915d6d5fb5036459d773b014ca6837893583a24c631e7f1c

    SHA512

    48882aded34aca0742298b071962d0064cdefeea7eab91786cdd02444648f9fbbf2a6bcd8296bf37a1ccf560c03b144bae733c4e70e9ce95a17f8cafc23b95e2

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe

    Filesize

    3.0MB

    MD5

    b12cd42f3d561af651dd13734079e811

    SHA1

    f1a80aa74ff6d384e6545e29a201770138824188

    SHA256

    d92dcd9ba3c8b9f5d2e8537f28043d53f73b8f67c00ca988e819e0b14694e881

    SHA512

    331a5dfce6a3fe89688464a1ec7474364e464bdbbd5e86f76a930ca11d2e99a76b2146f99a0360903c5bd1592856ae8dafd616178e22761a00fbd2a5966ea26d