Analysis

  • max time kernel
    149s
  • max time network
    103s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/06/2024, 02:14

General

  • Target
    ac4b66f11a345266b4bdf91c6357a821b30cdf7e545c917feef76acef3c2c50f.exe
  • Size
    4.0MB
  • MD5
    9bc09572edf757e9a3184fbb78436b96
  • SHA1
    8b088a7f3c01a82827765cfaa0e8f486a809ad1e
  • SHA256
    ac4b66f11a345266b4bdf91c6357a821b30cdf7e545c917feef76acef3c2c50f
  • SHA512
    ad6c60e988ce92ff8661ad90f77d1b1ebd2543f15d9f7df463de608916e21ea3bd32794a751b1faedbd7d77299485afd039998ac3250a55a0feb66f38cbfe470
  • SSDEEP
    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBUB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUp3bVz8eLFcz

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ac4b66f11a345266b4bdf91c6357a821b30cdf7e545c917feef76acef3c2c50f.exe
    "C:\Users\Admin\AppData\Local\Temp\ac4b66f11a345266b4bdf91c6357a821b30cdf7e545c917feef76acef3c2c50f.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:5036
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:392
    • C:\AdobeGT\devoptiloc.exe
      C:\AdobeGT\devoptiloc.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:3668

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\AdobeGT\devoptiloc.exe
    Filesize: 4.0MB
    MD5: 96f03c2ad236827c6cfe8e11baeb94e7
    SHA1: 55ef97b435faa51dfc40463a8eab0b3f2e5ac6ae
    SHA256: c9c770a78734e63038abcf1a4b1f6e9faa7cc0e40dc7ca6955b7c4e208440a36
    SHA512: a5482bf84a6277a6e427219af419c492de5de662d22600cab31a6d4d62254cf3c65e5777732b5a4a2c794f68e0400209d83e9a6d2a874511b347fbb66e2af3ff
  • C:\LabZXW\dobaec.exe
    Filesize: 29KB
    MD5: aedec4c6b0e5bfb94bce1bb80817c9ca
    SHA1: d8888798c78356a9f59d73c5b7227eac8a3d3ff1
    SHA256: ba0e29f0dfc36a71ea3c2a65261c8cfd2ec2da59ed3290df3be385d38f53f535
    SHA512: 2e25b0f7a806f50159117897913f424cd75f62e46f214aecafd047faa007c7aab75a96f05f6d27efda1a4a5d84e18c35a5f8dbb4892c3345823d5344680f505d
  • C:\LabZXW\dobaec.exe
    Filesize: 4.0MB
    MD5: 1ee5a067c2f759aa71d700305d8700ee
    SHA1: 10b525492964bc785b11395a8a3b636d3ae78889
    SHA256: 15d898f187a889e72b342a9986e524a91ad607b7cafcf321540b6c7d89d14f8c
    SHA512: 21dc90887ec0af7af0296399dbeb6232fda73adef9cfa63e76f8919e1a1485370ebe2705101fb9066a632ed911c45f318cf0a4f47243b34272f90a28f37a3962
  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 203B
    MD5: 597b9446bfc7ec40bc9c604ebd714c80
    SHA1: d6cc0ff5b37cbb4cc156f162239dc01a89dbe142
    SHA256: a60517d3fb6c2ae314976db43a7155b36e092f19b4b3a8139befeaa8df9c8b60
    SHA512: d50eb735d8e9211384f97d64320fe8c88c75217a3640182371717715e496a70f134d67e70e0ac6bc4236a7d6bdb2e035d93a4b3437d3f892dd1c7249eec17dbe
  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 171B
    MD5: 0b72106db47ed82ebda71f4c55625c76
    SHA1: 90b8f28ace0bf8ace736e2b1a51e953ba863754b
    SHA256: bf2042f9a1fb3d0550afe8e16f586325aadada496eebfdb3ada5c2628a96b92a
    SHA512: b1ad0218ac4ee007f8edcb67c2f5ff8d7bd51e3887677d1cca48bdc3e3671045a8c317819e72965eb97a798324bd4e1e9513859644be043e47b7fda680d25ae6
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
    Filesize: 4.0MB
    MD5: ad804d7e1c4c9696688696156d78749c
    SHA1: 3ea040f5744a2ac1385938c38b81557c46fad153
    SHA256: 9596c24915652d6c7d51af8c6d67c04ab9932304ce7609878e1f2cdcbd605a93
    SHA512: 94aa2507ff77ef7ae51695184b899ed9cf0a163a43c877f2f2c448fee77f67a6b2fe55b3ad759d1a66f21cfd06aa18bdd5dfb95aaf57ddc8e1488af8a504bc74