Analysis
max time kernel: 150s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/06/2024, 19:10
Static task: static1
Behavioral task: behavioral1
  Sample: 1145114b78b49fa074d1c593ea16c7c049fa005a9fa9bfe15c29bc35b758a747.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 1145114b78b49fa074d1c593ea16c7c049fa005a9fa9bfe15c29bc35b758a747.exe
  Resource: win10v2004-20240508-en
General
Target: 1145114b78b49fa074d1c593ea16c7c049fa005a9fa9bfe15c29bc35b758a747.exe
Size: 2.6MB
MD5: 0f313eb860c87f6747ffb89aaef74c64
SHA1: 4aee1be53cf5853337445a419d65b13621bf25a1
SHA256: 1145114b78b49fa074d1c593ea16c7c049fa005a9fa9bfe15c29bc35b758a747
SHA512: b35da1b690d99b4ae944a024b7755039dfef3ecff2c60bd594cb1dab06e58fd34105e8795318069ebd0f36b72ae51ed1d95a7da881f5ac0169306ab32359c673
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBnB/bS:sxX7QnxrloE5dpUpYb
Malware Config
Signatures
Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
  Process: 1145114b78b49fa074d1c593ea16c7c049fa005a9fa9bfe15c29bc35b758a747.exe
Executes dropped EXE (2 IoCs)
  PID 1184  ecdevdob.exe
  PID 3688  xbodec.exe
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeW8\\xbodec.exe"
    Process: 1145114b78b49fa074d1c593ea16c7c049fa005a9fa9bfe15c29bc35b758a747.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidHM\\dobdevec.exe"
    Process: 1145114b78b49fa074d1c593ea16c7c049fa005a9fa9bfe15c29bc35b758a747.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs; distinct processes)
  PID 1844  1145114b78b49fa074d1c593ea16c7c049fa005a9fa9bfe15c29bc35b758a747.exe
  PID 1184  ecdevdob.exe
  PID 3688  xbodec.exe
Suspicious use of WriteProcessMemory (6 IoCs)
  PID 1844 wrote to memory of 1184  pid: 1844  Process: 1145114b78b49fa074d1c593ea16c7c049fa005a9fa9bfe15c29bc35b758a747.exe  procid_target: 86
  PID 1844 wrote to memory of 1184  pid: 1844  Process: 1145114b78b49fa074d1c593ea16c7c049fa005a9fa9bfe15c29bc35b758a747.exe  procid_target: 86
  PID 1844 wrote to memory of 1184  pid: 1844  Process: 1145114b78b49fa074d1c593ea16c7c049fa005a9fa9bfe15c29bc35b758a747.exe  procid_target: 86
  PID 1844 wrote to memory of 3688  pid: 1844  Process: 1145114b78b49fa074d1c593ea16c7c049fa005a9fa9bfe15c29bc35b758a747.exe  procid_target: 89
  PID 1844 wrote to memory of 3688  pid: 1844  Process: 1145114b78b49fa074d1c593ea16c7c049fa005a9fa9bfe15c29bc35b758a747.exe  procid_target: 89
  PID 1844 wrote to memory of 3688  pid: 1844  Process: 1145114b78b49fa074d1c593ea16c7c049fa005a9fa9bfe15c29bc35b758a747.exe  procid_target: 89
Processes
C:\Users\Admin\AppData\Local\Temp\1145114b78b49fa074d1c593ea16c7c049fa005a9fa9bfe15c29bc35b758a747.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1145114b78b49fa074d1c593ea16c7c049fa005a9fa9bfe15c29bc35b758a747.exe"
  PID: 1844
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Child: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
    PID: 1184
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
  Child: C:\AdobeW8\xbodec.exe
    Command line: C:\AdobeW8\xbodec.exe
    PID: 3688
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2.6MB
  MD5: d8728d6f8e024ab728cd38808ee24058
  SHA1: 48cda8ea46be5748d409a8e305d45d9ecc37ad61
  SHA256: 9b73b7b1997081dd2afc2e252c4c9dbc060e3c4e2218e3fe6829276e9e2d1b83
  SHA512: 10ce44785e8a0328f16eadad8ac70f88aff80264eadc559b99951781c4e3bfe591ed02d0bcbe95e8fed878983217c5d6a7c29be71ef89abf155d6c31e805ddc1
Filesize: 200B
  MD5: 0740b0c2b0c3d9f98231e949b28efd5c
  SHA1: 8d746827579afb6d7ddd5e78700b8c089bb97770
  SHA256: 2d18b32719e2a871e5baff85312cdd7fb063c07a72caa919b95ba65786b6e2bf
  SHA512: f7b5dce437d1f5beae5540c94b31ff1c911c2f1b86f45bf4042b3587e946fbd3a87a76c597fed9a60d450ef58139bf6ddda2b35a1b8d1d0665177c4592a7a42c
Filesize: 168B
  MD5: f8258b0e80b8d34b649b09e5cff172b0
  SHA1: 1807ba777903176b2d6565d10318cab25ac826e7
  SHA256: ca5fa9c9c6e732246d7315806356fe0e9e5303e4ea5aece6c1a2e257b7ee2816
  SHA512: bc3345e723c6c96e79211809fff9bf9fc2e96f4ce8912cf17d83730c9f74e4e364973c4e2391faaf83d9cb9cc4142a130d24080c4971eb181ac71a92ffc503f6
Filesize: 2.6MB
  MD5: 2c9eb9f0a3aaf2b1e16edee8dddbe0f2
  SHA1: c5d011b37d21778734250cafa5aa757905405bfb
  SHA256: 2a7deaab9f7b087de710a6f3721ed57b9f37ca052eacc689f88c5a035410d8bd
  SHA512: 2a36a8b9391a51095b74778d56d82f08cee5870d61e4b4020c5a971c7ce01d7063eaf43f8e1eb881d6174d8d6144785a4876223576546b2293d0e3f9febba95f
Filesize: 2.6MB
  MD5: ce6443f85384e44847c7e3d326ebb3f3
  SHA1: bd56fc05a96f74cb0236da934549e8201d480d88
  SHA256: c93d329d4221672ed4934b99db4ce32c6373b7e85f181b979dcdf473bfedd850
  SHA512: 9964a59868b5f7e12c465cfe2066762f548503ba52c4350d29c210d1f078b75f8701b4a912b57fc2fce089a5b326d074149004f5db903cafa19c5de11e6764cc
Filesize: 973KB
  MD5: 9f31003fddf65b850968ac1e9e8f5bc8
  SHA1: a00af3854436c93cdc028a26e355356c847ef063
  SHA256: 136058570e51a87551dc67d0bc155c814f5b5d026cfaa1600114af1fb897690b
  SHA512: 6d82bd39da8c77a6ccb6bc5ebf218d4e6a76eece97a21503c3d705af8501c1b8a23ab0e2b366a4992d555d7d736645fbcd8f1d031300308ba352fc606acb2829