Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240704-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05/07/2024, 19:05
Static task: static1
Behavioral task: behavioral1
- Sample: 1521373e2c5248006f64369d85fa7648e6a8f433bad55930e1df661e83dc851b.exe
- Resource: win7-20240705-en
Behavioral task: behavioral2
- Sample: 1521373e2c5248006f64369d85fa7648e6a8f433bad55930e1df661e83dc851b.exe
- Resource: win10v2004-20240704-en
General
- Target: 1521373e2c5248006f64369d85fa7648e6a8f433bad55930e1df661e83dc851b.exe
- Size: 3.1MB
- MD5: 2ea85fda33ced70d1361dd6792a59921
- SHA1: 609d5b0d856588030255b546004e83f0814364a4
- SHA256: 1521373e2c5248006f64369d85fa7648e6a8f433bad55930e1df661e83dc851b
- SHA512: b668536d040d8ff17ea9b1e16d81cd93b6c23aada09d3399d0f6bfe2588e459972985361d117314b70671315c7996ac06d3c45d5e958a5186dff4b0bdf8e4645
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBYB/bSqz8:sxX7QnxrloE5dpUp/bVz8
Malware Config
Signatures
- Drops startup file (1 IoC)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | 1521373e2c5248006f64369d85fa7648e6a8f433bad55930e1df661e83dc851b.exe
- Executes dropped EXE (2 IoCs)
  pid | Process
  1624 | ecdevdob.exe
  4852 | abodloc.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvGV\\abodloc.exe" | 1521373e2c5248006f64369d85fa7648e6a8f433bad55930e1df661e83dc851b.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxJA\\optialoc.exe" | 1521373e2c5248006f64369d85fa7648e6a8f433bad55930e1df661e83dc851b.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  2460 | 1521373e2c5248006f64369d85fa7648e6a8f433bad55930e1df661e83dc851b.exe
  2460 | 1521373e2c5248006f64369d85fa7648e6a8f433bad55930e1df661e83dc851b.exe
  2460 | 1521373e2c5248006f64369d85fa7648e6a8f433bad55930e1df661e83dc851b.exe
  2460 | 1521373e2c5248006f64369d85fa7648e6a8f433bad55930e1df661e83dc851b.exe
  1624 | ecdevdob.exe
  1624 | ecdevdob.exe
  4852 | abodloc.exe
  4852 | abodloc.exe
  1624 | ecdevdob.exe
  1624 | ecdevdob.exe
  4852 | abodloc.exe
  4852 | abodloc.exe
  1624 | ecdevdob.exe
  1624 | ecdevdob.exe
  4852 | abodloc.exe
  4852 | abodloc.exe
  1624 | ecdevdob.exe
  1624 | ecdevdob.exe
  4852 | abodloc.exe
  4852 | abodloc.exe
  1624 | ecdevdob.exe
  1624 | ecdevdob.exe
  4852 | abodloc.exe
  4852 | abodloc.exe
  1624 | ecdevdob.exe
  1624 | ecdevdob.exe
  4852 | abodloc.exe
  4852 | abodloc.exe
  1624 | ecdevdob.exe
  1624 | ecdevdob.exe
  4852 | abodloc.exe
  4852 | abodloc.exe
  1624 | ecdevdob.exe
  1624 | ecdevdob.exe
  4852 | abodloc.exe
  4852 | abodloc.exe
  1624 | ecdevdob.exe
  1624 | ecdevdob.exe
  4852 | abodloc.exe
  4852 | abodloc.exe
  1624 | ecdevdob.exe
  1624 | ecdevdob.exe
  4852 | abodloc.exe
  4852 | abodloc.exe
  1624 | ecdevdob.exe
  1624 | ecdevdob.exe
  4852 | abodloc.exe
  4852 | abodloc.exe
  1624 | ecdevdob.exe
  1624 | ecdevdob.exe
  4852 | abodloc.exe
  4852 | abodloc.exe
  1624 | ecdevdob.exe
  1624 | ecdevdob.exe
  4852 | abodloc.exe
  4852 | abodloc.exe
  1624 | ecdevdob.exe
  1624 | ecdevdob.exe
  4852 | abodloc.exe
  4852 | abodloc.exe
  1624 | ecdevdob.exe
  1624 | ecdevdob.exe
  4852 | abodloc.exe
  4852 | abodloc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 2460 wrote to memory of 1624 | 2460 | 1521373e2c5248006f64369d85fa7648e6a8f433bad55930e1df661e83dc851b.exe | 85
  PID 2460 wrote to memory of 1624 | 2460 | 1521373e2c5248006f64369d85fa7648e6a8f433bad55930e1df661e83dc851b.exe | 85
  PID 2460 wrote to memory of 1624 | 2460 | 1521373e2c5248006f64369d85fa7648e6a8f433bad55930e1df661e83dc851b.exe | 85
  PID 2460 wrote to memory of 4852 | 2460 | 1521373e2c5248006f64369d85fa7648e6a8f433bad55930e1df661e83dc851b.exe | 86
  PID 2460 wrote to memory of 4852 | 2460 | 1521373e2c5248006f64369d85fa7648e6a8f433bad55930e1df661e83dc851b.exe | 86
  PID 2460 wrote to memory of 4852 | 2460 | 1521373e2c5248006f64369d85fa7648e6a8f433bad55930e1df661e83dc851b.exe | 86
Processes
- C:\Users\Admin\AppData\Local\Temp\1521373e2c5248006f64369d85fa7648e6a8f433bad55930e1df661e83dc851b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1521373e2c5248006f64369d85fa7648e6a8f433bad55930e1df661e83dc851b.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2460
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID: 1624
  - C:\SysDrvGV\abodloc.exe
    Command line: C:\SysDrvGV\abodloc.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID: 4852
Network
MITRE ATT&CK Enterprise v15
Downloads