Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240704-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05/07/2024, 19:05

General

  • Target: 1521373e2c5248006f64369d85fa7648e6a8f433bad55930e1df661e83dc851b.exe
  • Size: 3.1MB
  • MD5: 2ea85fda33ced70d1361dd6792a59921
  • SHA1: 609d5b0d856588030255b546004e83f0814364a4
  • SHA256: 1521373e2c5248006f64369d85fa7648e6a8f433bad55930e1df661e83dc851b
  • SHA512: b668536d040d8ff17ea9b1e16d81cd93b6c23aada09d3399d0f6bfe2588e459972985361d117314b70671315c7996ac06d3c45d5e958a5186dff4b0bdf8e4645
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBYB/bSqz8:sxX7QnxrloE5dpUp/bVz8

Malware Config

Signatures

  • Drops startup file (1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)
    Infostealers often target stored browser data, which can include saved credentials etc.
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\1521373e2c5248006f64369d85fa7648e6a8f433bad55930e1df661e83dc851b.exe
    "C:\Users\Admin\AppData\Local\Temp\1521373e2c5248006f64369d85fa7648e6a8f433bad55930e1df661e83dc851b.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2460
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:1624
    • C:\SysDrvGV\abodloc.exe
      C:\SysDrvGV\abodloc.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:4852

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\GalaxJA\optialoc.exe
    Filesize: 1.4MB
    MD5: a53b80fec6857cacfe2b783197e3646e
    SHA1: ac1809fb98810f6e93073715fc4e740176400098
    SHA256: 3b0de3b4625c2a95e97bec50c4163ec68d2f03a09bb3f7d6740c143e2067afc5
    SHA512: 711c8de7624e1bf69439abb51fc002cc458e7f3b229f7ad1918c9e03459c2d70a9be5b39cb4a5aed037e524bf53869bb0f45d56ddf8227dd592d597a11b5e63f

  • C:\GalaxJA\optialoc.exe
    Filesize: 856KB
    MD5: 15197d13f492d8b3fb03c9135799db28
    SHA1: 1061eded8781a55acffb6a20771c8aab2c5e5e8a
    SHA256: fe97cbf95344dd4e1497abdaf17740d60676d12eb2117c184a636b8ed9b3ca9d
    SHA512: 24ae5d79184ab16713853868688b6f3f19639ced22c1c340c4343a1e11d5a4eb4d671a9ded5f9cd057965828c402025102277e07864be689fa928b064df78257

  • C:\SysDrvGV\abodloc.exe
    Filesize: 1.4MB
    MD5: 6c2387b9059399872231953a12d92032
    SHA1: c898817bc6479c10828f7c83215d1c026311afb5
    SHA256: 930cc7def7c5acef55f98ddfc11c4764f69d82908ef5be0fad081df9aacc0dff
    SHA512: 42a4601b51deaafea57e806baa8472f3c903445ad82691ad1fefe4ec7624fe768a293c143f91c260f580ff2a5e5c8a3967cb09b70dc3bebee0f463e82912c674

  • C:\SysDrvGV\abodloc.exe
    Filesize: 3.1MB
    MD5: 8dfe3d546ac2f4a0b485d72d01745bdc
    SHA1: 81cae2e714b788fd10267fadf91165b4eb2885f8
    SHA256: c3da718f5fa7d62ac0c4c8fa8aa9775e1f7281e92bdafb53584ac29f18b30ca3
    SHA512: 7cdeffbf238cc18bf236c481e6de1d75db9a5019ec25f2af6c4e81302a4c1aeec4d85480dfb358640abdc9fb59c6f2f7d219d27566afde8f6b4e14d23f1ec02c

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 204B
    MD5: 99877872ae9bcef3467f503ff2b20632
    SHA1: 60fcb2ed0a1a0f115441296915bd65bb28c972b1
    SHA256: 8e9771dee8d46a17d6dbe71450bf6168d8503fe5f323ef47ee11dbc3c82b3741
    SHA512: d53f179c5f359dc89c8c14b25374e3236452a321b4c006d22a4ef6931094b91e792fe2f7c131545d1834a3196a1e7025d28cb8c9b1d81b0db452ca48943ca323

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 172B
    MD5: a98765215de510ead84a4afebc2fd8e7
    SHA1: 33ec00645aa2c11ad0d0cd0a21ecf7e9d43a1eb3
    SHA256: 4b1a7a62ad8440f46206832e0b0ec6e63c1ba2985590c352b13849ee924687e8
    SHA512: b902bed8e2d991d0e93f0b8fc00ea9f56f09934caf17c41dece13340eacebee977cfea55401d75476fc474f82785d31e0f258d75b47d573daf225356a2c007fa

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
    Filesize: 3.1MB
    MD5: 52eb13fe7ac7e601c95ab00e9f7e3930
    SHA1: f9de090ec1a56f2bcaac74bb2b277ff0a15495db
    SHA256: 5265bbe597c6d60e9716170e523575782678784a583e6a315d0b687607177dba
    SHA512: c38a53716c2cf627a2c246fd93cd12ac8126039260c7aedfb7af31d4c4568e869a1d345c0bec2547abcbae78fbe2386ca9b380ac033a02151ada34114d0a6561