Analysis (behavioral2 run; see the task list below)
- max time kernel: 149s
- max time network: 98s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10/07/2024, 22:01
Static task: static1
Behavioral task: behavioral1
- Sample: 4600115716bc1042a2d6a93993cc6eab088d10229bdee6e481a9d3b92a307039.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 4600115716bc1042a2d6a93993cc6eab088d10229bdee6e481a9d3b92a307039.exe
- Resource: win10v2004-20240709-en
General
- Target: 4600115716bc1042a2d6a93993cc6eab088d10229bdee6e481a9d3b92a307039.exe
- Size: 3.6MB
- MD5: 77c84bcdb8342762271a6bad343f6b72
- SHA1: 112ce87c47a648954fb86dd02978017601fa0912
- SHA256: 4600115716bc1042a2d6a93993cc6eab088d10229bdee6e481a9d3b92a307039
- SHA512: f0925264c81568ae5300fb186ce1f56bab20bbc68f864f7d398d1df40e216ab005462558cc252ea7ea122ad469e264ccc9610505c27100af01426aff07b29ddf
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBvB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpkbVz8eLFcz
Malware Config
Signatures
- Drops startup file (1 IoC)
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
  Process: 4600115716bc1042a2d6a93993cc6eab088d10229bdee6e481a9d3b92a307039.exe
  Anything in the per-user Startup folder runs at the next interactive logon, so this is persistence on its own, independent of the Run keys below.
- Executes dropped EXE (2 IoCs)
  pid 1572: ecdevdob.exe
  pid 3224: devbodsys.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar secrets. The report attaches no IoC rows to this signature, only the behaviour classification, so which browser files were read is not shown here.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesP0\\devbodsys.exe"
  Process: 4600115716bc1042a2d6a93993cc6eab088d10229bdee6e481a9d3b92a307039.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxTR\\bodxloc.exe"
  Process: 4600115716bc1042a2d6a93993cc6eab088d10229bdee6e481a9d3b92a307039.exe
  Both values share the name "Parametr". devbodsys.exe is also launched directly by the sample in this run (PID 3224), whereas C:\GalaxTR\bodxloc.exe never appears in the process tree, so the RunOnce payload was not observed executing within the 149s window.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 1692: 4600115716bc1042a2d6a93993cc6eab088d10229bdee6e481a9d3b92a307039.exe (4 entries)
  pid 1572: ecdevdob.exe (30 entries)
  pid 3224: devbodsys.exe (30 entries)
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 1692 wrote to memory of 1572 (Process: 4600115716bc1042a2d6a93993cc6eab088d10229bdee6e481a9d3b92a307039.exe, procid_target 87), 3 entries
  PID 1692 wrote to memory of 3224 (Process: 4600115716bc1042a2d6a93993cc6eab088d10229bdee6e481a9d3b92a307039.exe, procid_target 88), 3 entries
  Every write targets a child that 1692 itself has just spawned (see Processes); there is no write into a pre-existing or unrelated process in this report, so on its own this does not indicate injection into another process.
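The two persistence behaviours flagged above (Run/RunOnce values pointing at executables in ad hoc directories, and an EXE dropped into the per-user Startup folder) are easy to hunt for in endpoint telemetry. The script below is an added example, not part of the tria.ge report and not code from the sample: it runs two rules over Sysmon-style registry-set (Event ID 13) and file-create (Event ID 11) records. The records are constructed to mirror the IoCs on this page; the field names follow Sysmon's EventData schema, and the "Vendor" Run entry is an invented benign control case.

```python
"""
Hunt for Run/RunOnce persistence and Startup-folder drops in Sysmon-style
events. Added example; not from the tria.ge report or the analysed sample.
The EVENTS list is constructed to mirror the report's IoCs.
"""
import re
from dataclasses import dataclass

# Tail of a Run or RunOnce value path, whatever hive prefix the log uses
# (HKU\..., \REGISTRY\USER\..., HKLM\...).
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(?P<key>Run|RunOnce)\\(?P<value>[^\\]+)$",
    re.I,
)
# An .exe written straight into the per-user Startup folder.
STARTUP_DIR_RE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$",
    re.I,
)
# Where autostart binaries of legitimately installed software normally live.
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


@dataclass
class Finding:
    rule: str
    process: str
    detail: str


def _exe_path(details: str) -> str:
    """Normalise a REG_SZ value as rendered in the report: drop the quotes
    and collapse the doubled backslashes."""
    return details.strip().strip('"').replace("\\\\", "\\")


def hunt(events):
    """Return one Finding per event that matches a persistence rule."""
    findings = []
    for ev in events:
        if ev["EventID"] == 13:  # Sysmon: registry value set
            m = RUN_KEY_RE.search(ev["TargetObject"])
            if m is None:
                continue
            path = _exe_path(ev["Details"])
            if not path.lower().startswith(TRUSTED_PREFIXES):
                findings.append(Finding(
                    "run_key_untrusted_path", ev["Image"],
                    f"{m.group('key')}\\{m.group('value')} -> {path}"))
        elif ev["EventID"] == 11:  # Sysmon: file created
            if STARTUP_DIR_RE.search(ev["TargetFilename"]):
                findings.append(Finding(
                    "startup_folder_drop", ev["Image"], ev["TargetFilename"]))
    return findings


# Constructed sample input mirroring the report's IoCs, plus one benign control.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\4600115716bc1042a2d6a93993cc6eab088d10229bdee6e481a9d3b92a307039.exe")
USER_HIVE = r"HKU\S-1-5-21-1176886754-713327781-2233697964-1000"
EVENTS = [
    {"EventID": 13, "Image": SAMPLE,
     "TargetObject": USER_HIVE + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr",
     "Details": r'"C:\\FilesP0\\devbodsys.exe"'},
    {"EventID": 13, "Image": SAMPLE,
     "TargetObject": USER_HIVE + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr",
     "Details": r'"C:\\GalaxTR\\bodxloc.exe"'},
    # Invented benign control: an installer registering a tray app under Program Files.
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": USER_HIVE + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "Details": r'"C:\\Program Files\\Vendor\\tray.exe"'},
    {"EventID": 11, "Image": SAMPLE,
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"},
    # A drop outside the Startup folder: not matched by these two rules.
    {"EventID": 11, "Image": SAMPLE, "TargetFilename": r"C:\FilesP0\devbodsys.exe"},
]

if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f"[{f.rule}] {f.process}\n    {f.detail}")
```

The untrusted-path rule deliberately does not key on the value name "Parametr": the name is cheap for the author to change, while a Run value pointing at a root-level directory like C:\FilesP0 or C:\GalaxTR is the behaviour worth alerting on. Tune TRUSTED_PREFIXES to the software actually deployed in the estate before using the rule at scale.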
Processes
- C:\Users\Admin\AppData\Local\Temp\4600115716bc1042a2d6a93993cc6eab088d10229bdee6e481a9d3b92a307039.exe (PID 1692, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\4600115716bc1042a2d6a93993cc6eab088d10229bdee6e481a9d3b92a307039.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe (PID 1572, depth 2, child of 1692)
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
  - C:\FilesP0\devbodsys.exe (PID 3224, depth 2, child of 1692)
    command line: C:\FilesP0\devbodsys.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
The report lists the files collected from the run by size and hash only; their on-disk paths are not given here. Note that the two 3.6MB artifacts hash differently from the submitted sample (MD5 77c84bcdb8342762271a6bad343f6b72), so they are not byte-identical copies of it.
- 525KB
  MD5: 50aa6bee3d2e8e5a31452b940658dab9
  SHA1: fb60967691aa2ff769740e0abc6cdbb6ccdcc8f8
  SHA256: 3bb90b2609f8e20e3947ea98f051a1b46819148418a83a47bf730524cacbcce9
  SHA512: 24cc2510c0b4465ed3c713e6dc7f3e38a3b9567b6f88a7cae81e1aefb4e5c33aa40d774347ec165252ed6d76d174b8229ee55e0982cf02c19d3f04a9966661c3
- 3.6MB
  MD5: 51ad7ec32ca540378f89634e44b99917
  SHA1: 009cb69856cac31e53d80637f09a6b511aba11fd
  SHA256: e921bf1793edf9e4321e9515484b27cbc6cfe2fb01ba28641d229f658108347a
  SHA512: 8619dc707cc31f211de3362d041ce071f91aa4b8830f7b8df0fdead3339caea86967c23f47371baabdaee1500de6ac9725ffb24f6189186ec9bccd6a6075d132
- 10KB
  MD5: 211c211281a83cae04ba8989e177223a
  SHA1: 2c6a912a90ce71ae095e8f16a97222e28964a271
  SHA256: c2beca0f3cf592fda96ba710769ff2d67fd97592da9df195990bf22499d20a4b
  SHA512: 10dbfb3c33737e1b9a691fdbb89cea3f018443e481d57887d53a605597bc3ba56db26480f2efdbf443c71b4f4a0b594257d8f34f4cbd7826ff71936f4b5487eb
- 1.4MB
  MD5: 22283b11de359826c014e1871de3f383
  SHA1: 83b42d1f4680b1d6b6004b23307e805595a40746
  SHA256: 3f456dfc167a113cbb554919c1f3a14a0b3089fb626ee0c24b92baa72a8fc91c
  SHA512: 970605edede5533a7ac90ba06b018b29b7c393a7f3191d9cc124f450119dd2f38d76eb88c65c88b1af32fb727404fa7f48ab963799e8b603b42ffe472e976244
- 204B
  MD5: 590bbc03bea59ca5eec167e87d81ec63
  SHA1: 286454970195b190514d3c52badfafb4be07a082
  SHA256: 5eb17119a80045c2d9d07fec509c4e31d30d5a7513aced8b51032551d6ed3822
  SHA512: 5153bea746079bd40547ae9c72e3de9f0f772321f2851259edbace6a3b178ed09e7c598b4cd31ea25450843656eb044423e96e30980927693ee13d5db20a419c
- 172B
  MD5: 6a64c9ba46a6f32dc6b2aeca90b309cb
  SHA1: 432e0de09b22ac58f64943e0160910909380f96e
  SHA256: c546265db78c4cc30e0e2dc8352823d715cc121b70b501ad100729030e61d7b7
  SHA512: 1246202a58cc63ef5bcfaa9ad7e67556e5e23a68e3eaac0ff95077d5ceef62fc2f1e562ad340e9574027db6507820e88e096160cb11860d3ddac4903f0b4deda
- 3.6MB
  MD5: 7b944908946614b731d06c0ce28e132f
  SHA1: 287034597413a005ba0db6d970de0b47ccf7c32a
  SHA256: a6449fb97ff90bb8877b46d0835f4a71e56ba60f9d44ad3a13f913329bff56f2
  SHA512: 80ffef77934f2a9161937841a2136894a10a4e32357d27758ab9c28705145fd44f642af11394c6e79f0483b18d0fc8851312cc685ff7e8d03d893723e3d68394