
Analysis

  • max time kernel: 149s
  • max time network: 98s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240709-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 10/07/2024, 22:01

General

  • Target: 4600115716bc1042a2d6a93993cc6eab088d10229bdee6e481a9d3b92a307039.exe
  • Size: 3.6MB
  • MD5: 77c84bcdb8342762271a6bad343f6b72
  • SHA1: 112ce87c47a648954fb86dd02978017601fa0912
  • SHA256: 4600115716bc1042a2d6a93993cc6eab088d10229bdee6e481a9d3b92a307039
  • SHA512: f0925264c81568ae5300fb186ce1f56bab20bbc68f864f7d398d1df40e216ab005462558cc252ea7ea122ad469e264ccc9610505c27100af01426aff07b29ddf
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBvB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpkbVz8eLFcz

Malware Config

Signatures

  • Drops startup file (1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)
    Infostealers often target stored browser data, which can include saved credentials etc.
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\4600115716bc1042a2d6a93993cc6eab088d10229bdee6e481a9d3b92a307039.exe (process tree level 1, PID 1692)
    Command line: "C:\Users\Admin\AppData\Local\Temp\4600115716bc1042a2d6a93993cc6eab088d10229bdee6e481a9d3b92a307039.exe"
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • Child: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe (process tree level 2, PID 1572)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
    • Child: C:\FilesP0\devbodsys.exe (process tree level 2, PID 3224)
      Command line: C:\FilesP0\devbodsys.exe
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\FilesP0\devbodsys.exe
    Filesize: 525KB
    MD5: 50aa6bee3d2e8e5a31452b940658dab9
    SHA1: fb60967691aa2ff769740e0abc6cdbb6ccdcc8f8
    SHA256: 3bb90b2609f8e20e3947ea98f051a1b46819148418a83a47bf730524cacbcce9
    SHA512: 24cc2510c0b4465ed3c713e6dc7f3e38a3b9567b6f88a7cae81e1aefb4e5c33aa40d774347ec165252ed6d76d174b8229ee55e0982cf02c19d3f04a9966661c3

  • C:\FilesP0\devbodsys.exe
    Filesize: 3.6MB
    MD5: 51ad7ec32ca540378f89634e44b99917
    SHA1: 009cb69856cac31e53d80637f09a6b511aba11fd
    SHA256: e921bf1793edf9e4321e9515484b27cbc6cfe2fb01ba28641d229f658108347a
    SHA512: 8619dc707cc31f211de3362d041ce071f91aa4b8830f7b8df0fdead3339caea86967c23f47371baabdaee1500de6ac9725ffb24f6189186ec9bccd6a6075d132

  • C:\GalaxTR\bodxloc.exe
    Filesize: 10KB
    MD5: 211c211281a83cae04ba8989e177223a
    SHA1: 2c6a912a90ce71ae095e8f16a97222e28964a271
    SHA256: c2beca0f3cf592fda96ba710769ff2d67fd97592da9df195990bf22499d20a4b
    SHA512: 10dbfb3c33737e1b9a691fdbb89cea3f018443e481d57887d53a605597bc3ba56db26480f2efdbf443c71b4f4a0b594257d8f34f4cbd7826ff71936f4b5487eb

  • C:\GalaxTR\bodxloc.exe
    Filesize: 1.4MB
    MD5: 22283b11de359826c014e1871de3f383
    SHA1: 83b42d1f4680b1d6b6004b23307e805595a40746
    SHA256: 3f456dfc167a113cbb554919c1f3a14a0b3089fb626ee0c24b92baa72a8fc91c
    SHA512: 970605edede5533a7ac90ba06b018b29b7c393a7f3191d9cc124f450119dd2f38d76eb88c65c88b1af32fb727404fa7f48ab963799e8b603b42ffe472e976244

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 204B
    MD5: 590bbc03bea59ca5eec167e87d81ec63
    SHA1: 286454970195b190514d3c52badfafb4be07a082
    SHA256: 5eb17119a80045c2d9d07fec509c4e31d30d5a7513aced8b51032551d6ed3822
    SHA512: 5153bea746079bd40547ae9c72e3de9f0f772321f2851259edbace6a3b178ed09e7c598b4cd31ea25450843656eb044423e96e30980927693ee13d5db20a419c

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 172B
    MD5: 6a64c9ba46a6f32dc6b2aeca90b309cb
    SHA1: 432e0de09b22ac58f64943e0160910909380f96e
    SHA256: c546265db78c4cc30e0e2dc8352823d715cc121b70b501ad100729030e61d7b7
    SHA512: 1246202a58cc63ef5bcfaa9ad7e67556e5e23a68e3eaac0ff95077d5ceef62fc2f1e562ad340e9574027db6507820e88e096160cb11860d3ddac4903f0b4deda

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
    Filesize: 3.6MB
    MD5: 7b944908946614b731d06c0ce28e132f
    SHA1: 287034597413a005ba0db6d970de0b47ccf7c32a
    SHA256: a6449fb97ff90bb8877b46d0835f4a71e56ba60f9d44ad3a13f913329bff56f2
    SHA512: 80ffef77934f2a9161937841a2136894a10a4e32357d27758ab9c28705145fd44f642af11394c6e79f0483b18d0fc8851312cc685ff7e8d03d893723e3d68394