
Analysis

  • max time kernel
    150s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10/07/2024, 19:56

General

  • Target

    1f1695014bb1d0dd1f9f231452f0a1113fc632af1126e41861e5c5b417f8a16c.exe

  • Size

    3.1MB

  • MD5

    0bd66a4871db12318da46f98b6124747

  • SHA1

    a10871344d62ed3daad4cd38b6b2d82400bb8887

  • SHA256

    1f1695014bb1d0dd1f9f231452f0a1113fc632af1126e41861e5c5b417f8a16c

  • SHA512

    0fd97884ae4ab6c794ea0dd127eb53f0ed64ece1a2b861e088f047b34798b517c3f68029b13a628bbc98b8d5eda8ef43e65eae028f5e7421c7474af48f35aecf

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB8B/bSqz8b6LNXJqI:sxX7QnxrloE5dpUpnbVz8eLFc

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1f1695014bb1d0dd1f9f231452f0a1113fc632af1126e41861e5c5b417f8a16c.exe
    "C:\Users\Admin\AppData\Local\Temp\1f1695014bb1d0dd1f9f231452f0a1113fc632af1126e41861e5c5b417f8a16c.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:740
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2936
    • C:\IntelprocWN\devbodec.exe
      C:\IntelprocWN\devbodec.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:3264

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\IntelprocWN\devbodec.exe

    Filesize

    3.1MB

    MD5

    3d6e4a514517675a6a3c6d2bd4b91c5d

    SHA1

    4e0d92108edda58fcacde1f2ca0753b7203bfcc9

    SHA256

    dd4a90db7e48bbdb62407069b6d18283f72ca472f27ddf7aa30d1c46d9af6407

    SHA512

    5edaa3e383bc3d538393840d641b62072854f7f7cdb68322f28d0902fe477461bf7b1353920bbaa31fe772186664e67d0d5be8de7765019c9b3fd37367007dd4

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    204B

    MD5

    d15e02565947bba4756516614adc6f9a

    SHA1

    e61dca8a457b52ebe990080402526c54d1f276a6

    SHA256

    78da03ee6a91b98b8003b02a3d58e0527aff6efa388785051683e817fbd75cbe

    SHA512

    3af52e841e5e36ed92bbdae129a8eb1f3da1591a3e922df19e6e769d98951737743915fc42f5cd1d68c45a58cd0bfdb2ccd25bb782220b35ef22d4d4da7b5b14

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    172B

    MD5

    0833eee9c4bfc3acd1c04a1de21cfb39

    SHA1

    9d861154744dfe8766f3bfe05f50eba348924bc8

    SHA256

    9fe4be092923ce2a725faf601ab8e0c2a4b6e23d227fa27fedfb0e60ba523bd1

    SHA512

    ee3c1f22ceebde268ed194f0a78452c7baeb97ef402dba138ac1dac66cbb4ab597920637d889711b288cb7fb1301b5c49fbb38708e3f43036c6954c675ce705d

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe

    Filesize

    3.1MB

    MD5

    c20aa86efcbdfe1805edd9e941515f3f

    SHA1

    0a5945cca2c87eb4496f38c8933941eaa4a8d6ec

    SHA256

    612045b44d0234335f4a5e336db0257fbee714a4d93fd04cc7f0cb6894f272d5

    SHA512

    98c9136ee46cb70f0b73b1827db7fda7ea64595d56039759e9573f1d597607fd53ee85d92631c045061dd58d1b9d743edd5556f603960107a4bafb5d086dbca3

  • C:\VidSI\bodaec.exe

    Filesize

    2.7MB

    MD5

    d3dcb611fa9e330974aacee73682f01d

    SHA1

    a8019ee0a241f2d9683665a1806623034b2c2038

    SHA256

    6bce6ae0aab576efbbd3cb55bbaaa424c91492900bae8d26dd7723d1161c5803

    SHA512

    51d442fbef89c55d1f518675784449263cbc25eadd9425ba6e8b6b2c9715c5c2bfc08630727bc7f828e642c344bf225d380a4f02e88893e7fae94140e2fb9747

  • C:\VidSI\bodaec.exe

    Filesize

    519KB

    MD5

    c8d3a18c8154e67e4da522062318a330

    SHA1

    089cf21469f293ac6a1b7f926e365f7c44568cad

    SHA256

    a5c597c2e7fb75f4e4e3b8cec40e866b81ca438ac829a932237ddc0fe1d00b7c

    SHA512

    7786d5eb96d1ee1f18d82615152e152279e01c6b3bcf8b8cbb93e1ad47a745d81915efd0a44773ba04f51bda30d2a0bbd23df3717f07958726d859acc6b1a516