Analysis
- max time kernel: 150s
- max time network: 95s
- platform: windows10-2004_x64
- resource: win10v2004-20240704-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10/07/2024, 19:56
Static task: static1
Behavioral task: behavioral1
  Sample: 1f1695014bb1d0dd1f9f231452f0a1113fc632af1126e41861e5c5b417f8a16c.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 1f1695014bb1d0dd1f9f231452f0a1113fc632af1126e41861e5c5b417f8a16c.exe
  Resource: win10v2004-20240704-en
General
- Target: 1f1695014bb1d0dd1f9f231452f0a1113fc632af1126e41861e5c5b417f8a16c.exe
- Size: 3.1MB
- MD5: 0bd66a4871db12318da46f98b6124747
- SHA1: a10871344d62ed3daad4cd38b6b2d82400bb8887
- SHA256: 1f1695014bb1d0dd1f9f231452f0a1113fc632af1126e41861e5c5b417f8a16c
- SHA512: 0fd97884ae4ab6c794ea0dd127eb53f0ed64ece1a2b861e088f047b34798b517c3f68029b13a628bbc98b8d5eda8ef43e65eae028f5e7421c7474af48f35aecf
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB8B/bSqz8b6LNXJqI:sxX7QnxrloE5dpUpnbVz8eLFc
Malware Config
Signatures
- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
  process: 1f1695014bb1d0dd1f9f231452f0a1113fc632af1126e41861e5c5b417f8a16c.exe
- Executes dropped EXE (2 IoCs)
  pid 2936: ecdevbod.exe
  pid 3264: devbodec.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocWN\\devbodec.exe"
  process: 1f1695014bb1d0dd1f9f231452f0a1113fc632af1126e41861e5c5b417f8a16c.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidSI\\bodaec.exe"
  process: 1f1695014bb1d0dd1f9f231452f0a1113fc632af1126e41861e5c5b417f8a16c.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 740 wrote to memory of 2936 | pid: 740 | process: 1f1695014bb1d0dd1f9f231452f0a1113fc632af1126e41861e5c5b417f8a16c.exe | procid_target: 85
  PID 740 wrote to memory of 2936 | pid: 740 | process: 1f1695014bb1d0dd1f9f231452f0a1113fc632af1126e41861e5c5b417f8a16c.exe | procid_target: 85
  PID 740 wrote to memory of 2936 | pid: 740 | process: 1f1695014bb1d0dd1f9f231452f0a1113fc632af1126e41861e5c5b417f8a16c.exe | procid_target: 85
  PID 740 wrote to memory of 3264 | pid: 740 | process: 1f1695014bb1d0dd1f9f231452f0a1113fc632af1126e41861e5c5b417f8a16c.exe | procid_target: 86
  PID 740 wrote to memory of 3264 | pid: 740 | process: 1f1695014bb1d0dd1f9f231452f0a1113fc632af1126e41861e5c5b417f8a16c.exe | procid_target: 86
  PID 740 wrote to memory of 3264 | pid: 740 | process: 1f1695014bb1d0dd1f9f231452f0a1113fc632af1126e41861e5c5b417f8a16c.exe | procid_target: 86
Processes
- C:\Users\Admin\AppData\Local\Temp\1f1695014bb1d0dd1f9f231452f0a1113fc632af1126e41861e5c5b417f8a16c.exe (PID 740, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\1f1695014bb1d0dd1f9f231452f0a1113fc632af1126e41861e5c5b417f8a16c.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe (PID 2936, depth 2, child of PID 740)
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
  - C:\IntelprocWN\devbodec.exe (PID 3264, depth 2, child of PID 740)
    command line: C:\IntelprocWN\devbodec.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads