Analysis

  • max time kernel
    119s
  • max time network
    100s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15/07/2024, 20:17

General

  • Target

    038667b9ff12f0fb52c5d2eab925c830N.exe

  • Size

    2.6MB

  • MD5

    038667b9ff12f0fb52c5d2eab925c830

  • SHA1

    108136bd34f9d12300c6c4cfd8293ca6ab64f6e8

  • SHA256

    87cab3379af59c281c0e86b58e8c497ddefb693fd757c53de5d9f4fc40947f8b

  • SHA512

    09f5cb3c90589cceafaf2008ba95fcb8675ec2bf80da3efb8de8e96baf9dc666f1cc769f79bf335ec6d0762ba98208ee73a60910604df0095509bef55a043f5c

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB/B/bS:sxX7QnxrloE5dpUpsb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers commonly harvest stored browser data such as saved credentials, cookies and autofill entries.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\038667b9ff12f0fb52c5d2eab925c830N.exe
    "C:\Users\Admin\AppData\Local\Temp\038667b9ff12f0fb52c5d2eab925c830N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2708
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2168
    • C:\SysDrvLX\adobloc.exe
      C:\SysDrvLX\adobloc.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:3316

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\MintIF\bodxloc.exe

    Filesize

    2.6MB

    MD5

    bd3a03160ba328baac42c6c385ea4cbc

    SHA1

    dc50f0f35901023b593c1053f61541a43689146d

    SHA256

    e5bbfd53ce0924f3cfeaed96a5692a436ffcf199e8f51b91d546a97f8c92a73a

    SHA512

    1a9b5d52efa14adeaea97ba9912dcca6b4c1c453849dc5df8e70b232cd6264e99df393e812462ac5df9ed28142b964c6ddf411c277502979b0b9357e002bd9ee

  • C:\MintIF\bodxloc.exe

    Filesize

    176KB

    MD5

    d71c487da8f1e8c45d3607408ed01b7c

    SHA1

    5c16eeb4c1514529a0ddd6e60b1cccccfc8fb59a

    SHA256

    54e211425f8e0601dfbdc8dee18f20a3b18daa99d828e5639354a1c9a04b8afa

    SHA512

    925fced28c33622427c74e623db9f705fa6767aab6ab21eeac18c8ef3abb9468740bbb2f10047eff0ee11a74bfca2d15ad8cf78fd05d3b2cc58527b5918839d5

  • C:\SysDrvLX\adobloc.exe

    Filesize

    179KB

    MD5

    bf71ccff1edb7ebe7864719a59242753

    SHA1

    414fbca2dae2f26f15e5f25177e9b85ce2ffdda8

    SHA256

    3d3072d4afe057ce10151ad8b3992a79747277d4684a9ea4822514ab17665479

    SHA512

    d648674f41d48d4b110d4cc743eef9026ea990dc4b5f5b63d0507bd3e6257e5a44ed758794700f7bf03c546f7cb4f0523a3c50b27d9b8ef6591f3be16c66bcee

  • C:\SysDrvLX\adobloc.exe

    Filesize

    2.6MB

    MD5

    d5a9e475202bc0c277017c4e6fd02733

    SHA1

    7acfdd88c73f232369d2753852b835d6619753a7

    SHA256

    76858cadf7d1f9a5fcc07613d1675bdc8f58808a8eda22f6e2e17230c8277dca

    SHA512

    dbd8b28b26c724aebc241a0c9e2b6b174ffce74e979220dbd0e0b8515e3583acfe44fe4671cefd1fca7c10c5d560e35be7ccd1594db9bda1c88f0f7d9cc493a2

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    203B

    MD5

    4ad4b7e73efb9f4fae8fcfe85281d35a

    SHA1

    1091904bb7cfbb84ecb731603f2e87acbc1904ea

    SHA256

    40cbf09f7c5241578aa1cefbb3c5958be80ba5002ffe3bd30401c41851581078

    SHA512

    754837cc6529f8286d6e4edf15a4c5733e89186e24a941e46587f81e419972d150b54f80c9b8f896042823a0f7c3a07b4130dde90e5919b9c0aa67f136abe5d3

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    171B

    MD5

    d2cdfe430af88a1e5d756a6322c3ddba

    SHA1

    4d524eae239c5ff6987a5e9b1b8230089a091923

    SHA256

    750ccaf30a6d7725a371e7448707bcf39d4501ad0a859ba112e68eeabdee5338

    SHA512

    ec8583a3ea5b58af3605a1671fda6f5d97fd0d8498af14eea15349e456ec20ab7a69d21a4f3eff7e4df67e33b56fb27bb50c7b3f8c3dc473fb08810e8af12af9

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe

    Filesize

    2.6MB

    MD5

    a9cb2a669c6a31feba6b6429834025ac

    SHA1

    9e419ecbbac627945558c31063e16de110ecea7b

    SHA256

    0b26c1df3bf9ab7aedb157b55771dd27611132556149c1b8aac9002be9d5b3df

    SHA512

    36e1a8411377379ce531f280fc983cb15d5a42c205aa764a4c2e3b52ef2617f757425d7d6fec10cd1c0c6eef38e9b0093415515b42794823ad67d17d68ff98b6
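The behaviours listed under Signatures and Processes (a file dropped into the Startup folder, a Run key added, dropped EXEs executed from the Startup folder and C:\SysDrvLX) together with the SHA256 values under Downloads are enough to write a hunting rule for endpoint telemetry. The script below is an added example, not part of the tria.ge report or of any tool it mentions: it carries the report's SHA256 values and drop locations as indicators and matches them against constructed Sysmon-style events that mirror the process tree above. It generalises slightly beyond the report by matching any user profile's Startup folder rather than only the Admin profile. The event record layout, the Run-key value name (the report only states that a Run key was added) and the notepad.exe control event are assumptions made for the example.

```python
"""Hunt for this report's indicators in Sysmon-style telemetry.

Added example, not part of the tria.ge report. Hashes and paths are taken
from the report; the event records are constructed to mirror its process
tree, and the Run-key value name and event field layout are assumptions.
"""
import re
from dataclasses import dataclass

# SHA256 values copied from the report's General and Downloads sections.
KNOWN_SHA256 = {
    "87cab3379af59c281c0e86b58e8c497ddefb693fd757c53de5d9f4fc40947f8b": "038667b9ff12f0fb52c5d2eab925c830N.exe",
    "0b26c1df3bf9ab7aedb157b55771dd27611132556149c1b8aac9002be9d5b3df": "sysdevdob.exe",
    "3d3072d4afe057ce10151ad8b3992a79747277d4684a9ea4822514ab17665479": "adobloc.exe (179KB)",
    "76858cadf7d1f9a5fcc07613d1675bdc8f58808a8eda22f6e2e17230c8277dca": "adobloc.exe (2.6MB)",
    "54e211425f8e0601dfbdc8dee18f20a3b18daa99d828e5639354a1c9a04b8afa": "bodxloc.exe (176KB)",
    "e5bbfd53ce0924f3cfeaed96a5692a436ffcf199e8f51b91d546a97f8c92a73a": "bodxloc.exe (2.6MB)",
}

# Persistence and drop locations seen in the report, matched case-insensitively
# and for any user profile rather than only "Admin".
STARTUP_DIR = re.compile(r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
DROP_DIRS = ("c:\\sysdrvlx\\", "c:\\mintif\\")


@dataclass
class Event:
    """Minimal Sysmon-like record (assumed layout). event_id: 1 ProcessCreate,
    11 FileCreate, 13 RegistryValueSet. target holds TargetFilename or
    TargetObject; sha256 comes from the Hashes field, which Sysmon emits on
    ProcessCreate but not on FileCreate."""
    event_id: int
    pid: int
    image: str
    target: str = ""
    sha256: str = ""
    parent_pid: int = 0


def hunt(events):
    """Return (pid, finding) tuples in event order. A process is flagged as
    executing a dropped EXE only when an earlier FileCreate wrote its image."""
    findings = []
    dropped = set()  # lowercased paths written by any observed process
    for e in events:
        if e.event_id == 11:
            low = e.target.lower()
            dropped.add(low)
            if STARTUP_DIR.search(e.target):
                findings.append((e.pid, "drops startup file"))
            elif low.startswith(DROP_DIRS):
                findings.append((e.pid, "drops file into " + e.target.rsplit("\\", 1)[0]))
        elif e.event_id == 13 and RUN_KEY.search(e.target):
            findings.append((e.pid, "adds Run key: " + e.target.rsplit("\\", 1)[1]))
        elif e.event_id == 1:
            if e.sha256.lower() in KNOWN_SHA256:
                findings.append((e.pid, "known hash: " + KNOWN_SHA256[e.sha256.lower()]))
            if e.image.lower() in dropped:
                findings.append((e.pid, "executes dropped EXE"))
    return findings


STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\038667b9ff12f0fb52c5d2eab925c830N.exe"

# Constructed events reproducing the report's process tree (PIDs 2708, 2168,
# 3316). The Run-key value name "sysdevdob" and the notepad.exe control event
# (PID 4444, placeholder hash) are invented for this example.
SAMPLE_EVENTS = [
    Event(1, 2708, SAMPLE, sha256="87cab3379af59c281c0e86b58e8c497ddefb693fd757c53de5d9f4fc40947f8b"),
    Event(11, 2708, SAMPLE, target=STARTUP + r"\sysdevdob.exe"),
    Event(11, 2708, SAMPLE, target=r"C:\SysDrvLX\adobloc.exe"),
    Event(13, 2708, SAMPLE, target=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\sysdevdob"),
    Event(1, 2168, STARTUP + r"\sysdevdob.exe", parent_pid=2708,
          sha256="0b26c1df3bf9ab7aedb157b55771dd27611132556149c1b8aac9002be9d5b3df"),
    Event(1, 3316, r"C:\SysDrvLX\adobloc.exe", parent_pid=2708,
          sha256="3d3072d4afe057ce10151ad8b3992a79747277d4684a9ea4822514ab17665479"),
    Event(1, 4444, r"C:\Windows\System32\notepad.exe", parent_pid=1000, sha256="0" * 64),
]

if __name__ == "__main__":
    for pid, finding in hunt(SAMPLE_EVENTS):
        print(f"PID {pid}: {finding}")
```

Run against the constructed events, the script attributes the Startup-folder drop, the C:\SysDrvLX drop and the Run key to PID 2708 and flags PIDs 2168 and 3316 both for their known hashes and for running an image that an earlier FileCreate wrote; the notepad.exe control event produces nothing. On a real host the same logic runs over Sysmon event 1/11/13 records exported from the event log; the hash match is only as good as the file versions on this page, so the path and persistence rules are the ones worth keeping when the sample is rebuilt.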