Analysis

  • max time kernel
    149s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22/07/2024, 18:52

General

  • Target

    1488be23aa5a15bed96482635e79f3ba3dc0091309483335bdb88048643b2365.exe

  • Size

    2.6MB

  • MD5

    1ecc3ef8dc6e4b2d727bca37deecd966

  • SHA1

    8de8318b44891e2cbb7e5dfacc43de85b2c0c6c7

  • SHA256

    1488be23aa5a15bed96482635e79f3ba3dc0091309483335bdb88048643b2365

  • SHA512

    b3beb79c43805e2a35d6cd3365537f7fca9ee5177ec39afb449b9a2c092d0534a51cde1c404172562eeb9d2185038a5c8b349f5d9e454ff3db22f8205ba30e7c

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBhB/bS:sxX7QnxrloE5dpUpWb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1488be23aa5a15bed96482635e79f3ba3dc0091309483335bdb88048643b2365.exe
    "C:\Users\Admin\AppData\Local\Temp\1488be23aa5a15bed96482635e79f3ba3dc0091309483335bdb88048643b2365.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4264
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:4100
    • C:\IntelprocLX\aoptiec.exe
      C:\IntelprocLX\aoptiec.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:4312

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\IntelprocLX\aoptiec.exe

    Filesize

    306KB

    MD5

    792917757f09453091117d48587f8cea

    SHA1

    2a1ecc374cf2b9516a49952c2b53015d83888e0f

    SHA256

    82febcbeda374d5fff4de588530aae48460ca295731257fa3dcb63fef9d5ed14

    SHA512

    c72c387a3c9d38ace2b2a5e1aae31d1b8df96dc17fc714f799d7f771ae61046c608c47bff93624c6940fe3bdd07442b2e747478b483eabeae4a342fcabd4e13d

  • C:\IntelprocLX\aoptiec.exe

    Filesize

    2.6MB

    MD5

    6716c7fb0a7e846505b2981590cc7e79

    SHA1

    2b3abcb88bf1a4ab286eae19ae214a4a1a952dbf

    SHA256

    131a950b3298f40b1450215a70f085f9e6bd846ea64130cf26ed26551f2c2764

    SHA512

    f7a6bd43d2bca27d054aa440417704639adbc3f1a201252d418bdd7d3d53ae88cdfd29cb31cf2388937588d78930c7256e898b14b5e0faec8958f38f53f6237d

  • C:\LabZRS\dobaloc.exe

    Filesize

    2.6MB

    MD5

    4dd8fab8e7fb20457015fd0d1db8f6f5

    SHA1

    bdd51330f005418528d4676c8e5e57d7514060cf

    SHA256

    d3740d24c15870222c309d7c35e4bbf119f772ae381ccd9ec0e7b73db9b6533b

    SHA512

    b623f1f0fe0c06a0a1fa9fdc31a6a54d9170f5834de3b376ef8249784418c4c7df9fb8011681a2d7ff45e8f806d17c371be73cb608e193adc82b49b312c21a99

  • C:\LabZRS\dobaloc.exe

    Filesize

    1.6MB

    MD5

    9dc4c15c4aef1b34ec6a294cc966c132

    SHA1

    21fde6291cee53ae93475b6b26aa4f4a81031dff

    SHA256

    2eab54cc38b3d5db1bc4b60815f40df2b8e3b787927cfac8a2c74eb78df5e687

    SHA512

    1e2af90bbcac1722de6bf028093dfabbdae857ca858206f2e623c0432c02f8b208393a92483da0b3c35c448e42d725e6de0508b4b41f0e929da89ab5c88874d3

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    204B

    MD5

    fa57f9cf65169a934fdebe5215cd3f11

    SHA1

    3a3392d24771f6664364be1fecc3802b9ba1f7b9

    SHA256

    02f6a6dbb7d5bd6b5757540698f0a6f519720024cc9e1332462e8bb3e8b84bcb

    SHA512

    9436bb3b7174821b14ab12b61906667511832dd56f65db85a351ec7793b936c86c036ffd8c2786e1659d848921d1195e505ac3a6be4c40176596896017430aea

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    172B

    MD5

    caf26ff4c1842bf1c8185c79dc5a57a6

    SHA1

    c9f9bc024b41f2ee83e2c38b729ed1f088a93357

    SHA256

    c9bd3b9f2234c0b146f10ab20633f574b2a953d266f321526f5d0a7a46c0d06a

    SHA512

    01aaa6b2f7f4e820c0db179ee7a85d3d7df61a7e9b0076413f1f6ea0db3ebd98a4a37e58c8efe64bb01c3cb9d9b8493fe8659c882531ffe916101dc13fb1440f

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe

    Filesize

    2.6MB

    MD5

    f1dbd4c10c6ff8c5429665aff262c21f

    SHA1

    c08d019b779624c36be453816d2b61f7384b44cb

    SHA256

    2ec241e6415844b2eaa436752aff2b5ae9bf26399e2ffa50d48813fde12bfdd2

    SHA512

    7b3cb3f116c4d74086fea51085f4fa6c2e5281ddeec4d7011d8c9b296b848a8a214a1dd425325c262ba97c2ba25dc06d05f29fe8d1efa5ae4e3674c6564d8dff