Analysis
max time kernel: 119s
max time network: 118s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/07/2024, 05:58
Static task: static1
Behavioral task: behavioral1
  Sample: 9ce45bfe76f2151b5cc1f71e4d5b3790N.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 9ce45bfe76f2151b5cc1f71e4d5b3790N.exe
  Resource: win10v2004-20240709-en
General
Target: 9ce45bfe76f2151b5cc1f71e4d5b3790N.exe
Size: 2.6MB
MD5: 9ce45bfe76f2151b5cc1f71e4d5b3790
SHA1: d7bf4f015d2e29040c790de8b268ed0ef4a108b2
SHA256: 774d7b1dbff12b4ca8d22a3f4542cdafda2b390060905d0f5dec3c042df5f5bf
SHA512: 5e0babfe1a9eaef2f5ec9ba459b9ad165116d991fad95fd763f23e14e51bab8471315df75ccec0c9f796f2bf7c1cf7cadde1f6e87226613c0ddec8cc42de8e8f
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBUB/bS:sxX7QnxrloE5dpUprb
Malware Config
Signatures

Credentials from Password Stores: Credentials from Web Browsers (1 TTP)
Malicious access to or copy of a web browser credential store.

Drops startup file (1 IoC)
description   ioc                                                                                         Process
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe   9ce45bfe76f2151b5cc1f71e4d5b3790N.exe

Executes dropped EXE (2 IoCs)
pid   Process
4420  locxbod.exe
3352  devbodec.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
description      ioc                                                                                                                                                      Process
Set value (str)  \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocVD\\devbodec.exe"      9ce45bfe76f2151b5cc1f71e4d5b3790N.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax6C\\optiasys.exe"     9ce45bfe76f2151b5cc1f71e4d5b3790N.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  9ce45bfe76f2151b5cc1f71e4d5b3790N.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  locxbod.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  devbodec.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs; the report repeats the same three process rows, collapsed here to one row each)
pid   Process
4552  9ce45bfe76f2151b5cc1f71e4d5b3790N.exe
4420  locxbod.exe
3352  devbodec.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description                       pid   Process                                procid_target
PID 4552 wrote to memory of 4420  4552  9ce45bfe76f2151b5cc1f71e4d5b3790N.exe  87
PID 4552 wrote to memory of 4420  4552  9ce45bfe76f2151b5cc1f71e4d5b3790N.exe  87
PID 4552 wrote to memory of 4420  4552  9ce45bfe76f2151b5cc1f71e4d5b3790N.exe  87
PID 4552 wrote to memory of 3352  4552  9ce45bfe76f2151b5cc1f71e4d5b3790N.exe  88
PID 4552 wrote to memory of 3352  4552  9ce45bfe76f2151b5cc1f71e4d5b3790N.exe  88
PID 4552 wrote to memory of 3352  4552  9ce45bfe76f2151b5cc1f71e4d5b3790N.exe  88
Processes

C:\Users\Admin\AppData\Local\Temp\9ce45bfe76f2151b5cc1f71e4d5b3790N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9ce45bfe76f2151b5cc1f71e4d5b3790N.exe"
  PID: 4552
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe (child of PID 4552)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
    PID: 4420
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

  C:\IntelprocVD\devbodec.exe (child of PID 4552)
    Command line: C:\IntelprocVD\devbodec.exe
    PID: 3352
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2.6MB
MD5: 158a0382c1238e3c0389c1c8017e4308
SHA1: 9aa8d799ac6fe7e65b12e1fd2997a4071eee9003
SHA256: 31b9528a1f23362af8f759a42bbd148f0a85d4380cf53f9262dfb6ea1872d1d5
SHA512: 57ac9284a82f80ed9066e3f908d61f456374935bd0c2fac9a54941991e3e3a6811b13c1304f4e75362049a81ef79c385515cfcf030b736f66d250459dd2aaab6

Filesize: 2.6MB
MD5: 999dc895b2a20fb3f995868c2fe85e42
SHA1: 39530b9e2066cc23cb446ca8726247858d7044a4
SHA256: da5336f34ab6e1453b0ac036149568c38b1a027e1b7361c85273cff48843bf0d
SHA512: 58394c6a63a4924b410cb0044bd814f7c0f6eb1b19295fec31d337a1efe9b6382ebfdc0af41302637f4396ad12cafe458ea71794a98018cec15d25724fc55111

Filesize: 2.6MB
MD5: 83c525d9014bd186b3399f8c288e3aa6
SHA1: 04224b0c4d5cb70f12f6767dd7224d5c2b2f4eba
SHA256: 9cf1ec8da4e31099b8797a38cd657f1d6eafa358a6abcbc413455c5fbd483b92
SHA512: e80252e76e4fbbeea9b8cf0231e9e96c4d75279178b439e3001e3f49e22ecbba380e11271abf1d867e967b2210f8991b3ff3dee3a540f760bf492f8f5540ad49

Filesize: 207B
MD5: afecc5dd4438ca8e091607332f53bd94
SHA1: 9e74a3fbb78a8057f3449811749ff40e68078e4a
SHA256: 62ada75fb2942d675196ff94d002faafd547799346f02a24bd468e3200795e9c
SHA512: 4d7b616cfc5066765df82cd44a2264c60f0ade1ff45dcc543a840f30d6f551445fa12bb0f5f38fb664f2cff136e8560842eb383308ae800140403ede65f0576d

Filesize: 175B
MD5: a6c827a4487cb263cf47a9c8b4d2690a
SHA1: d06989aad6ee86af981f9d5b936c993705c1b251
SHA256: 49cc8ba2c7c2889c734315b82cf234be65ec2929e8618bfa715797f690fb6819
SHA512: 3687d4f2a1b0602d018892400d2e0a34c15f1786dfa71239454475ce4fd1c2f8c36dd528c7726e30af89bdf5f53d47f89696e35c8bc1b0a3bc6d35adf4fda50b

Filesize: 2.6MB
MD5: ef27347bfd66fbc2a03573df94c3e591
SHA1: 33a9b54ed42c6c5c8e36ee00753b83c059e13a03
SHA256: 3ed8b3a336d3fa6868a255365d2a787beaecd2c9c871145eedf77c560dca8a20
SHA512: c4f4edac5f6d0e66b3d4be107fdb063a71654c28b62313139fc63692943fe1a0550cd2fdd99bdb15d19ea8eb3b1e91f18d348f1ab8fc5be48f15c12bf32fac32