Analysis

  • max time kernel
    119s
  • max time network
    118s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27/07/2024, 05:58

General

  • Target
    9ce45bfe76f2151b5cc1f71e4d5b3790N.exe
  • Size
    2.6MB
  • MD5
    9ce45bfe76f2151b5cc1f71e4d5b3790
  • SHA1
    d7bf4f015d2e29040c790de8b268ed0ef4a108b2
  • SHA256
    774d7b1dbff12b4ca8d22a3f4542cdafda2b390060905d0f5dec3c042df5f5bf
  • SHA512
    5e0babfe1a9eaef2f5ec9ba459b9ad165116d991fad95fd763f23e14e51bab8471315df75ccec0c9f796f2bf7c1cf7cadde1f6e87226613c0ddec8cc42de8e8f
  • SSDEEP
    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBUB/bS:sxX7QnxrloE5dpUprb

Malware Config

Signatures

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, the web browser credential store.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and other profile data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9ce45bfe76f2151b5cc1f71e4d5b3790N.exe
    "C:\Users\Admin\AppData\Local\Temp\9ce45bfe76f2151b5cc1f71e4d5b3790N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4552
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4420
    • C:\IntelprocVD\devbodec.exe
      C:\IntelprocVD\devbodec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3352

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Galax6C\optiasys.exe
    Filesize: 2.6MB
    MD5: 158a0382c1238e3c0389c1c8017e4308
    SHA1: 9aa8d799ac6fe7e65b12e1fd2997a4071eee9003
    SHA256: 31b9528a1f23362af8f759a42bbd148f0a85d4380cf53f9262dfb6ea1872d1d5
    SHA512: 57ac9284a82f80ed9066e3f908d61f456374935bd0c2fac9a54941991e3e3a6811b13c1304f4e75362049a81ef79c385515cfcf030b736f66d250459dd2aaab6

  • C:\Galax6C\optiasys.exe
    Filesize: 2.6MB
    MD5: 999dc895b2a20fb3f995868c2fe85e42
    SHA1: 39530b9e2066cc23cb446ca8726247858d7044a4
    SHA256: da5336f34ab6e1453b0ac036149568c38b1a027e1b7361c85273cff48843bf0d
    SHA512: 58394c6a63a4924b410cb0044bd814f7c0f6eb1b19295fec31d337a1efe9b6382ebfdc0af41302637f4396ad12cafe458ea71794a98018cec15d25724fc55111

  • C:\IntelprocVD\devbodec.exe
    Filesize: 2.6MB
    MD5: 83c525d9014bd186b3399f8c288e3aa6
    SHA1: 04224b0c4d5cb70f12f6767dd7224d5c2b2f4eba
    SHA256: 9cf1ec8da4e31099b8797a38cd657f1d6eafa358a6abcbc413455c5fbd483b92
    SHA512: e80252e76e4fbbeea9b8cf0231e9e96c4d75279178b439e3001e3f49e22ecbba380e11271abf1d867e967b2210f8991b3ff3dee3a540f760bf492f8f5540ad49

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 207B
    MD5: afecc5dd4438ca8e091607332f53bd94
    SHA1: 9e74a3fbb78a8057f3449811749ff40e68078e4a
    SHA256: 62ada75fb2942d675196ff94d002faafd547799346f02a24bd468e3200795e9c
    SHA512: 4d7b616cfc5066765df82cd44a2264c60f0ade1ff45dcc543a840f30d6f551445fa12bb0f5f38fb664f2cff136e8560842eb383308ae800140403ede65f0576d

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 175B
    MD5: a6c827a4487cb263cf47a9c8b4d2690a
    SHA1: d06989aad6ee86af981f9d5b936c993705c1b251
    SHA256: 49cc8ba2c7c2889c734315b82cf234be65ec2929e8618bfa715797f690fb6819
    SHA512: 3687d4f2a1b0602d018892400d2e0a34c15f1786dfa71239454475ce4fd1c2f8c36dd528c7726e30af89bdf5f53d47f89696e35c8bc1b0a3bc6d35adf4fda50b

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
    Filesize: 2.6MB
    MD5: ef27347bfd66fbc2a03573df94c3e591
    SHA1: 33a9b54ed42c6c5c8e36ee00753b83c059e13a03
    SHA256: 3ed8b3a336d3fa6868a255365d2a787beaecd2c9c871145eedf77c560dca8a20
    SHA512: c4f4edac5f6d0e66b3d4be107fdb063a71654c28b62313139fc63692943fe1a0550cd2fdd99bdb15d19ea8eb3b1e91f18d348f1ab8fc5be48f15c12bf32fac32