Analysis
max time kernel: 149s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/08/2024, 19:27
Static task: static1
Behavioral task: behavioral1
  Sample: 1e147da0e92bdeecdbf81af8a663496ddf0b0eaa2bb8a6fe1e354d1e02fd1ea7.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: 1e147da0e92bdeecdbf81af8a663496ddf0b0eaa2bb8a6fe1e354d1e02fd1ea7.exe
  Resource: win10v2004-20240802-en
General
Target: 1e147da0e92bdeecdbf81af8a663496ddf0b0eaa2bb8a6fe1e354d1e02fd1ea7.exe
Size: 3.9MB
MD5: 130ce263810502ef67b195be63833750
SHA1: b7549d4be7e7a5fbc4aae431563882caf1ebd140
SHA256: 1e147da0e92bdeecdbf81af8a663496ddf0b0eaa2bb8a6fe1e354d1e02fd1ea7
SHA512: 1c450d0d7ddb74e034c76768229a7923ae4cc8654df373c2903a7a04a4c9343d761bbdc4506bc0c514800c73831b4cd0a94903bb0eb05922fb85e467f316699c
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBxB/bSqz8:sxX7QnxrloE5dpUp2bVz8
Malware Config
Signatures
- Credentials from Password Stores: Credentials from Web Browsers (1 TTPs)
  Malicious access or copy of web browser credential store.
- Drops startup file (1 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | 1e147da0e92bdeecdbf81af8a663496ddf0b0eaa2bb8a6fe1e354d1e02fd1ea7.exe
- Executes dropped EXE (2 IoCs)
  pid | Process
  5104 | ecdevopti.exe
  2980 | xbodsys.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files94\\xbodsys.exe" | 1e147da0e92bdeecdbf81af8a663496ddf0b0eaa2bb8a6fe1e354d1e02fd1ea7.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintX3\\bodaec.exe" | 1e147da0e92bdeecdbf81af8a663496ddf0b0eaa2bb8a6fe1e354d1e02fd1ea7.exe
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1e147da0e92bdeecdbf81af8a663496ddf0b0eaa2bb8a6fe1e354d1e02fd1ea7.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ecdevopti.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xbodsys.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  2560 | 1e147da0e92bdeecdbf81af8a663496ddf0b0eaa2bb8a6fe1e354d1e02fd1ea7.exe (4 entries)
  5104 | ecdevopti.exe (30 entries, alternating in pairs with the xbodsys.exe entries below)
  2980 | xbodsys.exe (30 entries)
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 2560 wrote to memory of 5104 | 2560 | 1e147da0e92bdeecdbf81af8a663496ddf0b0eaa2bb8a6fe1e354d1e02fd1ea7.exe | 86 (3 entries)
  PID 2560 wrote to memory of 2980 | 2560 | 1e147da0e92bdeecdbf81af8a663496ddf0b0eaa2bb8a6fe1e354d1e02fd1ea7.exe | 87 (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\1e147da0e92bdeecdbf81af8a663496ddf0b0eaa2bb8a6fe1e354d1e02fd1ea7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1e147da0e92bdeecdbf81af8a663496ddf0b0eaa2bb8a6fe1e354d1e02fd1ea7.exe"
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2560
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 5104
  - C:\Files94\xbodsys.exe
    Command line: C:\Files94\xbodsys.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 2980
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 742KB
  MD5: d44055515a04c56ef18a60abcf01e555
  SHA1: efcee993f1d9f60d9f23158f42c7804f0b7f895b
  SHA256: 9a09c719fdc18bbc6b99bd33a886055095ee6171366f8d6c5a04d870c6f01571
  SHA512: 62b292e406ec148b71610f3c6adea9eab516b86af874414a4e670ccc707331f0097a50814c62fd29ac8974cce14577e072386ba38c352347cdd7204008726a49
- Filesize: 3.9MB
  MD5: ac0ce8b7eb7dc8df7e1f4dca99d2b5da
  SHA1: 1dd1564af1c63f2b05e9ddb39ae25fb23c3d7aa8
  SHA256: 5ea4b83e1a1afb0f56e0015ad2df0611cbc81b4e614148ea7d7bfdcb2eb825e8
  SHA512: a4236fbe1e6c922db3a006fc981f01bb57b2cc53809f0c4a0810d9b33036d13bc9a40c1c23bc82992cf975918f2c9fe0e5ffd6856be493b0ce079a285c21856e
- Filesize: 3.9MB
  MD5: f3482f2cee2a45ddeac25880b9ff7567
  SHA1: 36a25db7984de10e2b064cabb56adad199f3ed66
  SHA256: 3caeb1e0440e132fb12603ca1239a14c14646427a0d733e482f1fc36be43553c
  SHA512: b54ada3f1c644b32d042cf5c7fa903f8007a9d31c733f578a669528ede9a9a2db3418c21e8196b4c712238966e28dcc77ed98087f8793fb523a3d813bab77424
- Filesize: 39KB
  MD5: 8ad721cb3223c0cb0b022c6cf99d1f1a
  SHA1: 99e1b9322999587da01c53dd1be3aac20a64aae7
  SHA256: ec4254a666580ddda21c1d4b28a9805a5d6b1bde7d697e49780a04a2f59fd39c
  SHA512: f6c2d6c678dd330439cd301f544050af076e23f3a04efd8ee991f1744f510706ec892d2d68b699da9f65e2c45daa04d9c4173f2775f267613e4f3c00ac1d2dfa
- Filesize: 201B
  MD5: 08326f871c2ea20ce66baf3c4a77477b
  SHA1: b2817d587fb0ea246e0db77d52a16e8b13ce5b60
  SHA256: ac282b095c49a9e6abc992623ef1a7a6149abd0923da9f71027114c79506073e
  SHA512: 5ceb37ac9678f13793ff0138338ed2d3a12691ab44444c3365782070ba299fdc32463097437fccabcb0bdefad7ef5ea71325bb4d1e11ddec67466e99dd018a9d
- Filesize: 169B
  MD5: bfc08b72ec99fb6520dfdc0c9b7bd0f6
  SHA1: 3872694a2857701162624157e19bf32a705a854d
  SHA256: afc03b13df6e17b49679fec002dd91a8446b07348bf0128c589d0b46ce6511ff
  SHA512: 38323c5689d6ca43aaad1a3f49963c2c90bb9de497f4281e1ec92b2a47be35ccfafa9233ceeccba998efb1d800736c8826c6dff40e1c3faf0a93b134f5c73110
- Filesize: 3.9MB
  MD5: a181b0d4b614614dfb190fe2a14d7c64
  SHA1: e81cb15e0b0f892eab123aded55fbc7b03b3f388
  SHA256: 8ea376f189f625bf1f861726ceef49a641de02b6955291e20979b2275bac44c0
  SHA512: 448842013a5c5b0eca19e937278e400e859f647e75c8d8e9626e30cab6ae7c7c4bf14cfea153efc40b69f38dbb566857639755d4a82da384d98d8296e177450c