Analysis

  • max time kernel: 149s
  • max time network: 96s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240802-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 06/08/2024, 19:27

General

  • Target: 1e147da0e92bdeecdbf81af8a663496ddf0b0eaa2bb8a6fe1e354d1e02fd1ea7.exe
  • Size: 3.9MB
  • MD5: 130ce263810502ef67b195be63833750
  • SHA1: b7549d4be7e7a5fbc4aae431563882caf1ebd140
  • SHA256: 1e147da0e92bdeecdbf81af8a663496ddf0b0eaa2bb8a6fe1e354d1e02fd1ea7
  • SHA512: 1c450d0d7ddb74e034c76768229a7923ae4cc8654df373c2903a7a04a4c9343d761bbdc4506bc0c514800c73831b4cd0a94903bb0eb05922fb85e467f316699c
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBxB/bSqz8:sxX7QnxrloE5dpUp2bVz8

Malware Config

Signatures

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, the web browser credential store.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and other sensitive information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1e147da0e92bdeecdbf81af8a663496ddf0b0eaa2bb8a6fe1e354d1e02fd1ea7.exe
    "C:\Users\Admin\AppData\Local\Temp\1e147da0e92bdeecdbf81af8a663496ddf0b0eaa2bb8a6fe1e354d1e02fd1ea7.exe"
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2560
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:5104
    • C:\Files94\xbodsys.exe
      C:\Files94\xbodsys.exe
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2980

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Files94\xbodsys.exe
    Filesize: 742KB
    MD5: d44055515a04c56ef18a60abcf01e555
    SHA1: efcee993f1d9f60d9f23158f42c7804f0b7f895b
    SHA256: 9a09c719fdc18bbc6b99bd33a886055095ee6171366f8d6c5a04d870c6f01571
    SHA512: 62b292e406ec148b71610f3c6adea9eab516b86af874414a4e670ccc707331f0097a50814c62fd29ac8974cce14577e072386ba38c352347cdd7204008726a49

  • C:\Files94\xbodsys.exe
    Filesize: 3.9MB
    MD5: ac0ce8b7eb7dc8df7e1f4dca99d2b5da
    SHA1: 1dd1564af1c63f2b05e9ddb39ae25fb23c3d7aa8
    SHA256: 5ea4b83e1a1afb0f56e0015ad2df0611cbc81b4e614148ea7d7bfdcb2eb825e8
    SHA512: a4236fbe1e6c922db3a006fc981f01bb57b2cc53809f0c4a0810d9b33036d13bc9a40c1c23bc82992cf975918f2c9fe0e5ffd6856be493b0ce079a285c21856e

  • C:\MintX3\bodaec.exe
    Filesize: 3.9MB
    MD5: f3482f2cee2a45ddeac25880b9ff7567
    SHA1: 36a25db7984de10e2b064cabb56adad199f3ed66
    SHA256: 3caeb1e0440e132fb12603ca1239a14c14646427a0d733e482f1fc36be43553c
    SHA512: b54ada3f1c644b32d042cf5c7fa903f8007a9d31c733f578a669528ede9a9a2db3418c21e8196b4c712238966e28dcc77ed98087f8793fb523a3d813bab77424

  • C:\MintX3\bodaec.exe
    Filesize: 39KB
    MD5: 8ad721cb3223c0cb0b022c6cf99d1f1a
    SHA1: 99e1b9322999587da01c53dd1be3aac20a64aae7
    SHA256: ec4254a666580ddda21c1d4b28a9805a5d6b1bde7d697e49780a04a2f59fd39c
    SHA512: f6c2d6c678dd330439cd301f544050af076e23f3a04efd8ee991f1744f510706ec892d2d68b699da9f65e2c45daa04d9c4173f2775f267613e4f3c00ac1d2dfa

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 201B
    MD5: 08326f871c2ea20ce66baf3c4a77477b
    SHA1: b2817d587fb0ea246e0db77d52a16e8b13ce5b60
    SHA256: ac282b095c49a9e6abc992623ef1a7a6149abd0923da9f71027114c79506073e
    SHA512: 5ceb37ac9678f13793ff0138338ed2d3a12691ab44444c3365782070ba299fdc32463097437fccabcb0bdefad7ef5ea71325bb4d1e11ddec67466e99dd018a9d

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 169B
    MD5: bfc08b72ec99fb6520dfdc0c9b7bd0f6
    SHA1: 3872694a2857701162624157e19bf32a705a854d
    SHA256: afc03b13df6e17b49679fec002dd91a8446b07348bf0128c589d0b46ce6511ff
    SHA512: 38323c5689d6ca43aaad1a3f49963c2c90bb9de497f4281e1ec92b2a47be35ccfafa9233ceeccba998efb1d800736c8826c6dff40e1c3faf0a93b134f5c73110

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
    Filesize: 3.9MB
    MD5: a181b0d4b614614dfb190fe2a14d7c64
    SHA1: e81cb15e0b0f892eab123aded55fbc7b03b3f388
    SHA256: 8ea376f189f625bf1f861726ceef49a641de02b6955291e20979b2275bac44c0
    SHA512: 448842013a5c5b0eca19e937278e400e859f647e75c8d8e9626e30cab6ae7c7c4bf14cfea153efc40b69f38dbb566857639755d4a82da384d98d8296e177450c