Analysis

  • max time kernel
    150s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/08/2024, 21:37

General

  • Target

    571fc924f15567b238690533831137abe246a0cbfda782112b1a93af487f49f4.exe

  • Size

    2.7MB

  • MD5

    07f2d7a5e261847251ccb427b2bd5d00

  • SHA1

    29018e3c6793003f7240ebd76de6a12c5d6932b5

  • SHA256

    571fc924f15567b238690533831137abe246a0cbfda782112b1a93af487f49f4

  • SHA512

    7a5641521cf24264ce33ba5c8f4ba6eba2ce18a187c2c9ae7d0d66833c9fb05702b5e939d713f9eb0d033389c45cfb246233786a4b55f1f7a04c03b3c44ea387

  • SSDEEP

    49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBJ9w4S+:+R0pI/IQlUoMPdmpSpF4X

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely a geofence.

  • Executes dropped EXE (2 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials and other sensitive profile content.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 9 IoCs)

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Gathers network information (2 TTPs, 2 IoCs)

    Uses a command-line utility to view the network configuration.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (24 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\571fc924f15567b238690533831137abe246a0cbfda782112b1a93af487f49f4.exe
    "C:\Users\Admin\AppData\Local\Temp\571fc924f15567b238690533831137abe246a0cbfda782112b1a93af487f49f4.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4708
    • C:\Users\AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbecadob.exe
      C:\Users\AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbecadob.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4684
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c ipconfig > C:\Users\Admin\ipconfig.txt
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2396
        • C:\Windows\SysWOW64\ipconfig.exe
          ipconfig
          4⤵
          • System Location Discovery: System Language Discovery
          • Gathers network information
          PID:2732
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c netstat -a > C:\Users\Admin\netstat.txt
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1636
        • C:\Windows\SysWOW64\NETSTAT.EXE
          netstat -a
          4⤵
          • System Location Discovery: System Language Discovery
          • Gathers network information
          • Suspicious use of AdjustPrivilegeToken
          PID:3536
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c dir C:\*.txt /b /s >> C:\Users\Admin\grubb.list
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3900
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c dir C:\*.doc /b /s >> C:\Users\Admin\grubb.list
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4048
    • C:\Adobe1T\devbodec.exe
      C:\Adobe1T\devbodec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1896
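The process tree above shows the dropped executable staging host and network discovery to disk: cmd.exe /c runs ipconfig and netstat -a with output redirected into C:\Users\Admin\, and two recursive dir listings (*.txt, *.doc) appended to grubb.list. Two details matter for detection. First, the spawned image is C:\Windows\SysWOW64\cmd.exe while the command line names System32; that is WoW64 file-system redirection from a 32-bit parent (the resource tags list arch:x86), so a rule should key on the image's base name rather than its full path. Second, the suspicious combination is a discovery command plus a redirect into the user profile plus a parent that is not an interactive shell, not any one of those alone. The following is an added detection example, not part of the Triage report: the Sysmon-style process-creation events are constructed to mirror the tree, and the parent path C:\Users\Admin\AppData\Local\Temp\dropped.exe is a placeholder.

```python
import re
from dataclasses import dataclass

# Discovery commands whose output is worth alerting on when it is written to disk.
DISCOVERY = {"ipconfig", "netstat", "dir", "systeminfo", "whoami", "tasklist", "arp", "route", "net"}

# Parents from which a person typing these commands would be unremarkable.
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe", "windowsterminal.exe"}

# A '>' or '>>' redirect and its target; the lookbehind skips handle numbers such as 2>nul.
REDIRECT_RE = re.compile(r'(?<![0-9])>{1,2}\s*(?P<target>"[^"]+"|\S+)')
# Redirect target lives under a user profile.
PROFILE_RE = re.compile(r"^[a-z]:\\users\\", re.IGNORECASE)
# cmd.exe invoked with /c or /k; group 1 is the command it was told to run.
CMD_C_RE = re.compile(r'^\s*"?[^"]*?cmd(?:\.exe)?"?\s+/[ck]\s+(.*)$', re.IGNORECASE)


@dataclass
class ProcEvent:
    """Subset of a Sysmon event ID 1 (process creation) record."""
    image: str
    command_line: str
    parent_image: str


def base(path: str) -> str:
    """Lower-cased file name only: WoW64 redirection puts a 32-bit parent's cmd.exe under SysWOW64."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def inner_command(command_line: str):
    """The command handed to cmd.exe /c or /k, or None if the line is not of that form."""
    m = CMD_C_RE.match(command_line)
    return m.group(1).strip() if m else None


def classify(ev: ProcEvent) -> list:
    """Reasons the event looks like staged discovery; empty when it does not."""
    reasons = []
    if base(ev.image) != "cmd.exe":
        return reasons
    inner = inner_command(ev.command_line)
    if not inner:
        return reasons
    verb = base(inner.split()[0].strip('"'))
    if verb.endswith(".exe"):
        verb = verb[:-4]
    if verb not in DISCOVERY:
        return reasons
    reasons.append(f"discovery command '{verb}' run via cmd /c")
    m = REDIRECT_RE.search(inner)
    if m:
        target = m.group("target").strip('"')
        where = "into the user profile" if PROFILE_RE.match(target) else "to a file"
        reasons.append(f"output redirected {where}: {target}")
    parent = base(ev.parent_image)
    if parent not in INTERACTIVE_PARENTS:
        reasons.append(f"spawned by non-interactive parent {parent}")
    return reasons


def is_suspicious(ev: ProcEvent) -> bool:
    """A discovery verb plus at least one aggravating factor (redirect or odd parent)."""
    return len(classify(ev)) >= 2


def scan(events):
    """(command_line, reasons) for every event that is_suspicious."""
    return [(ev.command_line, classify(ev)) for ev in events if is_suspicious(ev)]


# Constructed events modelled on the report's process tree; the parent path is a placeholder.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\dropped.exe"
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c ipconfig > C:\Users\Admin\ipconfig.txt', DROPPER),
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c netstat -a > C:\Users\Admin\netstat.txt', DROPPER),
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c dir C:\*.txt /b /s >> C:\Users\Admin\grubb.list', DROPPER),
    # Benign look-alikes: interactive parent with no redirect; a non-discovery verb; the tool itself.
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c ipconfig /all', r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c echo done > C:\Users\Admin\log.txt', DROPPER),
    ProcEvent(r"C:\Windows\SysWOW64\ipconfig.exe", "ipconfig", r"C:\Windows\SysWOW64\cmd.exe"),
]

if __name__ == "__main__":
    for cmd, why in scan(SAMPLE_EVENTS):
        print(cmd)
        for r in why:
            print("   -", r)
```

The three staged-discovery lines each collect all three reasons; the interactive `ipconfig /all`, the `echo` redirect and the bare ipconfig.exe launch fall below the threshold. In production the same logic maps onto a Sysmon or EDR query keyed on Image ending in cmd.exe, CommandLine containing a redirect, and ParentImage outside the interactive set.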

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Adobe1T\devbodec.exe

    Filesize

    28KB

    MD5

    c8923eb6d55ae59a2d91ecce1706dd72

    SHA1

    7b64709b1ee3cace250ea9a3a59e338b8cc1bc49

    SHA256

    6a6f2712427e99ceede982fd03ae1a1a1ab93ae8c749862d691e4fcf9d7f5a59

    SHA512

    3266bf3c9bfd253f8e8f635c018170b26e68bc71ed54714d20499835f2b6d27f07a1d8b13af9f6c0f0dbb0dc58b4c811ed7a2e5556d5434e75ad2dd2a067158c

  • C:\Adobe1T\devbodec.exe

    Filesize

    2.7MB

    MD5

    582b31fb36f35c5d50fc86a4ac9f33ab

    SHA1

    d7d14be06183e6a75348754d94fd31ea9d17a645

    SHA256

    515ed51339aef2d7df2fc7c12e993216454385c836520ae13af26cf54283dbe7

    SHA512

    41de292fc6e6cb3194f7a267dd95e2f4a5bc3b5fa3ae4e5676e849344c2872a9efb9f8a6ae1165487ca1cb9c8f6259d08c3072937bda5d35a568e4526fc1e367

  • C:\Mint8W\boddevloc.exe

    Filesize

    2.7MB

    MD5

    8e53f59356003f38cda1337a2dc36ed9

    SHA1

    fe0eae38fbff448e2751485418876b6dc0a5dfbe

    SHA256

    060011c4bd447342056c4a029c72b289f4182a4c4d8ba24165974e68b2115230

    SHA512

    3ea3e4dbf280ad6e8cd3db0d2dadd1cccb48e855a773f15419b9f0249e87e76dcfe90fe6dce5d7201e143b88f2760f0e15458a1c149df60d8971bd30e98c6678

  • C:\Mint8W\boddevloc.exe

    Filesize

    2.7MB

    MD5

    e9e18f833fcd6a3f2e241f55ac9e3f74

    SHA1

    df67dbf4d1c80241a70cbb8e88aebee4cf2fd52a

    SHA256

    2b5a6f899728b8e6b28a015de950865a7d898cad7b696aafcb1f5735cb76c189

    SHA512

    8f303f60bff0fb651794ea86d3709b5720227105849298d8061f528a13da7f2d357f45227bb1d0391dfd0c4dc035de7afb8b42e14306c5db75c0a0383401ebd4

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    202B

    MD5

    3512205338768da449c1f44073c9522e

    SHA1

    02d12765a53e0e27697ee63fb1cdd9286c424264

    SHA256

    e13204075abc45b535a274fed52dbd00c46c5d8307d50148046d5ce122f86e74

    SHA512

    072a085ef5d0160d4c54d5253197f6d9a6f68926e05bb0d33efa9d4fb1a13e1c750170406fb762e2ab69bc522fb5aca1d162be713196318d86d35eb80ad7e2f8

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    202B

    MD5

    18e3cdd70f92d75518148227ce51e98b

    SHA1

    df5bd5eba2f352f08a74c7bcd7b5aa43d00b7014

    SHA256

    b97564ba9426d21c613a58ed4e81897ca8e4ab3083de27544c4011b864251e9e

    SHA512

    3fae85e248747db495b3938031bb5ae3f3c0e79248834f576cbf6407a703a4e8908e70317c861318dc4e9019c97101fc77200eb1c052affd6e37bedf5df47460

  • C:\Users\Admin\grubb.list

    Filesize

    40KB

    MD5

    1bdcccecaba080152bb54be855d41736

    SHA1

    a9dae921d9eb24573aae5541e73eaf9a2ecdea0e

    SHA256

    09c0b53cbb5a30a886c8fa485268e4f3b636ef891c072a25cc07f495f9efe24d

    SHA512

    5f169c5f04d8088ba8f4d191eaeb79938d1d299c07d872f88dfe0ef8c8d0031612f2217019a83258da956dacf1795efc0c0e4ad9347fb9e496dd15fc42072dc1

  • C:\Users\AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbecadob.exe

    Filesize

    2.7MB

    MD5

    d5d001fb6899f9805353bd8614acfdda

    SHA1

    1f8f99188e71ff190536128ce070ed0427d05d37

    SHA256

    b28f12df846cb94940d4fd0c420b802f3aa223efca62dcaf1d9af9f47bb2a477

    SHA512

    43b7f8dafe26dcceca17d097aa30343ee05cc48e033e5eec9c44cf25f3b6649773dbe997f73e1e9189b52bc09c95df76df889ceac7946d71c61f681d3ca4d65e
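The last entry is the oddly named dropped copy that appears as PID 4684 in the process tree. Its name is not extraction damage: every character after the literal C:\Users\Admin is exactly 6 code points above the corresponding character of \AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ (for example b is backslash plus 6, GvvJgzg is AppData, ]otju}y is Windows, & is the space in Start Menu). Because that part was never decoded before the file was written, the backslashes stayed as b and the whole intended path collapsed into one file name sitting directly in C:\Users\ instead of the Startup folder; the path as recorded has only two backslashes. Persistence still succeeded through the Run key recorded on the parent process. The trailing ecadob.exe does not turn into readable text under the same shift, so it is left undecoded rather than guessed. The following added example, not part of the Triage report, recovers the offset by brute force instead of assuming it, and separates the decodable directory from the remainder:

```python
import re

# The drop path exactly as recorded in the report's process tree and Downloads list.
OBSERVED = r"C:\Users\AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbecadob.exe"
# The part that is a normal path; the sample appended the rest in its "encoded" form.
LITERAL_PREFIX = r"C:\Users\Admin"

# A path component counts as readable if it is made only of these characters.
READABLE_RE = re.compile(r"^[A-Za-z0-9 ._:-]+$")


def unshift(text: str, shift: int) -> str:
    """Subtract a fixed offset from every code point (undo a constant-shift encoding)."""
    return "".join(chr(ord(c) - shift) for c in text)


def readable_components(path: str) -> list:
    """All backslash-separated components of `path` that look like real names."""
    return [c for c in path.split("\\") if READABLE_RE.match(c)]


def best_shift(encoded: str, candidates=range(1, 26)) -> int:
    """Offset that turns the most of `encoded` into readable path components.
    Only the offset that maps 'b' back to a backslash splits it into several."""
    return max(candidates, key=lambda k: len(readable_components(unshift(encoded, k))))


def decode_mangled_path(observed: str, shift: int, prefix: str = LITERAL_PREFIX) -> str:
    """Keep the literal prefix and unshift everything after it."""
    if not observed.startswith(prefix):
        raise ValueError("observed path does not start with the literal prefix")
    return prefix + unshift(observed[len(prefix):], shift)


def split_decoded(decoded: str):
    """(leading directory made of readable components, remainder that does not decode cleanly)."""
    comps = decoded.split("\\")
    n = 0
    while n < len(comps) and READABLE_RE.match(comps[n]):
        n += 1
    return "\\".join(comps[:n]), "\\".join(comps[n:])


if __name__ == "__main__":
    k = best_shift(OBSERVED[len(LITERAL_PREFIX):])
    directory, leftover = split_decoded(decode_mangled_path(OBSERVED, k))
    print(f"shift {k}: {directory}")
    print(f"undecodable tail: {leftover!r}")
    print(f"as written the path has {OBSERVED.count(chr(92))} backslashes, so the file sits directly in C:\\Users")
```

The brute force scores each candidate offset by how many readable components it produces; only 6 maps b to a backslash and yields the Startup-folder path, every other offset yields at most three. A practitioner triaging the host can use the same decoded directory as the place to look for a second, correctly written copy on machines where the sample's path handling did work.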