Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
  • submitted
    11/08/2024, 23:26

General

  • Target

    879ad8ed6d4f6510f73504957d8316591c615ff418fb5617b10a64984e3f98c0.exe

  • Size

    2.6MB

  • MD5

    266ea141a56df1ed37fbb1652dc818c2

  • SHA1

    865d0abce2a1b4dbd63e2a66a483251482ae1468

  • SHA256

    879ad8ed6d4f6510f73504957d8316591c615ff418fb5617b10a64984e3f98c0

  • SHA512

    b6efcadf54a2b4804764d89ca0a9862e9c462e7c258627a274b68e64836fd7fe1be5c1162384e953c3d9f6fe8da968ff297418c2488d28a3285bd57067d96422

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBFB/bS:sxX7QnxrloE5dpUpyb

Malware Config

Signatures

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser credential store.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\879ad8ed6d4f6510f73504957d8316591c615ff418fb5617b10a64984e3f98c0.exe
    "C:\Users\Admin\AppData\Local\Temp\879ad8ed6d4f6510f73504957d8316591c615ff418fb5617b10a64984e3f98c0.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3764
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:760
    • C:\Files6X\devoptisys.exe
      C:\Files6X\devoptisys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1616

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Files6X\devoptisys.exe

    Filesize

    2.6MB

    MD5

    7a09527847ee1f4fd0e3a1b07027b5df

    SHA1

    dcce7baa74fb343ee5ac572983573abb016e4e0e

    SHA256

    803dd89d36543933251ab977173ffac6e83703603d59a381111179bcb5fa07aa

    SHA512

    625c5feb0cbf9ac1b1346a251e4c4f532cc526511e3fd94edc8e653fd2b651cea85f7cc4397625944c651e4579008d293b0730cb7c44cb136dbfd16656c9d198

  • C:\KaVBJ3\bodxloc.exe

    Filesize

    20KB

    MD5

    2873fb57ea06e0913c9b5dde7bd73c2d

    SHA1

    c2794b886d0f3c44e805ffe343756fd81b5c87ec

    SHA256

    08bfacea5ca3a11f935a3a68ac2abceac42a731bd3c8bbb834bb6471d43f4587

    SHA512

    9db7ab2c48ad7fd8125df8c24bb1613169cdf1b762ad2552a31ad27ecfb1c9fca9350c4a31f167fa663450d181ba96804fc03f9938c7eea125d4b5efde338d76

  • C:\KaVBJ3\bodxloc.exe

    Filesize

    2.6MB

    MD5

    7a70bb5bca6bd9b430b80fe64155dc0c

    SHA1

    9d145e18a1d55666605c0cb409d6e720631187be

    SHA256

    4e320e54f8fbfc3b4ec0c5726f64e7bc4aa1d9d8c8ef322389ee52078616a940

    SHA512

    99f570d80d8f900867823d40b2973cb04849ad0e18a7a7e5ddfa165f4b4849182b3fc20be386567208c6a8c2670d40732696529d725880b433e27144df763dc2

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    205B

    MD5

    073ceda85560d4d6ad609c12725b1d74

    SHA1

    80add5e712a5bf8d7dff814fed26809f3cb9c658

    SHA256

    f6f870c0ca3aa10ec5bc3255f80f1d67ba87991dc9a57725d6c73ad746f175aa

    SHA512

    c605f61aa8d23f3ea0186f35964a4837fd91b1a1a22d24f64448cfd7857b687c1293ff08661c52e56bedbd35d73a62634c232a9a39b3163c76a7df71232da911

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    173B

    MD5

    be7efdd69be4c5766ae3a3469caa67e5

    SHA1

    69018bf1818987f85dc073d307fd844d023f2d87

    SHA256

    d1a775a6f3c025d50c7038db222d3b63c9697897d2ead713a097c93e0b355929

    SHA512

    b72e3fcd178c46a590407590acd826ae16480aa116440b8e0dbbe403cf0337e496dfe6b32c9b169fcb45428d413390182289e0e699addb95fd8d340adcc0c394

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe

    Filesize

    2.6MB

    MD5

    64b6fe1a7a54d8d15410d7dfa708baf7

    SHA1

    1de4cdf3fc82ba63ddba37a8922c3f668cb2bdfe

    SHA256

    6c38a1f91bb79a94f9429e744e5db78048ae246eefdb2ef4e1be4dfd2587b6ee

    SHA512

    3dc7bdc9390c7a21e2f81edeea28ea5c1c95f0c8641b7c755f0068c0b1da67664f8f4b25c598df600f491da9c74ffa75e66b52bb71c76cf2adacb644bd87c739