Analysis
max time kernel: 149s
max time network: 123s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/08/2024, 23:26
Static task: static1
Behavioral task: behavioral1
  Sample: 879ad8ed6d4f6510f73504957d8316591c615ff418fb5617b10a64984e3f98c0.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 879ad8ed6d4f6510f73504957d8316591c615ff418fb5617b10a64984e3f98c0.exe
  Resource: win10v2004-20240802-en
General
Target: 879ad8ed6d4f6510f73504957d8316591c615ff418fb5617b10a64984e3f98c0.exe
Size: 2.6MB
MD5: 266ea141a56df1ed37fbb1652dc818c2
SHA1: 865d0abce2a1b4dbd63e2a66a483251482ae1468
SHA256: 879ad8ed6d4f6510f73504957d8316591c615ff418fb5617b10a64984e3f98c0
SHA512: b6efcadf54a2b4804764d89ca0a9862e9c462e7c258627a274b68e64836fd7fe1be5c1162384e953c3d9f6fe8da968ff297418c2488d28a3285bd57067d96422
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBFB/bS:sxX7QnxrloE5dpUpyb
Malware Config
Signatures
- Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
  Malicious access to, or copying of, a web browser credential store.
- Drops startup file 1 IoCs
  | description | ioc | Process |
  |---|---|---|
  | File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | 879ad8ed6d4f6510f73504957d8316591c615ff418fb5617b10a64984e3f98c0.exe |
- Executes dropped EXE 2 IoCs
  | pid | Process |
  |---|---|
  | 760 | sysdevbod.exe |
  | 1616 | devoptisys.exe |
- Reads user/profile data of web browsers 2 TTPs
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application 2 TTPs 2 IoCs
  | description | ioc | Process |
  |---|---|---|
  | Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files6X\\devoptisys.exe" | 879ad8ed6d4f6510f73504957d8316591c615ff418fb5617b10a64984e3f98c0.exe |
  | Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBJ3\\bodxloc.exe" | 879ad8ed6d4f6510f73504957d8316591c615ff418fb5617b10a64984e3f98c0.exe |
- System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
  Attempts to gather information about the system language of a victim host in order to infer its geographical location.
  | description | ioc | Process |
  |---|---|---|
  | Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 879ad8ed6d4f6510f73504957d8316591c615ff418fb5617b10a64984e3f98c0.exe |
  | Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sysdevbod.exe |
  | Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | devoptisys.exe |
- Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3764 879ad8ed6d4f6510f73504957d8316591c615ff418fb5617b10a64984e3f98c0.exe 3764 879ad8ed6d4f6510f73504957d8316591c615ff418fb5617b10a64984e3f98c0.exe 3764 879ad8ed6d4f6510f73504957d8316591c615ff418fb5617b10a64984e3f98c0.exe 3764 879ad8ed6d4f6510f73504957d8316591c615ff418fb5617b10a64984e3f98c0.exe 760 sysdevbod.exe 760 sysdevbod.exe 1616 devoptisys.exe 1616 devoptisys.exe 760 sysdevbod.exe 760 sysdevbod.exe 1616 devoptisys.exe 1616 devoptisys.exe 760 sysdevbod.exe 760 sysdevbod.exe 1616 devoptisys.exe 1616 devoptisys.exe 760 sysdevbod.exe 760 sysdevbod.exe 1616 devoptisys.exe 1616 devoptisys.exe 760 sysdevbod.exe 760 sysdevbod.exe 1616 devoptisys.exe 1616 devoptisys.exe 760 sysdevbod.exe 760 sysdevbod.exe 1616 devoptisys.exe 1616 devoptisys.exe 760 sysdevbod.exe 760 sysdevbod.exe 1616 devoptisys.exe 1616 devoptisys.exe 760 sysdevbod.exe 760 sysdevbod.exe 1616 devoptisys.exe 1616 devoptisys.exe 760 sysdevbod.exe 760 sysdevbod.exe 1616 devoptisys.exe 1616 devoptisys.exe 760 sysdevbod.exe 760 sysdevbod.exe 1616 devoptisys.exe 1616 devoptisys.exe 760 sysdevbod.exe 760 sysdevbod.exe 1616 devoptisys.exe 1616 devoptisys.exe 760 sysdevbod.exe 760 sysdevbod.exe 1616 devoptisys.exe 1616 devoptisys.exe 760 sysdevbod.exe 760 sysdevbod.exe 1616 devoptisys.exe 1616 devoptisys.exe 760 sysdevbod.exe 760 sysdevbod.exe 1616 devoptisys.exe 1616 devoptisys.exe 760 sysdevbod.exe 760 sysdevbod.exe 1616 devoptisys.exe 1616 devoptisys.exe -
- Suspicious use of WriteProcessMemory 6 IoCs
  | description | pid | Process | procid_target |
  |---|---|---|---|
  | PID 3764 wrote to memory of 760 | 3764 | 879ad8ed6d4f6510f73504957d8316591c615ff418fb5617b10a64984e3f98c0.exe | 89 |
  | PID 3764 wrote to memory of 760 | 3764 | 879ad8ed6d4f6510f73504957d8316591c615ff418fb5617b10a64984e3f98c0.exe | 89 |
  | PID 3764 wrote to memory of 760 | 3764 | 879ad8ed6d4f6510f73504957d8316591c615ff418fb5617b10a64984e3f98c0.exe | 89 |
  | PID 3764 wrote to memory of 1616 | 3764 | 879ad8ed6d4f6510f73504957d8316591c615ff418fb5617b10a64984e3f98c0.exe | 90 |
  | PID 3764 wrote to memory of 1616 | 3764 | 879ad8ed6d4f6510f73504957d8316591c615ff418fb5617b10a64984e3f98c0.exe | 90 |
  | PID 3764 wrote to memory of 1616 | 3764 | 879ad8ed6d4f6510f73504957d8316591c615ff418fb5617b10a64984e3f98c0.exe | 90 |
Processes
- C:\Users\Admin\AppData\Local\Temp\879ad8ed6d4f6510f73504957d8316591c615ff418fb5617b10a64984e3f98c0.exe (tree depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\879ad8ed6d4f6510f73504957d8316591c615ff418fb5617b10a64984e3f98c0.exe"
  PID: 3764
  Signatures:
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe (tree depth 2, child of PID 3764)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
    PID: 760
    Signatures:
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\Files6X\devoptisys.exe (tree depth 2, child of PID 3764)
    Command line: C:\Files6X\devoptisys.exe
    PID: 1616
    Signatures:
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads