Analysis
- max time kernel: 149s
- max time network: 143s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/08/2024, 04:07
Static task
- static1

Behavioral task
- behavioral1
  - Sample: f29f87a33b537e46e16231705c7575d28cac9e38afa0d943ce0e719e7c0cd324.exe
  - Resource: win7-20240704-en

Behavioral task
- behavioral2
  - Sample: f29f87a33b537e46e16231705c7575d28cac9e38afa0d943ce0e719e7c0cd324.exe
  - Resource: win10v2004-20240802-en
General
- Target: f29f87a33b537e46e16231705c7575d28cac9e38afa0d943ce0e719e7c0cd324.exe
- Size: 3.9MB
- MD5: 7112afea309abbdceb6abaa2cc02ef26
- SHA1: 5ce49d308f912d0aa1b5c35e86b86c0b65cca4dc
- SHA256: f29f87a33b537e46e16231705c7575d28cac9e38afa0d943ce0e719e7c0cd324
- SHA512: d9431f85e526065cc654b1a1f24147b19f7f5f04c3e6d482a92c12334dc790737388693d2713424372afac0dbcfb9e89358891041643ad879742651260e9c124
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBbB/bSqz8:sxX7QnxrloE5dpUpobVz8
Malware Config

Signatures
- Credentials from Password Stores: Credentials from Web Browsers (1 TTPs)
  Malicious access to, or copying of, a web browser credential store.
- Drops startup file (1 IoCs)
  - description: File created
    ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
    Process: f29f87a33b537e46e16231705c7575d28cac9e38afa0d943ce0e719e7c0cd324.exe
- Executes dropped EXE (2 IoCs)
  - pid: 3436, Process: locabod.exe
  - pid: 784, Process: abodloc.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and other data.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  - description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files5O\\abodloc.exe"
    Process: f29f87a33b537e46e16231705c7575d28cac9e38afa0d943ce0e719e7c0cd324.exe
  - description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBCQ\\bodaec.exe"
    Process: f29f87a33b537e46e16231705c7575d28cac9e38afa0d943ce0e719e7c0cd324.exe
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of the victim host in order to infer its geographical location.
  - description: Key opened
    ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: f29f87a33b537e46e16231705c7575d28cac9e38afa0d943ce0e719e7c0cd324.exe
  - description: Key opened
    ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: locabod.exe
  - description: Key opened
    ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: abodloc.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  The 64 entries are repeated events from three processes; distinct pid/Process pairs:
  - pid: 3272, Process: f29f87a33b537e46e16231705c7575d28cac9e38afa0d943ce0e719e7c0cd324.exe
  - pid: 3436, Process: locabod.exe
  - pid: 784, Process: abodloc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  - description: PID 3272 wrote to memory of 3436 (3 entries)
    pid: 3272
    Process: f29f87a33b537e46e16231705c7575d28cac9e38afa0d943ce0e719e7c0cd324.exe
    procid_target: 89
  - description: PID 3272 wrote to memory of 784 (3 entries)
    pid: 3272
    Process: f29f87a33b537e46e16231705c7575d28cac9e38afa0d943ce0e719e7c0cd324.exe
    procid_target: 92
Processes
- C:\Users\Admin\AppData\Local\Temp\f29f87a33b537e46e16231705c7575d28cac9e38afa0d943ce0e719e7c0cd324.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f29f87a33b537e46e16231705c7575d28cac9e38afa0d943ce0e719e7c0cd324.exe"
  PID: 3272
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"
    PID: 3436
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\Files5O\abodloc.exe (depth 2)
    Command line: C:\Files5O\abodloc.exe
    PID: 784
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads