Analysis

  • max time kernel: 149s
  • max time network: 143s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240802-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 11/08/2024, 04:07

General

  • Target: f29f87a33b537e46e16231705c7575d28cac9e38afa0d943ce0e719e7c0cd324.exe
  • Size: 3.9MB
  • MD5: 7112afea309abbdceb6abaa2cc02ef26
  • SHA1: 5ce49d308f912d0aa1b5c35e86b86c0b65cca4dc
  • SHA256: f29f87a33b537e46e16231705c7575d28cac9e38afa0d943ce0e719e7c0cd324
  • SHA512: d9431f85e526065cc654b1a1f24147b19f7f5f04c3e6d482a92c12334dc790737388693d2713424372afac0dbcfb9e89358891041643ad879742651260e9c124
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBbB/bSqz8:sxX7QnxrloE5dpUpobVz8

Malware Config

Signatures

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, the web browser credential store.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f29f87a33b537e46e16231705c7575d28cac9e38afa0d943ce0e719e7c0cd324.exe
    "C:\Users\Admin\AppData\Local\Temp\f29f87a33b537e46e16231705c7575d28cac9e38afa0d943ce0e719e7c0cd324.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3272
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3436
    • C:\Files5O\abodloc.exe
      C:\Files5O\abodloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:784

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Files5O\abodloc.exe
    Filesize: 3.9MB
    MD5: 985d667534ca608ab2bcdb55def09019
    SHA1: 911c461bf60c4ed3c1f754e0653e80c94638b640
    SHA256: fb94063f40d639b23a0de0946ad1507ff7d4b95172010cb3b292fdc685cf0022
    SHA512: 380dc4bcaf946be3e89476babe2a758bd422b04b767c8490d05f1afc8b2f4cfc8eae70fceae81f3928bf36ffa90b0291aaff025404cf192a42609efae4968d28

  • C:\KaVBCQ\bodaec.exe
    Filesize: 3.9MB
    MD5: d3fa4d639660d832bda40407eba5462c
    SHA1: 5573d2d51a1a7233f03019e954d2e240bbba7b3a
    SHA256: f6d5f67787f84df71be2ea04580703127eaa2a03719b434a3f065efa9c123f0d
    SHA512: f80484f42b727612e4a1911cddd7cd2822d02b4728360dffc7be7f70ea772d72ce3cb212155917232a56eb68eaec6ae89de88ab97ccf1fee21cbe9241f6cca6a

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 199B
    MD5: d04d249f8b90a853ac67290536b50323
    SHA1: c0659b90524c2913c577009b60c350275b4da18e
    SHA256: 059eb1763688fa61ddb222045677081178a99a76f9b204bd63aaef46d14be96a
    SHA512: d64b0df0f00f931110f44ea17eaf14325c027939f9a3f40404677a7e7a51ab7c712fafb116916eb3637a85fcf2ba9ddeb28f9e2667c1125af93cb56e47654ca1

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 167B
    MD5: 50e3d60817310f5ba80aacbb07914240
    SHA1: 41087dc06f021835ac97ff30f4e8fa957c1cc66e
    SHA256: 71f817e2eb0034da56cd4f2cdb73e5fe50ca399c0565c9a868d97153ff5af4f4
    SHA512: ea1e7e8c5bab5f6c6af4235f506559c9fb08333c265e29c676b48e0ca16d1b91b7530a449290aa0e79e1f91618a4f4cd01d47868711ef0da3b940e9c105a0cc8

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
    Filesize: 3.9MB
    MD5: bd92172af8bbfcaa70003fc3f0555816
    SHA1: 8b2c53cbdf2cf5603923f0ed0598e7bda9cd5cee
    SHA256: 75099f4b9fdc3423ac97cbcd0851cb0f2818fbcf55cdd9cfea0b89314c1f7b99
    SHA512: b61cf31088bde0354e3e2a35657abc7285fc93b33711aef59bdb81563ce09724bb594573edb685ab0b286aa47c699b3d6283c8150837c03bfcf8a2dc4e41712a