Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17/08/2024, 22:06
Static task: static1
Behavioral task: behavioral1
- Sample: 4ff631d814caa7e610f4efc21b980240b85e986c0328880152de722b87da2c03.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 4ff631d814caa7e610f4efc21b980240b85e986c0328880152de722b87da2c03.exe
- Resource: win10v2004-20240802-en
General
- Target: 4ff631d814caa7e610f4efc21b980240b85e986c0328880152de722b87da2c03.exe
- Size: 3.0MB
- MD5: d128d026bfe11969c9b706abecb160e5
- SHA1: 5539a6d5737d1bdb80b49c981730d87d17540f4f
- SHA256: 4ff631d814caa7e610f4efc21b980240b85e986c0328880152de722b87da2c03
- SHA512: c9412c68a601f3ff7795726c8eeb0739b4ac35a73bb14e67883a5b16bb229b3cb7ffe743d0fabb1b0d0234be5c552fe055f8625b803722565bce7d2dae80738f
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBaB/bSqz8:sxX7QnxrloE5dpUp9bVz8
Malware Config
Signatures
- Credentials from Password Stores: Credentials from Web Browsers (1 TTPs)
  Malicious access to, or copying of, a web browser credential store.
- Drops startup file (1 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | 4ff631d814caa7e610f4efc21b980240b85e986c0328880152de722b87da2c03.exe
- Executes dropped EXE (2 IoCs)
  pid | Process
  976 | sysabod.exe
  2724 | devbodec.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotWS\\devbodec.exe" | 4ff631d814caa7e610f4efc21b980240b85e986c0328880152de722b87da2c03.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZQQ\\dobxsys.exe" | 4ff631d814caa7e610f4efc21b980240b85e986c0328880152de722b87da2c03.exe
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 4ff631d814caa7e610f4efc21b980240b85e986c0328880152de722b87da2c03.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sysabod.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | devbodec.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  768 | 4ff631d814caa7e610f4efc21b980240b85e986c0328880152de722b87da2c03.exe
  768 | 4ff631d814caa7e610f4efc21b980240b85e986c0328880152de722b87da2c03.exe
  768 | 4ff631d814caa7e610f4efc21b980240b85e986c0328880152de722b87da2c03.exe
  768 | 4ff631d814caa7e610f4efc21b980240b85e986c0328880152de722b87da2c03.exe
  976 | sysabod.exe
  976 | sysabod.exe
  2724 | devbodec.exe
  2724 | devbodec.exe
  976 | sysabod.exe
  976 | sysabod.exe
  2724 | devbodec.exe
  2724 | devbodec.exe
  976 | sysabod.exe
  976 | sysabod.exe
  2724 | devbodec.exe
  2724 | devbodec.exe
  976 | sysabod.exe
  976 | sysabod.exe
  2724 | devbodec.exe
  2724 | devbodec.exe
  976 | sysabod.exe
  976 | sysabod.exe
  2724 | devbodec.exe
  2724 | devbodec.exe
  976 | sysabod.exe
  976 | sysabod.exe
  2724 | devbodec.exe
  2724 | devbodec.exe
  976 | sysabod.exe
  976 | sysabod.exe
  2724 | devbodec.exe
  2724 | devbodec.exe
  976 | sysabod.exe
  976 | sysabod.exe
  2724 | devbodec.exe
  2724 | devbodec.exe
  976 | sysabod.exe
  976 | sysabod.exe
  2724 | devbodec.exe
  2724 | devbodec.exe
  976 | sysabod.exe
  976 | sysabod.exe
  2724 | devbodec.exe
  2724 | devbodec.exe
  976 | sysabod.exe
  976 | sysabod.exe
  2724 | devbodec.exe
  2724 | devbodec.exe
  976 | sysabod.exe
  976 | sysabod.exe
  2724 | devbodec.exe
  2724 | devbodec.exe
  976 | sysabod.exe
  976 | sysabod.exe
  2724 | devbodec.exe
  2724 | devbodec.exe
  976 | sysabod.exe
  976 | sysabod.exe
  2724 | devbodec.exe
  2724 | devbodec.exe
  976 | sysabod.exe
  976 | sysabod.exe
  2724 | devbodec.exe
  2724 | devbodec.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 768 wrote to memory of 976 | 768 | 4ff631d814caa7e610f4efc21b980240b85e986c0328880152de722b87da2c03.exe | 94
  PID 768 wrote to memory of 976 | 768 | 4ff631d814caa7e610f4efc21b980240b85e986c0328880152de722b87da2c03.exe | 94
  PID 768 wrote to memory of 976 | 768 | 4ff631d814caa7e610f4efc21b980240b85e986c0328880152de722b87da2c03.exe | 94
  PID 768 wrote to memory of 2724 | 768 | 4ff631d814caa7e610f4efc21b980240b85e986c0328880152de722b87da2c03.exe | 95
  PID 768 wrote to memory of 2724 | 768 | 4ff631d814caa7e610f4efc21b980240b85e986c0328880152de722b87da2c03.exe | 95
  PID 768 wrote to memory of 2724 | 768 | 4ff631d814caa7e610f4efc21b980240b85e986c0328880152de722b87da2c03.exe | 95
Processes
- C:\Users\Admin\AppData\Local\Temp\4ff631d814caa7e610f4efc21b980240b85e986c0328880152de722b87da2c03.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4ff631d814caa7e610f4efc21b980240b85e986c0328880152de722b87da2c03.exe"
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 768
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe (depth 2, child of PID 768)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 976
  - C:\UserDotWS\devbodec.exe (depth 2, child of PID 768)
    Command line: C:\UserDotWS\devbodec.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 2724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3056,i,1828333185976713750,7918646547767660928,262144 --variations-seed-version --mojo-platform-channel-handle=3832 /prefetch:8
  PID: 5084
Network
MITRE ATT&CK Enterprise v15
Downloads