Analysis
- max time kernel: 119s
- max time network: 120s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18/08/2024, 22:49
Static task: static1
Behavioral task: behavioral1
- Sample: 34b5125109082072036165cbebf0bed0N.exe
- Resource: win7-20240705-en
Behavioral task: behavioral2
- Sample: 34b5125109082072036165cbebf0bed0N.exe
- Resource: win10v2004-20240802-en
General
- Target: 34b5125109082072036165cbebf0bed0N.exe
- Size: 2.6MB
- MD5: 34b5125109082072036165cbebf0bed0
- SHA1: 410a3d0a4d7e5ab174b47d0767d18a272c35cac9
- SHA256: dc29021ebd4e79103b43d91397b6592749e7170273a8323e4dc9a26e3c7b3bb7
- SHA512: c2d3f0bde9ab69f1e44e579491a5b67beccdc1d6369bf33747580a32979f3fd8200f56eabce6e7d905724eaca130771f0c4c01840329b4f45c0382b6f8ff8498
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBRB/bS:sxX7QnxrloE5dpUpKb
Malware Config
Signatures
- Credentials from Password Stores: Credentials from Web Browsers (1 TTPs)
  Malicious access to, or copying of, the web browser credential store.
- Drops startup file (1 IoCs)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe (process: 34b5125109082072036165cbebf0bed0N.exe)
- Executes dropped EXE (2 IoCs)
  - PID 3420: locxbod.exe
  - PID 4652: abodec.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar secrets.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  - Set value (str): \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBRC\\optixloc.exe" (process: 34b5125109082072036165cbebf0bed0N.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotII\\abodec.exe" (process: 34b5125109082072036165cbebf0bed0N.exe)
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: abodec.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 34b5125109082072036165cbebf0bed0N.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: locxbod.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs; PIDs 1168, 3420 and 4652 as listed under Processes)
- Suspicious use of WriteProcessMemory (6 IoCs)
  - PID 1168 (34b5125109082072036165cbebf0bed0N.exe) wrote to memory of 3420, procid_target 90
  - PID 1168 (34b5125109082072036165cbebf0bed0N.exe) wrote to memory of 3420, procid_target 90
  - PID 1168 (34b5125109082072036165cbebf0bed0N.exe) wrote to memory of 3420, procid_target 90
  - PID 1168 (34b5125109082072036165cbebf0bed0N.exe) wrote to memory of 4652, procid_target 93
  - PID 1168 (34b5125109082072036165cbebf0bed0N.exe) wrote to memory of 4652, procid_target 93
  - PID 1168 (34b5125109082072036165cbebf0bed0N.exe) wrote to memory of 4652, procid_target 93
Processes
- C:\Users\Admin\AppData\Local\Temp\34b5125109082072036165cbebf0bed0N.exe (PID 1168, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\34b5125109082072036165cbebf0bed0N.exe"
  Signatures:
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe (PID 3420, depth 2)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
    Signatures:
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\UserDotII\abodec.exe (PID 4652, depth 2)
    Command line: C:\UserDotII\abodec.exe
    Signatures:
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads