Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18/08/2024, 22:49

General

  • Target
    34b5125109082072036165cbebf0bed0N.exe
  • Size
    2.6MB
  • MD5
    34b5125109082072036165cbebf0bed0
  • SHA1
    410a3d0a4d7e5ab174b47d0767d18a272c35cac9
  • SHA256
    dc29021ebd4e79103b43d91397b6592749e7170273a8323e4dc9a26e3c7b3bb7
  • SHA512
    c2d3f0bde9ab69f1e44e579491a5b67beccdc1d6369bf33747580a32979f3fd8200f56eabce6e7d905724eaca130771f0c4c01840329b4f45c0382b6f8ff8498
  • SSDEEP
    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBRB/bS:sxX7QnxrloE5dpUpKb

Malware Config

Signatures

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser credential store.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim host in order to infer its geographical location.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\34b5125109082072036165cbebf0bed0N.exe
    "C:\Users\Admin\AppData\Local\Temp\34b5125109082072036165cbebf0bed0N.exe"
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1168
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3420
    • C:\UserDotII\abodec.exe
      C:\UserDotII\abodec.exe
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4652

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\KaVBRC\optixloc.exe
    Filesize: 2.6MB
    MD5: d26be5f3b8f446c70ff11eb01baa8022
    SHA1: 89a5945806763016c0f5c15d82827d790f77e2c8
    SHA256: 343198744c9cf61999473b98bd5145009d23ed0206c0d6c5f97435faf02d445c
    SHA512: e7d5fc4d4b56dc91fa19ff9c25fa378351f827ae2edbb854d5eea7b30a019d4b8b2137c7a5692faf711522b688af71ac7cc8a9c530ee281447b2ca7e12adaaa4

  • C:\KaVBRC\optixloc.exe
    Filesize: 2.6MB
    MD5: 9b9d4376823e8b1597ac990305938db4
    SHA1: bb9473cad80dc92d766e711650c9fe8754fc6451
    SHA256: a518e61f39a53bfff2862cf6eedfe43d1687d3afb93b1ac8cda90d4555436aeb
    SHA512: f97af633f5e937f78ba970d7476dd0467e9c45ee4ef022f646ba008ee8b72952a1cf31c1893b4cb15f54d4de1c89cdf9e19c582661c5651ed10aabb8d36a073d

  • C:\UserDotII\abodec.exe
    Filesize: 2.6MB
    MD5: 71031bd1795f6dba7bc1e0fac75d0676
    SHA1: 377e82f28135e8adfea4a4544d37b5726c48a871
    SHA256: e74372309bcf1402dbaa8404598b2a7087c0fff45884c48fe07df79137f6db72
    SHA512: fa945aefa2c668d177e8a4994bb64e520200f6ea9bb6dea278500f396a45371dc110dcaa1d1c8767a87377edabbee0d71e6c006a32b1ff20f005a7bf3a5f3430

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 202B
    MD5: 7b7426f3c1aabc68316b23ae295425af
    SHA1: b41b91b9cb9cff9a0ed1095236233b232a02eb6a
    SHA256: c4d534f675928ab244dfa9cd3f8328e8ac1c08cd28216e78106205ba68d915dd
    SHA512: c21243ce7f22d87279741a25467d09a73eb9fc6e5afe34d0bf78d990b6768f3c53761fe37bac9bb62f6c27fe2166727506be02f7f6e2b46eb9667e5252146316

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 170B
    MD5: 2cb720d83b7252983524eafa54b288b9
    SHA1: 46bdbe4001f39718908b1c0d80bb5924550e4edc
    SHA256: 3b323139fc52500240c6de22c74444facb5c12a01d49622b742d8eb0bdf0e10c
    SHA512: 816dba094e3eb23e130b82b8836481f90abe22d02658616404fe7ecb4556e3f30f2a0afd429d4d18427fdb51a50257858e42bfd5372b8420b071631ec2be685d

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
    Filesize: 2.6MB
    MD5: 89f6b071a6db70e059ee99a129f15027
    SHA1: 71379e3f639c52307c438f59a6ad06f4228c35fd
    SHA256: b27f9b73b188e09464b6efabdd9ce56606fe6497e3e44228ad07e6e874d2a675
    SHA512: d6110870bdc0d21c80d3d1268fae93f6345d64576586f98c4c5387a88c420e46a8ecbe6eb1b89c1b9f3333210e5d6738852abbda7afa4cbda33b03cb2ac266d1