Analysis

  • max time kernel
    120s
  • max time network
    103s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18/08/2024, 06:22

General

  • Target: 10b6e821e9a2b645f25c1ba0ce250f40N.exe
  • Size: 4.1MB
  • MD5: 10b6e821e9a2b645f25c1ba0ce250f40
  • SHA1: 5888930755f20a01dcb04851018e246ae750816f
  • SHA256: 15b765faa8efcc2dac8c42f9126ba9ee3aacab335d6ac28391be0bceff3a6b8c
  • SHA512: a59f3f13d5e3363fe6f1d3c7605e1c6cd427abe4a0727510c402733232d1a55637106cf1a87bd787060a86467feaf813d9fe5d721718c174f4acb96907b5b569
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBlB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpybVz8eLFcz

Malware Config

Signatures

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser's credential store.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\10b6e821e9a2b645f25c1ba0ce250f40N.exe
    "C:\Users\Admin\AppData\Local\Temp\10b6e821e9a2b645f25c1ba0ce250f40N.exe"
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2748
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2080
    • C:\UserDotEL\xdobloc.exe
      C:\UserDotEL\xdobloc.exe
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2752

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\UserDotEL\xdobloc.exe
    Filesize: 4.1MB
    MD5: b1389e5bde605c880ab56c787e32553c
    SHA1: b4efd8fd520fcf45578a42fa5628367adb188c7c
    SHA256: dcbbb7e63a04d41a68f628674663072deaed1ad41a39572abc66ccfa5a5766c2
    SHA512: 8ce855795b2596398d3a9e372e957fd307443014d6deaefc36285255401a3a6d7be94eddf396d8c4d21269a888cb48250823525fd206d6dae4482849bda59a29

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 203B
    MD5: f1feeac7cd711c819af751c3b9a6ccca
    SHA1: daea65a669a10e57fd0d63d25b1360af40f2dc8e
    SHA256: b84c4bbfe2488f41850cac7e370abf9e78499a77bab8e4057b31ae1e712093de
    SHA512: 23aefa7ef2ddc149beed3333df50663fb9c6b937e46406832d946b4def40ec88fd66e4f1051113696888a2760283a3e1aeabd2992bbd466f3701b7ae5378c0b7

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 171B
    MD5: 50ffe84acadddf7bd0188bb54036cd4c
    SHA1: 8bb9a24f03bd9d890fa4e136acb7656231e01736
    SHA256: 01a94194725a9bdc9542f8783d009ffe014a31172189f6966d7077967067cea9
    SHA512: 16a34ecc0765387dea79a27c14fe54d15963d2493ac67278804265611972fbd5736034729b5c1ff3472ee4cdf32828becba0af943540f6a1165d3b1f2272a8e7

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
    Filesize: 4.1MB
    MD5: 58dad0be80378537d87f7a3bfa08389c
    SHA1: 83dd5a9f885286a6833c62d857873381918f413c
    SHA256: dbc6425fbacbbccacfdf706f2af253c694cbec6003f8889bf065b15a16c96b77
    SHA512: 00cccdc249b8ac54d8eec56676283162fc7c63c8240b9d74fba4ca8250092bd6005e612db29792b323941f7266abbbf9b3ca8ba16f507ce12f5d4eba89653754

  • C:\Vid29\dobxsys.exe
    Filesize: 478KB
    MD5: c63848866215c225285289a4cb925349
    SHA1: bd26bbc7d160701fcf45dee8dc11b80cd9186713
    SHA256: 8992a1157d52cb4f87d8ee6b7998c43073ee7110f2f281aca02c7acc65079e56
    SHA512: 80389b91ac41fc1310549fb5d55adc501cfa75f518c4de240687cae09dacfec5fa590fdf2657c214a5b7bd3088754692240eb4e02d879a8b7ca748c486391f74

  • C:\Vid29\dobxsys.exe
    Filesize: 4.1MB
    MD5: 26134446f5b5cce2de8b1967240ec3a8
    SHA1: 11b7f6272f68153a441830501642c48d72dbfcbc
    SHA256: 17acb8dc7a669fc4d87334d6d6b0e36f52470b7412daaf591c86838a745d2070
    SHA512: 2a2e7dca8224a1ed9ea857cb783b6a173c0aa1ad51c4a2c4c2e5d8eab3627df7e5dbf4e6672bf1f0a4d629ec36b5ad701afe7df36b3f273aa4a028e19594aa7e