Analysis
-
max time kernel
120s -
max time network
103s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system -
submitted
18/08/2024, 06:22
Static task
static1
Behavioral task
behavioral1
Sample
10b6e821e9a2b645f25c1ba0ce250f40N.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
10b6e821e9a2b645f25c1ba0ce250f40N.exe
Resource
win10v2004-20240802-en
General
-
Target
10b6e821e9a2b645f25c1ba0ce250f40N.exe
-
Size
4.1MB
-
MD5
10b6e821e9a2b645f25c1ba0ce250f40
-
SHA1
5888930755f20a01dcb04851018e246ae750816f
-
SHA256
15b765faa8efcc2dac8c42f9126ba9ee3aacab335d6ac28391be0bceff3a6b8c
-
SHA512
a59f3f13d5e3363fe6f1d3c7605e1c6cd427abe4a0727510c402733232d1a55637106cf1a87bd787060a86467feaf813d9fe5d721718c174f4acb96907b5b569
-
SSDEEP
49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBlB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpybVz8eLFcz
Malware Config
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious access to, or copying of, a web browser credential store.
-
Drops startup file 1 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | 10b6e821e9a2b645f25c1ba0ce250f40N.exe
-
Executes dropped EXE 2 IoCs
pid | Process
2080 | ecdevopti.exe
2752 | xdobloc.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotEL\\xdobloc.exe" | 10b6e821e9a2b645f25c1ba0ce250f40N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid29\\dobxsys.exe" | 10b6e821e9a2b645f25c1ba0ce250f40N.exe
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 10b6e821e9a2b645f25c1ba0ce250f40N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ecdevopti.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xdobloc.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2748 | 10b6e821e9a2b645f25c1ba0ce250f40N.exe (4 entries)
2080 | ecdevopti.exe (30 entries, alternating with 2752)
2752 | xdobloc.exe (30 entries, alternating with 2080)
-
Suspicious use of WriteProcessMemory 6 IoCs
description | pid | Process | procid_target
PID 2748 wrote to memory of 2080 | 2748 | 10b6e821e9a2b645f25c1ba0ce250f40N.exe | 87
PID 2748 wrote to memory of 2080 | 2748 | 10b6e821e9a2b645f25c1ba0ce250f40N.exe | 87
PID 2748 wrote to memory of 2080 | 2748 | 10b6e821e9a2b645f25c1ba0ce250f40N.exe | 87
PID 2748 wrote to memory of 2752 | 2748 | 10b6e821e9a2b645f25c1ba0ce250f40N.exe | 88
PID 2748 wrote to memory of 2752 | 2748 | 10b6e821e9a2b645f25c1ba0ce250f40N.exe | 88
PID 2748 wrote to memory of 2752 | 2748 | 10b6e821e9a2b645f25c1ba0ce250f40N.exe | 88
Processes
-
[level 1] C:\Users\Admin\AppData\Local\Temp\10b6e821e9a2b645f25c1ba0ce250f40N.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\10b6e821e9a2b645f25c1ba0ce250f40N.exe"
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2748 -
[level 2] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2080
-
-
[level 2] C:\UserDotEL\xdobloc.exe
Command line: C:\UserDotEL\xdobloc.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2752
-
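The signature tables and the process tree above are derived from raw behavioural events recorded in the sandbox. As an added example (not part of the tria.ge report and not Triage's own signature engine), the Python below rebuilds those events from the IoCs listed on this page as constructed records with assumed field names, and shows the rule logic that turns them into the "Drops startup file", "Adds Run key", "System Language Discovery" and "Suspicious use of WriteProcessMemory" signatures and into the parent/child tree. The "Run target outside trusted roots" check is a triage heuristic added here, not a Triage signature.

```python
"""Mini signature matcher over sandbox-style behavioural events.

Added example, not code from the tria.ge report. Event field names
(type, pid, process, path, key, value, target_pid) are an assumption.
"""
import re
from collections import defaultdict

SAMPLE = "10b6e821e9a2b645f25c1ba0ce250f40N.exe"
SID = r"S-1-5-21-523280732-2327480845-3730041215-1000"

# Constructed events modelled on the IoC tables of this report.
EVENTS = [
    {"type": "file_create", "pid": 2748, "process": SAMPLE,
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"},
    {"type": "reg_set", "pid": 2748, "process": SAMPLE,
     "key": rf"\REGISTRY\USER\{SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr",
     "value": r"C:\UserDotEL\xdobloc.exe"},
    {"type": "reg_set", "pid": 2748, "process": SAMPLE,
     "key": rf"\REGISTRY\USER\{SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr",
     "value": r"C:\Vid29\dobxsys.exe"},
    {"type": "reg_open", "pid": 2748, "process": SAMPLE,
     "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"},
    {"type": "reg_open", "pid": 2080, "process": "ecdevopti.exe",
     "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"},
    {"type": "reg_open", "pid": 2752, "process": "xdobloc.exe",
     "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"},
    # The report lists three identical write events per child; two are kept
    # here to show that the tree builder collapses duplicates.
    {"type": "write_process_memory", "pid": 2748, "process": SAMPLE, "target_pid": 2080},
    {"type": "write_process_memory", "pid": 2748, "process": SAMPLE, "target_pid": 2080},
    {"type": "write_process_memory", "pid": 2748, "process": SAMPLE, "target_pid": 2752},
]

STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
NLS_LANGUAGE = re.compile(r"\\Control\\NLS\\Language$", re.IGNORECASE)
# Autostart entries pointing outside these roots deserve a closer look
# (heuristic added in this example; the sample uses C:\UserDotEL and C:\Vid29).
TRUSTED_ROOTS = (r"c:\program files", r"c:\program files (x86)", r"c:\windows")


def match_signatures(events):
    """Return {signature name: [matching IoCs]} for the given events."""
    hits = defaultdict(list)
    for ev in events:
        kind = ev["type"]
        if kind == "file_create" and STARTUP_DIR.search(ev["path"]):
            hits["Drops startup file"].append((ev["process"], ev["path"]))
        elif kind == "reg_set" and RUN_KEY.search(ev["key"]):
            hits["Adds Run key to start application"].append(
                (ev["process"], ev["key"], ev["value"]))
            if not ev["value"].lower().startswith(TRUSTED_ROOTS):
                hits["Run target outside trusted roots"].append(ev["value"])
        elif kind == "reg_open" and NLS_LANGUAGE.search(ev["key"]):
            hits["System Language Discovery"].append(ev["process"])
        elif kind == "write_process_memory":
            hits["Suspicious use of WriteProcessMemory"].append(
                (ev["pid"], ev["target_pid"]))
    return dict(hits)


def process_tree(events):
    """Parent PID -> sorted child PIDs, derived from WriteProcessMemory events
    the way the report's procid_target column implies parent/child pairs."""
    tree = defaultdict(set)
    for ev in events:
        if ev["type"] == "write_process_memory":
            tree[ev["pid"]].add(ev["target_pid"])
    return {parent: sorted(children) for parent, children in tree.items()}


if __name__ == "__main__":
    for name, iocs in match_signatures(EVENTS).items():
        print(f"{name} ({len(iocs)} IoCs)")
        for ioc in iocs:
            print("   ", ioc)
    print("process tree:", process_tree(EVENTS))
```

Feeding real telemetry (Sysmon event IDs 11, 13, 12 and 8, or ETW registry/file providers) into the same functions only requires mapping those records to the assumed field names; the regexes are deliberately anchored on the path fragments that do not change between user profiles or SIDs.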
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 4.1MB
MD5 b1389e5bde605c880ab56c787e32553c
SHA1 b4efd8fd520fcf45578a42fa5628367adb188c7c
SHA256 dcbbb7e63a04d41a68f628674663072deaed1ad41a39572abc66ccfa5a5766c2
SHA512 8ce855795b2596398d3a9e372e957fd307443014d6deaefc36285255401a3a6d7be94eddf396d8c4d21269a888cb48250823525fd206d6dae4482849bda59a29
-
Filesize 203B
MD5 f1feeac7cd711c819af751c3b9a6ccca
SHA1 daea65a669a10e57fd0d63d25b1360af40f2dc8e
SHA256 b84c4bbfe2488f41850cac7e370abf9e78499a77bab8e4057b31ae1e712093de
SHA512 23aefa7ef2ddc149beed3333df50663fb9c6b937e46406832d946b4def40ec88fd66e4f1051113696888a2760283a3e1aeabd2992bbd466f3701b7ae5378c0b7
-
Filesize 171B
MD5 50ffe84acadddf7bd0188bb54036cd4c
SHA1 8bb9a24f03bd9d890fa4e136acb7656231e01736
SHA256 01a94194725a9bdc9542f8783d009ffe014a31172189f6966d7077967067cea9
SHA512 16a34ecc0765387dea79a27c14fe54d15963d2493ac67278804265611972fbd5736034729b5c1ff3472ee4cdf32828becba0af943540f6a1165d3b1f2272a8e7
-
Filesize 4.1MB
MD5 58dad0be80378537d87f7a3bfa08389c
SHA1 83dd5a9f885286a6833c62d857873381918f413c
SHA256 dbc6425fbacbbccacfdf706f2af253c694cbec6003f8889bf065b15a16c96b77
SHA512 00cccdc249b8ac54d8eec56676283162fc7c63c8240b9d74fba4ca8250092bd6005e612db29792b323941f7266abbbf9b3ca8ba16f507ce12f5d4eba89653754
-
Filesize 478KB
MD5 c63848866215c225285289a4cb925349
SHA1 bd26bbc7d160701fcf45dee8dc11b80cd9186713
SHA256 8992a1157d52cb4f87d8ee6b7998c43073ee7110f2f281aca02c7acc65079e56
SHA512 80389b91ac41fc1310549fb5d55adc501cfa75f518c4de240687cae09dacfec5fa590fdf2657c214a5b7bd3088754692240eb4e02d879a8b7ca748c486391f74
-
Filesize 4.1MB
MD5 26134446f5b5cce2de8b1967240ec3a8
SHA1 11b7f6272f68153a441830501642c48d72dbfcbc
SHA256 17acb8dc7a669fc4d87334d6d6b0e36f52470b7412daaf591c86838a745d2070
SHA512 2a2e7dca8224a1ed9ea857cb783b6a173c0aa1ad51c4a2c4c2e5d8eab3627df7e5dbf4e6672bf1f0a4d629ec36b5ad701afe7df36b3f273aa4a028e19594aa7e