Analysis
  max time kernel: 119s
  max time network: 104s
  platform: windows10-2004_x64
  resource: win10v2004-20240802-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 20/08/2024, 11:03
Static task: static1

Behavioral task: behavioral1
  Sample: af6cf529b58b24e3ffb4fea5dccc8c50N.exe
  Resource: win7-20240705-en

Behavioral task: behavioral2
  Sample: af6cf529b58b24e3ffb4fea5dccc8c50N.exe
  Resource: win10v2004-20240802-en
General
  Target: af6cf529b58b24e3ffb4fea5dccc8c50N.exe
  Size: 3.0MB
  MD5: af6cf529b58b24e3ffb4fea5dccc8c50
  SHA1: df69c48d5927c343d2f16117057f14431a34a01c
  SHA256: d3466137e0217a6a722469f241f8b75540c9239665bf31404cc3c41fb4f989ca
  SHA512: 14db2ea9f7cab422b9eef482d260e5f3e90ad093c45c148131acc73a8100a154554b6114b74140c751fcda11edd3c1ccaf34d7629bd2704c42924c548cd37025
  SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBeB/bSqz8b6LNX:sxX7QnxrloE5dpUp1bVz8eLF
Malware Config
Signatures
Credentials from Password Stores: Credentials from Web Browsers (1 TTPs)
  Malicious Access or copy of Web Browser Credential store.

Drops startup file (1 IoCs)
  description   ioc                                                                                   Process
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe  af6cf529b58b24e3ffb4fea5dccc8c50N.exe

Executes dropped EXE (2 IoCs)
  pid   Process
  2900  ecdevbod.exe
  2708  devbodec.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                                                                       Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ2X\\dobxsys.exe"     af6cf529b58b24e3ffb4fea5dccc8c50N.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotJ0\\devbodec.exe"  af6cf529b58b24e3ffb4fea5dccc8c50N.exe
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  af6cf529b58b24e3ffb4fea5dccc8c50N.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ecdevbod.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  devbodec.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process                                 entries
  2636  af6cf529b58b24e3ffb4fea5dccc8c50N.exe   4
  2900  ecdevbod.exe                            30
  2708  devbodec.exe                            30
  (identical rows collapsed; 64 entries in total)

Suspicious use of WriteProcessMemory (6 IoCs)
  description                       pid   Process                                 procid_target
  PID 2636 wrote to memory of 2900  2636  af6cf529b58b24e3ffb4fea5dccc8c50N.exe   91
  PID 2636 wrote to memory of 2900  2636  af6cf529b58b24e3ffb4fea5dccc8c50N.exe   91
  PID 2636 wrote to memory of 2900  2636  af6cf529b58b24e3ffb4fea5dccc8c50N.exe   91
  PID 2636 wrote to memory of 2708  2636  af6cf529b58b24e3ffb4fea5dccc8c50N.exe   93
  PID 2636 wrote to memory of 2708  2636  af6cf529b58b24e3ffb4fea5dccc8c50N.exe   93
  PID 2636 wrote to memory of 2708  2636  af6cf529b58b24e3ffb4fea5dccc8c50N.exe   93
Processes
  C:\Users\Admin\AppData\Local\Temp\af6cf529b58b24e3ffb4fea5dccc8c50N.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\af6cf529b58b24e3ffb4fea5dccc8c50N.exe"
  PID: 2636
    - Drops startup file
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe (child of PID 2636)
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
    PID: 2900
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

    C:\UserDotJ0\devbodec.exe (child of PID 2636)
    command line: C:\UserDotJ0\devbodec.exe
    PID: 2708
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads