Analysis

  • max time kernel
    119s
  • max time network
    104s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64
    arch:x86
    image:win10v2004-20240802-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    20/08/2024, 11:03

General

  • Target

    af6cf529b58b24e3ffb4fea5dccc8c50N.exe

  • Size

    3.0MB

  • MD5

    af6cf529b58b24e3ffb4fea5dccc8c50

  • SHA1

    df69c48d5927c343d2f16117057f14431a34a01c

  • SHA256

    d3466137e0217a6a722469f241f8b75540c9239665bf31404cc3c41fb4f989ca

  • SHA512

    14db2ea9f7cab422b9eef482d260e5f3e90ad093c45c148131acc73a8100a154554b6114b74140c751fcda11edd3c1ccaf34d7629bd2704c42924c548cd37025

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBeB/bSqz8b6LNX:sxX7QnxrloE5dpUp1bVz8eLF

Malware Config

Signatures

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, the web browser credential store.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\af6cf529b58b24e3ffb4fea5dccc8c50N.exe
    "C:\Users\Admin\AppData\Local\Temp\af6cf529b58b24e3ffb4fea5dccc8c50N.exe"
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2636
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2900
    • C:\UserDotJ0\devbodec.exe
      C:\UserDotJ0\devbodec.exe
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2708

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\LabZ2X\dobxsys.exe

    Filesize

    712KB

    MD5

    f2cf19231c05701b63f91e4d59326c25

    SHA1

    270c933bbc8c79018f07650389641b98b61f84af

    SHA256

    3612122bdb571d1da4daabfe35eb6200d1ec7a37058955d7a8a368256c16ff9a

    SHA512

    5f1de4f1048efcc70644a12d980acc024865774660d0491a3d469cee8ff731160d3401db0a2040ffd38d421bdb86cb697627dcd7c377a870a1c55776e2bbcdf7

  • C:\LabZ2X\dobxsys.exe

    Filesize

    3.0MB

    MD5

    7a637b2905bffc3183f8df138b64afb7

    SHA1

    8df01e42d9c4b5c500edc6c999b4fec02ffc39ad

    SHA256

    eeb22202e91e289d63f26971abccdcac45c47b413a2d42cbffcdfd2915bd6e9a

    SHA512

    0bff087901c0390ee1967ac6a2fd626221acc61353b35b64743e36c237910fa9b06fd44bc3887271010bb506bc5dd130c8b3db92ce54529745d1fb16f98cc041

  • C:\UserDotJ0\devbodec.exe

    Filesize

    1.6MB

    MD5

    fb8cb713170f82d1ba0d178d058ae9f7

    SHA1

    5fe00c71eacbea18965daf87ed31ceb5175e70fc

    SHA256

    e8e6831070ece8d53127127370449420aeda45f3a16d1b3dbf0c2a991f4541b7

    SHA512

    85c9ede97275f440989239f2c2f84015b56150660c63f65dd4a4438bd5b602c31831df66746485d0fcb79951a405498861f63f4627155f852dd4866bd26c4cf1

  • C:\UserDotJ0\devbodec.exe

    Filesize

    3.0MB

    MD5

    f48af59fc74f1e8b1cc9de5a135c6841

    SHA1

    f73ccfa2d2cb727bfc408b28f3f1e43e4e084adf

    SHA256

    5c4b6618f3c0408c12b2e122a0a3daefdef73bd74e69a61927c621644bbf2450

    SHA512

    0f358678d4f826bda9cacce8bb806095e7857f50ece311d84c1d87ec5fda9bf15db170414fb295d18cb6e1070ac2be45c0e9b84d8c2ef75482354652b9976a33

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    204B

    MD5

    5b170c3cc4c976b852d4ea8252ba9324

    SHA1

    c55763f961348a024398ac932e1ab63a7814d43e

    SHA256

    7fc890d14638de9e416af19fbc5d8c95db2082d8fcd6649e58e8e44bbd92f8d5

    SHA512

    c8009253bd6a94436f27fc3d05ca5399e9cf06ae08af1ea8f249b87bb4f43275de4bfb2a8f4190ed35d3aabbafd68213920c19db651303db0c8837b5525cc03e

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    172B

    MD5

    a860ccc81d469d9e49dff53af30b91b6

    SHA1

    99ffc4d680f2475b8e011233e57c82ba1457aa22

    SHA256

    1867235cfa6de059490531b8cf3439d4af02cfa2a5576fe25bb8b945aa8b7877

    SHA512

    edde4d26d0d1eb3a4b5313e912beff28d2374b10575dc6dd8af1d79f7f0c1da540ad1a05ef39b828a553b538027cea155c419457e7b217b42e67456075f3ab74

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe

    Filesize

    3.0MB

    MD5

    97db302f06eda310f4bbc75d2d0aae7e

    SHA1

    b2a0d2541e198aabc7f3d9b633e12b340012585b

    SHA256

    f7dd405da97dfb8e6f400227fbb5669b4dabd939268fce5798db101972f5c20f

    SHA512

    9289e1b8c3260c60346d3c67af98b93a2d21f0684c89f738605922c046d6003104f943e10c232bd24b320f8300441dcaa87ace9a496e68c66254a10998ada4dd