Analysis
- max time kernel: 119s
- max time network: 124s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21/08/2024, 14:04
Static task: static1
Behavioral task: behavioral1
- Sample: b22d746c3f1a3d9dac251f7e782a1580N.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: b22d746c3f1a3d9dac251f7e782a1580N.exe
- Resource: win10v2004-20240802-en
General
- Target: b22d746c3f1a3d9dac251f7e782a1580N.exe
- Size: 2.6MB
- MD5: b22d746c3f1a3d9dac251f7e782a1580
- SHA1: 3f367ea3cc2edec81797d822920dd4009248c613
- SHA256: 815fa8ccb51eb9a32a7ce6ba039fc8bf933f688ce52bf69d69bfa434c4a00e9f
- SHA512: cc7819cc7410db397956a3f5f6fbadafedd11f7a64ee12ac0014310fd0e80e1749de724ff3261dc7c715bd9680e198f9489a4b35b0bb27c0748113658ee8ad0f
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB1B/bS:sxX7QnxrloE5dpUpub
Malware Config
Signatures
- Credentials from Password Stores: Credentials from Web Browsers (1 TTPs)
  Malicious access to, or copy of, the web browser credential store.
- Drops startup file (1 IoCs)
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
  Process: b22d746c3f1a3d9dac251f7e782a1580N.exe
- Executes dropped EXE (2 IoCs)
  pid 1700: locdevopti.exe
  pid 4132: devdobsys.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesYE\\devdobsys.exe" (Process: b22d746c3f1a3d9dac251f7e782a1580N.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZMN\\bodasys.exe" (Process: b22d746c3f1a3d9dac251f7e782a1580N.exe)
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: b22d746c3f1a3d9dac251f7e782a1580N.exe)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: locdevopti.exe)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: devdobsys.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 4984: b22d746c3f1a3d9dac251f7e782a1580N.exe (4 entries)
  pid 1700: locdevopti.exe (30 entries, alternating in pairs with pid 4132)
  pid 4132: devdobsys.exe (30 entries, alternating in pairs with pid 1700)
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 4984 (b22d746c3f1a3d9dac251f7e782a1580N.exe) wrote to memory of 1700, procid_target 90 (3 entries)
  PID 4984 (b22d746c3f1a3d9dac251f7e782a1580N.exe) wrote to memory of 4132, procid_target 91 (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\b22d746c3f1a3d9dac251f7e782a1580N.exe (PID 4984)
  command line: "C:\Users\Admin\AppData\Local\Temp\b22d746c3f1a3d9dac251f7e782a1580N.exe"
  signatures:
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  child processes:
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe (PID 1700)
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
    signatures:
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\FilesYE\devdobsys.exe (PID 4132)
    command line: C:\FilesYE\devdobsys.exe
    signatures:
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads