Analysis

  • max time kernel
    150s
  • max time network
    136s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24/08/2024, 21:57

General

  • Target

    4570eff0d1d92560081b7314ab36a8103e975a5b09b671c03045711fe71b7e92.exe

  • Size

    2.6MB

  • MD5

    4f9e62b641b82463c2d09941131abb83

  • SHA1

    d7c1a9c10178bbdededb32e5d92cebdc3a5e6acc

  • SHA256

    4570eff0d1d92560081b7314ab36a8103e975a5b09b671c03045711fe71b7e92

  • SHA512

    e2468c8a336003e7121545196a144096190c69f39fa15af0abd62a592666db1522522053f9401e4657e4132d302aab365938ef7024148606f91cc5e06d76689a

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBhB/bS:sxX7QnxrloE5dpUpWb

Malware Config

Signatures

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser credential store.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4570eff0d1d92560081b7314ab36a8103e975a5b09b671c03045711fe71b7e92.exe
    "C:\Users\Admin\AppData\Local\Temp\4570eff0d1d92560081b7314ab36a8103e975a5b09b671c03045711fe71b7e92.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3076
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3436
    • C:\Files54\abodsys.exe
      C:\Files54\abodsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1644

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Files54\abodsys.exe

    Filesize

    2.6MB

    MD5

    c322f1f200e74465c40b6a1cc58eb732

    SHA1

    04e178021c14da4d2de4418cb50099508e58c9c6

    SHA256

    0468c85d7066c54cfedb342784c352875e378b7b42391ff0bec2fe7fa2bbf4a1

    SHA512

    6934724bfb3e32661d03cdecb0d76e71fcb05eac763fa9e0ea23a94afc6bc884a1a356f43c98f67da25d9f3b8116cab7fca68481ab4f956502da2be8a9d71669

  • C:\LabZKP\optialoc.exe

    Filesize

    1.2MB

    MD5

    ddad73d4f787cbe13851c57d7a2663ae

    SHA1

    4693ea6d94291931689c00ebd0422d1c6f9e1f53

    SHA256

    4d9ede245de0fa7ea57778c194459f5a39026345ffb54b34e00fd606214f6efc

    SHA512

    191eadff506e35b7332ae3782980437c9493164ce3db27e25b0efccef02f9af96f2ba3a96da7532245ac7a47179ae590e5240c2a06f19eec30f0235ce79aa8ab

  • C:\LabZKP\optialoc.exe

    Filesize

    19KB

    MD5

    d016b0ad254ae9664284c6bec29c5ba6

    SHA1

    7ae5e9559a1832a9fb2100c1032f300c8dc78e9e

    SHA256

    7c02f64b740ff9995b503e0f1e0c8c01d837aa4bd8585709cf0f8dfe61831374

    SHA512

    c22c1b33c86d3a40515e18681d66290f6976b7510b3d4fce432a93ed4220ed0ce1cc8d8f3ddbabfe38b8176b15e6f826172e59fc74b34f4e1ca4414306ea2430

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    201B

    MD5

    205f4f2818d82fdbff67fbdaa8922d9f

    SHA1

    0f9988c720c55399a7b7f83f80266084f0c9c115

    SHA256

    262d3b48aa79d96eca5f8508ae99161e022bf8c78b992fbee586e4ed4821ec1b

    SHA512

    37896cb9c230a6a345b389bd69f6034ede87dfdc1e230ad991dd45e5270326cdfa8c1f84819516e7836d91046233926b49d964a62a74ff0fa31f19df352f0a9a

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    169B

    MD5

    093e212c2bf33e985cb1fa9a76bdf9e2

    SHA1

    269fd9d0a7fbbe77b8015a0f7eef99a1e68b5430

    SHA256

    a48e2ed127cf169d96da0fdf3f23e2f61354fecec6b0cc5e558afd60ff3321ba

    SHA512

    d107a1753334c11b39f17b97c6ca1716767c69340faf1509e7e8f095076a22b652fa2eb62c265950d78c39e3557ab6cd9628cc624a4959b3fca14033b25ebaa7

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe

    Filesize

    2.6MB

    MD5

    27d56da6f39efbde56cff32b505bbeab

    SHA1

    c17e8338aedab12c51e66d7faed8a3a639e2ee09

    SHA256

    db09c80a7c8e3620f14d879c7489a02f6bf49b1bb0bca2a0cba71e14e346a87e

    SHA512

    60ff9f99128737d5d20fa9b27625f5cdd2f9f45cfc1cd00409134b0dff2fa51339c2d23bfa14104f014b2b0c4478e71ff65f0224ccd3b5c82e42225b7a009268