Analysis
max time kernel: 119s
max time network: 116s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24/08/2024, 22:00
Static task: static1
Behavioral task: behavioral1
Sample: 78d28f8d486d3dcbb25d5c0a1868e5b0N.exe
Resource: win7-20240708-en
Behavioral task: behavioral2
Sample: 78d28f8d486d3dcbb25d5c0a1868e5b0N.exe
Resource: win10v2004-20240802-en
General
Target: 78d28f8d486d3dcbb25d5c0a1868e5b0N.exe
Size: 3.1MB
MD5: 78d28f8d486d3dcbb25d5c0a1868e5b0
SHA1: 21190661240cc5803c32dd4c2c8bf501eb715388
SHA256: 9979764aa38f2f61c87b720efa4f0b9229d16a971aa633a777e37fe8baf41bbf
SHA512: 3b4de1a63f3e32fcc7b1644ff57113b41b6fa072bd2e17d4da0029b2bc6a13b26b58c908a23a50625f1cf7351b4ffa49377f12f1a3c9036f43b2b98f81fd5069
SSDEEP: 49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB19w4Su+LNfej:+R0pI/IQlUoMPdmpSpR4JkNfej
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | Admin(
Executes dropped EXE (2 IoCs)
pid | Process
2440 | devoptiloc.exe
4892 | Admin(
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesBM\\devoptiloc.exe" | 78d28f8d486d3dcbb25d5c0a1868e5b0N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZAL\\bodxsys.exe" | 78d28f8d486d3dcbb25d5c0a1868e5b0N.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 8 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Admin(
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ipconfig.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | NETSTAT.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 78d28f8d486d3dcbb25d5c0a1868e5b0N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | devoptiloc.exe
Gathers network information (2 TTPs, 2 IoCs)
Uses commandline utility to view network configuration.
pid | Process
4092 | ipconfig.exe
876 | NETSTAT.EXE
NTFS ADS (1 IoC)
description | ioc | Process
File created | C:\Users\Admin( <<-@-(;-95:3(5\>;?;2@(#5:0;C?(@->@�1:A(>;3>-9?(@->@A<(sysabod.exe | 78d28f8d486d3dcbb25d5c0a1868e5b0N.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 876 | NETSTAT.EXE
Suspicious use of WriteProcessMemory (21 IoCs)
description | pid | Process | procid_target
PID 1628 wrote to memory of 2440 | 1628 | 78d28f8d486d3dcbb25d5c0a1868e5b0N.exe | 89
PID 1628 wrote to memory of 2440 | 1628 | 78d28f8d486d3dcbb25d5c0a1868e5b0N.exe | 89
PID 1628 wrote to memory of 2440 | 1628 | 78d28f8d486d3dcbb25d5c0a1868e5b0N.exe | 89
PID 2440 wrote to memory of 4892 | 2440 | devoptiloc.exe | 94
PID 2440 wrote to memory of 4892 | 2440 | devoptiloc.exe | 94
PID 2440 wrote to memory of 4892 | 2440 | devoptiloc.exe | 94
PID 4892 wrote to memory of 864 | 4892 | Admin( | 109
PID 4892 wrote to memory of 864 | 4892 | Admin( | 109
PID 4892 wrote to memory of 864 | 4892 | Admin( | 109
PID 4892 wrote to memory of 4036 | 4892 | Admin( | 111
PID 4892 wrote to memory of 4036 | 4892 | Admin( | 111
PID 4892 wrote to memory of 4036 | 4892 | Admin( | 111
PID 4892 wrote to memory of 3840 | 4892 | Admin( | 113
PID 4892 wrote to memory of 3840 | 4892 | Admin( | 113
PID 4892 wrote to memory of 3840 | 4892 | Admin( | 113
PID 864 wrote to memory of 4092 | 864 | cmd.exe | 115
PID 864 wrote to memory of 4092 | 864 | cmd.exe | 115
PID 864 wrote to memory of 4092 | 864 | cmd.exe | 115
PID 4036 wrote to memory of 876 | 4036 | cmd.exe | 116
PID 4036 wrote to memory of 876 | 4036 | cmd.exe | 116
PID 4036 wrote to memory of 876 | 4036 | cmd.exe | 116
Processes
1. C:\Users\Admin\AppData\Local\Temp\78d28f8d486d3dcbb25d5c0a1868e5b0N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\78d28f8d486d3dcbb25d5c0a1868e5b0N.exe"
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - NTFS ADS
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   PID: 1628
   2. C:\FilesBM\devoptiloc.exe
      Command line: C:\FilesBM\devoptiloc.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID: 2440
      3. C:\Users\Admin(
         Command line: C:\Users\Admin(
         - Checks computer location settings
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of WriteProcessMemory
         PID: 4892
         4. C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c ipconfig > C:\Users\Admin\ipconfig.txt
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            PID: 864
            5. C:\Windows\SysWOW64\ipconfig.exe
               Command line: ipconfig
               - System Location Discovery: System Language Discovery
               - Gathers network information
               PID: 4092
         4. C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c netstat -a > C:\Users\Admin\netstat.txt
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            PID: 4036
            5. C:\Windows\SysWOW64\NETSTAT.EXE
               Command line: netstat -a
               - System Location Discovery: System Language Discovery
               - Gathers network information
               - Suspicious use of AdjustPrivilegeToken
               PID: 876
         4. C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c dir C:\*.txt /b /s >> C:\Users\Admin\grubb.list
            - System Location Discovery: System Language Discovery
            PID: 3840
MITRE ATT&CK Enterprise v15
Downloads