Analysis

  • max time kernel
    119s
  • max time network
    116s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24/08/2024, 22:00

General

  • Target

    78d28f8d486d3dcbb25d5c0a1868e5b0N.exe

  • Size

    3.1MB

  • MD5

    78d28f8d486d3dcbb25d5c0a1868e5b0

  • SHA1

    21190661240cc5803c32dd4c2c8bf501eb715388

  • SHA256

    9979764aa38f2f61c87b720efa4f0b9229d16a971aa633a777e37fe8baf41bbf

  • SHA512

    3b4de1a63f3e32fcc7b1644ff57113b41b6fa072bd2e17d4da0029b2bc6a13b26b58c908a23a50625f1cf7351b4ffa49377f12f1a3c9036f43b2b98f81fd5069

  • SSDEEP

    49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB19w4Su+LNfej:+R0pI/IQlUoMPdmpSpR4JkNfej

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Gathers network information 2 TTPs 2 IoCs

    Uses a command-line utility to view network configuration.

  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\78d28f8d486d3dcbb25d5c0a1868e5b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\78d28f8d486d3dcbb25d5c0a1868e5b0N.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1628
    • C:\FilesBM\devoptiloc.exe
      C:\FilesBM\devoptiloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2440
      • C:\Users\Admin(
        C:\Users\Admin(
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4892
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c ipconfig > C:\Users\Admin\ipconfig.txt
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:864
          • C:\Windows\SysWOW64\ipconfig.exe
            ipconfig
            5⤵
            • System Location Discovery: System Language Discovery
            • Gathers network information
            PID:4092
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c netstat -a > C:\Users\Admin\netstat.txt
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4036
          • C:\Windows\SysWOW64\NETSTAT.EXE
            netstat -a
            5⤵
            • System Location Discovery: System Language Discovery
            • Gathers network information
            • Suspicious use of AdjustPrivilegeToken
            PID:876
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c dir C:\*.txt /b /s >> C:\Users\Admin\grubb.list
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3840

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\FilesBM\devoptiloc.exe

    Filesize

    3.1MB

    MD5

    ffe0db4aa7bd4d8482f4f00ff411978d

    SHA1

    908743af229718b9d56dbd7b916bf8326b468417

    SHA256

    1ddd266a38bc843e807afc0bdc1f268bae28ff2a40d36dbb9ee7cc8c5979a714

    SHA512

    9887b2aa218137a3b177ae2dd109d4e8de2bf75535bb0ac827f83020e177afd7923726f7345b0803b5c18416d18533267d39b2cce272c40d835548b695eb8340

  • C:\LabZAL\bodxsys.exe

    Filesize

    3.1MB

    MD5

    9209b85670727f7e3ae46e2dba774d51

    SHA1

    5f703b19e0dbac405e7122821ce685d264318437

    SHA256

    aa2da74beaa0861c9d3072ab95a00d329f8f5dd20d7c4a93240d56b6f8a7847c

    SHA512

    4819c8c2d458847d61f91146324af3df0f29f9dc9ed435fdc7ef42dd633a96ecb4a0a886bb3ff747d63f4a10cd19c9525a83818076f537b3ea32bf10b8005a6a

  • C:\LabZAL\bodxsys.exe

    Filesize

    3.1MB

    MD5

    abae4afb0a28b65cdb8e92a01e518493

    SHA1

    4e8f884773879949433e6ef147d7b24c56385066

    SHA256

    07583a710ecf9e8c38dac9c37fc4cdbcc66b604102ec8c571d47c2edd300d0ff

    SHA512

    ce044b5236f8acfbb9a1e06e8127db62f762767de130d993c26feb8e73783c701393ade71c04c80390f269ca4727701beaa08d31887308c02679ec97da5108f9

  • C:\Users\Admin(

    Filesize

    3.1MB

    MD5

    1da2fca19a540853fcfc9a4ce3c4bf51

    SHA1

    b46f495cb395e659970300b76235724f2349e231

    SHA256

    4b512da841e405c9fe671ddd671d5a1699494ee718c02fe419f46be1ec198f5b

    SHA512

    6a4e5a62982efd285634fbff7af40d884adfc1b8be003d45fb79f6504bebf8e1ee4727c9960099549c04ae1e17def0d8f6a956c4c3a252fad8d30e79426743af

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    205B

    MD5

    92311f32612c1ec4162be2f16245ddd5

    SHA1

    f1e18fae6cf2e630df7efdb8b47f63e887993d10

    SHA256

    794f66a62514694ecce56ccd6e591e19da749eb11cd1aa245e94a9060d7d64ed

    SHA512

    36b49b7b1b48e5d2be2da3c2904186f1fa8ff39202f98088defbd597bc1582586f88b818a54f008c1b925a4466525fd10e26eec5bb3101b328ff3e6c0b2fc1c4

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    203B

    MD5

    c6677e67d79385534f13f7f358724bdc

    SHA1

    94283b49a8d777a2ac967b3f38c1530ba7ee39d4

    SHA256

    04605c5cd9ce3060e11de4a407b45de24f74085d2107ef3693cecbf6ab2b4e5a

    SHA512

    ca9c6c208ef60cba1fdd8eeda5fa56b6966999ad8ef1f9e6e6e12766cca00a2b9fb9fa5d394bd651fbbe63075b6664574ca18da58ec9a5240f40ea7d335ffd5b