Analysis
- max time kernel: 120s
- max time network: 104s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06/09/2024, 21:02
Tasks
- Static task: static1
- Behavioral task: behavioral1; Sample: b1440106da82fa1a98020be948cab990N.exe; Resource: win7-20240903-en
- Behavioral task: behavioral2; Sample: b1440106da82fa1a98020be948cab990N.exe; Resource: win10v2004-20240802-en
General
- Target: b1440106da82fa1a98020be948cab990N.exe
- Size: 2.6MB
- MD5: b1440106da82fa1a98020be948cab990
- SHA1: 862fd6505c7c365e2cd9285bcb50c3e08ee9d21f
- SHA256: fdf3dd27233c683d1eb40fa1e78235a9d7a47ea0042181f690d57241332ea721
- SHA512: 20d48a5b0ac20f10b113cad79972677f3a1f4b8d844b55c0c458a48e3943f65094937275ad44fb3895df9f2b7bf6edf5236acf6fcc80316210ab90a396372c49
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBNB/bS:sxX7QnxrloE5dpUpub
Malware Config
Signatures
- Credentials from Password Stores: Credentials from Web Browsers (1 TTP)
  Malicious access to, or copying of, a web browser credential store.
- Drops startup file (1 IoC)
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | b1440106da82fa1a98020be948cab990N.exe
- Executes dropped EXE (2 IoCs)
  pid | process
  1096 | locdevbod.exe
  3968 | devbodsys.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeUB\\devbodsys.exe" | b1440106da82fa1a98020be948cab990N.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidLJ\\dobxloc.exe" | b1440106da82fa1a98020be948cab990N.exe
  Both values share the misspelled name "Parametr" under the user's hive. The Run value points at devbodsys.exe, which runs during the analysis; the RunOnce target C:\VidLJ\dobxloc.exe is not among the processes recorded in this run.
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b1440106da82fa1a98020be948cab990N.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | locdevbod.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | devbodsys.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | process
  2764 | b1440106da82fa1a98020be948cab990N.exe
  1096 | locdevbod.exe
  3968 | devbodsys.exe
  The 64 entries are repeated occurrences of these three processes.
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | process | procid_target
  PID 2764 wrote to memory of 1096 | 2764 | b1440106da82fa1a98020be948cab990N.exe | 87 (3 occurrences)
  PID 2764 wrote to memory of 3968 | 2764 | b1440106da82fa1a98020be948cab990N.exe | 88 (3 occurrences)
  Both targets are direct children of 2764 in the process tree, and a few writes into a freshly created child are also produced by CreateProcess itself, so this signature alone does not establish code injection.
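As an added example that is not part of this Triage report: a PowerShell hunt that checks a Windows host for the persistence artifacts recorded above (the Run/RunOnce value "Parametr", the executable dropped into the Startup folder, and the C:\AdobeUB and C:\VidLJ targets) and verifies any file it finds against the report's SHA-256 values. The IoCs are copied from this report; the function names and the "autorun target outside Program Files or Windows" heuristic are this example's own assumptions.

```powershell
# Added hunt script (example, not part of the Triage report). IoCs are copied from
# the report; function names and the path heuristic are this example's assumptions.
# Run from an elevated PowerShell 5.1+ prompt.

$KnownValueName = 'Parametr'                      # Run/RunOnce value name the sample wrote
$KnownTargets   = @('C:\AdobeUB\devbodsys.exe',   # Run value data
                    'C:\VidLJ\dobxloc.exe')       # RunOnce value data
$StartupDrop    = 'locdevbod.exe'                 # dropped into the user's Startup folder
$KnownSha256    = @(                              # sample plus the report's dropped files
    'fdf3dd27233c683d1eb40fa1e78235a9d7a47ea0042181f690d57241332ea721',
    '5f0c2900ccc921ff761e2e13777d63c0ce575b3548f201c6410b6f9e6f3ba3ec',
    'e0a2c8af1c463fc02749e737c536de4091d91cf48701b20ff4be0e043b5060aa',
    '13bc07f8946f76e909deed0d11d460a1f5c1ccc41d29169518a8761c335c1d65',
    '19d7a5b088c981ab9c0bf03bf2b190349042b3d94cedd26ba805c05737e03e5e',
    '1943e923f662d7f6da3a4ce3bf61bebfa28afce4a9239588e3ff4707f3b4cc72',
    'd2ad3ab4b58819d420c930f586893556b9f2e1da195bed3aec6427e5cd9cddc0',
    'f2325a2ae956139486a18ee7415bccb118b513961c5b08187bc8cb703dfe7db3'
)

function Get-AutorunTarget([string]$Data) {
    # Reduce Run value data ("C:\p\x.exe" /a  or  C:\p\x.exe /a) to the executable path.
    if ($Data -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($Data.Trim() -split '\s+')[0]
}

function Get-RunKeyFindings {
    # Walk Run and RunOnce under HKLM (native and WOW64 views) and under every
    # loaded user hive, so the S-1-5-21-... hive in the report is covered
    # without hard-coding its SID.
    $roots = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion',
               'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion')
    $roots += Get-ChildItem Registry::HKEY_USERS |
              ForEach-Object { "Registry::$($_.Name)\SOFTWARE\Microsoft\Windows\CurrentVersion" }
    foreach ($root in $roots) {
        foreach ($sub in 'Run', 'RunOnce') {
            $key = "$root\$sub"
            if (-not (Test-Path $key)) { continue }
            $values = Get-ItemProperty -Path $key
            if (-not $values) { continue }
            foreach ($prop in $values.PSObject.Properties) {
                if ($prop.Name -like 'PS*') { continue }   # provider metadata (PSPath etc.), not values
                $target = Get-AutorunTarget ([string]$prop.Value)
                $reason = $null
                if ($prop.Name -eq $KnownValueName)      { $reason = "value name '$KnownValueName' matches report" }
                elseif ($KnownTargets -contains $target) { $reason = 'target path matches report' }
                elseif ($target -notmatch '^[A-Za-z]:\\(Program Files( \(x86\))?|Windows)\\') {
                    # Assumption: autoruns outside Program Files/Windows deserve a look; tune per estate.
                    $reason = 'heuristic: autorun target outside Program Files/Windows'
                }
                if ($reason) {
                    [pscustomobject]@{ Key = $key; Name = $prop.Name; Target = $target; Reason = $reason }
                }
            }
        }
    }
}

function Get-StartupFindings {
    # Executables placed directly in a Startup folder are unusual (shortcuts are the norm).
    $dirs = @("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp")
    $dirs += Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue |
             ForEach-Object { "$($_.FullName)\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" }
    foreach ($dir in $dirs) {
        if (-not (Test-Path $dir)) { continue }
        Get-ChildItem -Path $dir -File -Filter *.exe -ErrorAction SilentlyContinue | ForEach-Object {
            $reason = if ($_.Name -ieq $StartupDrop) { 'file name matches report' }
                      else { 'executable placed directly in Startup folder' }
            [pscustomobject]@{ Path = $_.FullName; Reason = $reason }
        }
    }
}

function Test-KnownHash([string]$Path) {
    # Confirm a suspect file against the report's SHA-256 set (Get-FileHash returns upper-case hex).
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return $null }
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLowerInvariant()
    [pscustomobject]@{ Path = $Path; Sha256 = $hash; KnownBad = ($KnownSha256 -contains $hash) }
}

$runHits     = @(Get-RunKeyFindings)
$startupHits = @(Get-StartupFindings)
$runHits     | Format-Table -AutoSize
$startupHits | Format-Table -AutoSize

# Hash everything the hunt surfaced plus the report's known drop locations.
$candidates = @($runHits.Target) + @($startupHits.Path) + $KnownTargets |
              Where-Object { $_ } | Sort-Object -Unique
$candidates | ForEach-Object { Test-KnownHash $_ } | Where-Object { $_ } | Format-Table -AutoSize
```

Only hives currently loaded under HKEY_USERS are walked, so profiles that are not logged in need their NTUSER.DAT loaded first (reg load), and a file that has since been modified or replaced will not match the report's hashes even though the autorun entry still does.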
Processes
- C:\Users\Admin\AppData\Local\Temp\b1440106da82fa1a98020be948cab990N.exe (PID 2764)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b1440106da82fa1a98020be948cab990N.exe"
  Signatures: Drops startup file; Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe (PID 1096, child of 2764)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses
  - C:\AdobeUB\devbodsys.exe (PID 3968, child of 2764)
    Command line: C:\AdobeUB\devbodsys.exe
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 82KB
  MD5: 661187bf6b204d76c0b8bda56e9db3c0
  SHA1: 57828b5a62b6b425585bc0b71078f8553511c8ba
  SHA256: 5f0c2900ccc921ff761e2e13777d63c0ce575b3548f201c6410b6f9e6f3ba3ec
  SHA512: 14f1b07fa7ccfe0b3f6b9362b209fd577a5ab43ce4ce3cdc9df94fa44ecded8c5881ae9a44a0878b34992e8c5e7fd3e74d80de7a98a6e756751da2cf670a44b8
- Filesize: 2.6MB
  MD5: f6a4c19c226c4816d64c02f8590254ff
  SHA1: 2d74fc05ea17ca769aa419b6b64c92b8a3c959b1
  SHA256: e0a2c8af1c463fc02749e737c536de4091d91cf48701b20ff4be0e043b5060aa
  SHA512: 7dbb2259b0392166c9ad173fddf56e95772fccb4c932d9fd0a464796e0b455aa63e8fb9d0b25bf3fe3f9605e2c50a406cfaa3a2dec619c53ab5e3e745c16fd2e
- Filesize: 203B
  MD5: d296d41d8ff7a135895d19c8abfedd97
  SHA1: f48df39fddf8e712c84ad53731be13965d725750
  SHA256: 13bc07f8946f76e909deed0d11d460a1f5c1ccc41d29169518a8761c335c1d65
  SHA512: 578d3c92d0f89f866ad599645c6c119acebe186f69eaf01e70a7dd7e4631a27b73714122d8d8d077d0a04dd10945165265063d9afed547f18c2b096af3b57ffe
- Filesize: 171B
  MD5: 10436f587aa039fdd728a6684e8fcd58
  SHA1: bbe12ef2c99d34d6e7c17fc97addf822fd3683b4
  SHA256: 19d7a5b088c981ab9c0bf03bf2b190349042b3d94cedd26ba805c05737e03e5e
  SHA512: e4431d61e84de7e62d7ec5b2dac6797e03f342066862036cdf6be742025d2007717082b19b1ac250356f7fc76c4e620c86aab357d365e5621ae5bd7480a40887
- Filesize: 2.6MB
  MD5: 36019264ad4cdcccbd8c4747db30afb2
  SHA1: deacb3452c688f479866002e91b13e5898a6c1f2
  SHA256: 1943e923f662d7f6da3a4ce3bf61bebfa28afce4a9239588e3ff4707f3b4cc72
  SHA512: 4073b6984b3c922d244b3a7acd9ee3cb5baaba4017bcf91d7619eff5de4d3b49e73e511aa6477e5c557b9c338de73c5487a446667f80364d9946c3a4c0356aef
- Filesize: 274KB
  MD5: 4bd33c47cfce1680c77f17e981cac1c8
  SHA1: 3397c0cc1a6e0c8dd6668c4bb278f518f46b1aa9
  SHA256: d2ad3ab4b58819d420c930f586893556b9f2e1da195bed3aec6427e5cd9cddc0
  SHA512: e7b345176ccbc686d8920d67e046020e5baa62c31c49128274b29af3eaa8ce5981d974e05030b9bddae6ead7f09927e68400330de3d9519f89a171c27e3884ce
- Filesize: 2.6MB
  MD5: fc444da6868ae7cfd67c0d5dd570f0f7
  SHA1: 54e280636fcc268d8a35cbcc0922bd7719429ce2
  SHA256: f2325a2ae956139486a18ee7415bccb118b513961c5b08187bc8cb703dfe7db3
  SHA512: bc7f5b67b8d62efb5a8fd83839b0efa9b7b0cf44e23e71edd2a19de370db413a53369464f5981bbf0736b353f01f9e66aa4cfa392a78ca268143f45ea588fd97