Analysis

  • max time kernel: 120s
  • max time network: 104s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240802-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 06/09/2024, 21:02

General

  • Target: b1440106da82fa1a98020be948cab990N.exe
  • Size: 2.6MB
  • MD5: b1440106da82fa1a98020be948cab990
  • SHA1: 862fd6505c7c365e2cd9285bcb50c3e08ee9d21f
  • SHA256: fdf3dd27233c683d1eb40fa1e78235a9d7a47ea0042181f690d57241332ea721
  • SHA512: 20d48a5b0ac20f10b113cad79972677f3a1f4b8d844b55c0c458a48e3943f65094937275ad44fb3895df9f2b7bf6edf5236acf6fcc80316210ab90a396372c49
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBNB/bS:sxX7QnxrloE5dpUpub

Malware Config

Signatures

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, the web browser credential store.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b1440106da82fa1a98020be948cab990N.exe
    "C:\Users\Admin\AppData\Local\Temp\b1440106da82fa1a98020be948cab990N.exe"
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2764
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1096
    • C:\AdobeUB\devbodsys.exe
      C:\AdobeUB\devbodsys.exe
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3968

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\AdobeUB\devbodsys.exe
    Filesize: 82KB
    MD5: 661187bf6b204d76c0b8bda56e9db3c0
    SHA1: 57828b5a62b6b425585bc0b71078f8553511c8ba
    SHA256: 5f0c2900ccc921ff761e2e13777d63c0ce575b3548f201c6410b6f9e6f3ba3ec
    SHA512: 14f1b07fa7ccfe0b3f6b9362b209fd577a5ab43ce4ce3cdc9df94fa44ecded8c5881ae9a44a0878b34992e8c5e7fd3e74d80de7a98a6e756751da2cf670a44b8

  • C:\AdobeUB\devbodsys.exe
    Filesize: 2.6MB
    MD5: f6a4c19c226c4816d64c02f8590254ff
    SHA1: 2d74fc05ea17ca769aa419b6b64c92b8a3c959b1
    SHA256: e0a2c8af1c463fc02749e737c536de4091d91cf48701b20ff4be0e043b5060aa
    SHA512: 7dbb2259b0392166c9ad173fddf56e95772fccb4c932d9fd0a464796e0b455aa63e8fb9d0b25bf3fe3f9605e2c50a406cfaa3a2dec619c53ab5e3e745c16fd2e

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 203B
    MD5: d296d41d8ff7a135895d19c8abfedd97
    SHA1: f48df39fddf8e712c84ad53731be13965d725750
    SHA256: 13bc07f8946f76e909deed0d11d460a1f5c1ccc41d29169518a8761c335c1d65
    SHA512: 578d3c92d0f89f866ad599645c6c119acebe186f69eaf01e70a7dd7e4631a27b73714122d8d8d077d0a04dd10945165265063d9afed547f18c2b096af3b57ffe

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 171B
    MD5: 10436f587aa039fdd728a6684e8fcd58
    SHA1: bbe12ef2c99d34d6e7c17fc97addf822fd3683b4
    SHA256: 19d7a5b088c981ab9c0bf03bf2b190349042b3d94cedd26ba805c05737e03e5e
    SHA512: e4431d61e84de7e62d7ec5b2dac6797e03f342066862036cdf6be742025d2007717082b19b1ac250356f7fc76c4e620c86aab357d365e5621ae5bd7480a40887

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
    Filesize: 2.6MB
    MD5: 36019264ad4cdcccbd8c4747db30afb2
    SHA1: deacb3452c688f479866002e91b13e5898a6c1f2
    SHA256: 1943e923f662d7f6da3a4ce3bf61bebfa28afce4a9239588e3ff4707f3b4cc72
    SHA512: 4073b6984b3c922d244b3a7acd9ee3cb5baaba4017bcf91d7619eff5de4d3b49e73e511aa6477e5c557b9c338de73c5487a446667f80364d9946c3a4c0356aef

  • C:\VidLJ\dobxloc.exe
    Filesize: 274KB
    MD5: 4bd33c47cfce1680c77f17e981cac1c8
    SHA1: 3397c0cc1a6e0c8dd6668c4bb278f518f46b1aa9
    SHA256: d2ad3ab4b58819d420c930f586893556b9f2e1da195bed3aec6427e5cd9cddc0
    SHA512: e7b345176ccbc686d8920d67e046020e5baa62c31c49128274b29af3eaa8ce5981d974e05030b9bddae6ead7f09927e68400330de3d9519f89a171c27e3884ce

  • C:\VidLJ\dobxloc.exe
    Filesize: 2.6MB
    MD5: fc444da6868ae7cfd67c0d5dd570f0f7
    SHA1: 54e280636fcc268d8a35cbcc0922bd7719429ce2
    SHA256: f2325a2ae956139486a18ee7415bccb118b513961c5b08187bc8cb703dfe7db3
    SHA512: bc7f5b67b8d62efb5a8fd83839b0efa9b7b0cf44e23e71edd2a19de370db413a53369464f5981bbf0736b353f01f9e66aa4cfa392a78ca268143f45ea588fd97