Analysis
- max time kernel: 150s
- max time network: 144s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07/09/2024, 22:05
Static task
- static1
Behavioral tasks
- behavioral1: sample 5d52154b0c1bbd07ee65c7dd6b155242d3e3f73f375d55e8d27f43e1ca921d42.exe, resource win7-20240903-en
- behavioral2: sample 5d52154b0c1bbd07ee65c7dd6b155242d3e3f73f375d55e8d27f43e1ca921d42.exe, resource win10v2004-20240802-en (the Windows 10 run whose platform and resource are given in the Analysis block above; the signatures and process tree below belong to it)
General
- Target: 5d52154b0c1bbd07ee65c7dd6b155242d3e3f73f375d55e8d27f43e1ca921d42.exe
- Size: 2.6MB
- MD5: cb8ad88571316a7c5db8c8bced8165cb
- SHA1: cbb62a447ee5ab176cd4799cee7b8903baece1ce
- SHA256: 5d52154b0c1bbd07ee65c7dd6b155242d3e3f73f375d55e8d27f43e1ca921d42
- SHA512: 01ed3e177689a611691db1cc9d6c3a57bc5fc108865f1e99720a37c99f6418901d497bb239fb5aa1cd971e8abf4b8d203d65756a114e7689fbbcf434fe90a7e5
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB4B/bS:sxX7QnxrloE5dpUp7b
Malware Config
Signatures
- Credentials from Password Stores: Credentials from Web Browsers (1 TTP, ATT&CK T1555.003)
  Malicious access to, or copying of, a web browser credential store. No IoC rows accompany this signature in the report, so it is a heuristic tag rather than a logged file or registry access.
- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe, by 5d52154b0c1bbd07ee65c7dd6b155242d3e3f73f375d55e8d27f43e1ca921d42.exe
- Executes dropped EXE (2 IoCs)
  PID 1004: sysdevbod.exe
  PID 1532: devbodsys.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials. As with the credential-store signature above, no IoC rows are listed for this run.
- Adds Run key to start application (2 TTPs, 2 IoCs, ATT&CK T1547.001)
  Set value (str): \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvRS\\devbodsys.exe", by 5d52154b0c1bbd07ee65c7dd6b155242d3e3f73f375d55e8d27f43e1ca921d42.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid8T\\optixloc.exe", by 5d52154b0c1bbd07ee65c7dd6b155242d3e3f73f375d55e8d27f43e1ca921d42.exe
  Both entries use the same misspelled value name, Parametr. The Run target devbodsys.exe is executed in this run (PID 1532); the RunOnce target C:\Vid8T\optixloc.exe does not appear in the process tree, so its behaviour is not covered by this report.
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs, ATT&CK T1614.001)
  Attempts to gather information about the system language of the victim in order to infer the host's geographical location.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, once each by devbodsys.exe, by 5d52154b0c1bbd07ee65c7dd6b155242d3e3f73f375d55e8d27f43e1ca921d42.exe and by sysdevbod.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  The report lists the same three processes repeatedly: PID 2848 (the sample) 4 times, PID 1004 (sysdevbod.exe) 30 times and PID 1532 (devbodsys.exe) 30 times, i.e. both dropped executables keep enumerating running processes for the whole run.
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 2848 (5d52154b0c1bbd07ee65c7dd6b155242d3e3f73f375d55e8d27f43e1ca921d42.exe) wrote to the memory of PID 1004 three times (procid_target 94) and to the memory of PID 1532 three times (procid_target 95). Both targets are the sample's own child processes, not pre-existing ones; without the write addresses and sizes, which the report does not show, these rows are consistent with ordinary child-process start-up as much as with code injection.
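As an added example (not tria.ge output, and not code from whoever wrote the sample), the following Python turns the persistence and execution indicators from the signature rows above into a small hunting check over Sysmon-style process-create (EventID 1), file-create (EventID 11) and registry-set (EventID 13) events. The event records are constructed to reproduce the chain in this report plus two benign decoys; the field names follow Sysmon's schema, but none of the records comes from the page, and the dataclass, function names and rule strings are this example's own.

```python
"""Hunt for the persistence chain described in the report's signature rows.

Added example, not tria.ge output. Events are constructed Sysmon-style dicts
(EventID 1 = process create, 11 = file create, 13 = registry value set).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Indicators copied from the report's signature rows.
SAMPLE_SHA256 = "5d52154b0c1bbd07ee65c7dd6b155242d3e3f73f375d55e8d27f43e1ca921d42"
STARTUP_DIR = "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\"
RUN_VALUE_NAME = "Parametr"  # same misspelled value name for Run and RunOnce
DROPPED_PATHS = {
    "C:\\SysDrvRS\\devbodsys.exe",  # Run target, executed as PID 1532
    "C:\\Vid8T\\optixloc.exe",      # RunOnce target, never seen running in the report
}
RUN_KEY_RE = re.compile(
    r"\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\(?P<key>Run|RunOnce)\\(?P<name>[^\\]+)$",
    re.IGNORECASE,
)


@dataclass
class Finding:
    rule: str
    pid: int
    detail: str


def check_event(ev: dict, flagged_pids: set[int]) -> list[Finding]:
    """Evaluate one event against the report's indicators."""
    pid = ev.get("ProcessId", 0)
    out: list[Finding] = []
    eid = ev.get("EventID")
    if eid == 1:  # process create
        image = ev.get("Image", "")
        if SAMPLE_SHA256 in ev.get("Hashes", "").lower():
            out.append(Finding("known sample executed", pid, image))
        if STARTUP_DIR.lower() in image.lower() or image in DROPPED_PATHS:
            out.append(Finding("dropped EXE executed", pid, image))
        if ev.get("ParentProcessId") in flagged_pids:
            out.append(Finding("child of flagged process", pid, image))
    elif eid == 11:  # file create
        target = ev.get("TargetFilename", "")
        if STARTUP_DIR.lower() in target.lower() and target.lower().endswith(".exe"):
            out.append(Finding("executable dropped into Startup folder", pid, target))
    elif eid == 13:  # registry value set
        m = RUN_KEY_RE.search(ev.get("TargetObject", ""))
        if m:
            # Triage prints the data with doubled backslashes; Sysmon does not. Normalise both.
            data = ev.get("Details", "").replace("\\\\", "\\").strip('"')
            if m.group("name") == RUN_VALUE_NAME or data in DROPPED_PATHS:
                out.append(Finding(f"{m.group('key')} key persistence ({m.group('name')})", pid, data))
    return out


def hunt(events: list[dict]) -> list[Finding]:
    """Run check_event over a chronologically ordered event stream.

    A process that triggers any rule is remembered so that its children are
    flagged too, which reconstructs the 2848 -> 1004 / 1532 tree from the report.
    """
    flagged: set[int] = set()
    findings: list[Finding] = []
    for ev in events:
        hits = check_event(ev, flagged)
        if hits:
            flagged.add(ev.get("ProcessId", 0))
        findings.extend(hits)
    return findings


# Constructed events reproducing the report's chain, plus two benign decoys.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 2848, "ParentProcessId": 1200,
     "Image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE_SHA256 + ".exe",
     "Hashes": "SHA256=" + SAMPLE_SHA256},
    {"EventID": 11, "ProcessId": 2848,
     "TargetFilename": "C:\\Users\\Admin\\AppData\\Roaming" + STARTUP_DIR + "sysdevbod.exe"},
    {"EventID": 13, "ProcessId": 2848,
     "TargetObject": "HKU\\S-1-5-21-2170637797-568393320-3232933035-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Parametr",
     "Details": "C:\\SysDrvRS\\devbodsys.exe"},
    {"EventID": 13, "ProcessId": 2848,
     "TargetObject": "HKU\\S-1-5-21-2170637797-568393320-3232933035-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Parametr",
     "Details": "C:\\Vid8T\\optixloc.exe"},
    {"EventID": 1, "ProcessId": 1004, "ParentProcessId": 2848,
     "Image": "C:\\Users\\Admin\\AppData\\Roaming" + STARTUP_DIR + "sysdevbod.exe", "Hashes": ""},
    {"EventID": 1, "ProcessId": 1532, "ParentProcessId": 2848,
     "Image": "C:\\SysDrvRS\\devbodsys.exe", "Hashes": ""},
    {"EventID": 13, "ProcessId": 4100,  # benign decoy: OneDrive's own Run value
     "TargetObject": "HKU\\S-1-5-21-2170637797-568393320-3232933035-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
     "Details": "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"},
    {"EventID": 1, "ProcessId": 3736, "ParentProcessId": 3700,  # benign decoy: the Edge utility process
     "Image": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "Hashes": ""},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.rule:42} pid={f.pid:<5} {f.detail}")
```

The Run/RunOnce rule matches on either the value name or the target path, so it still fires if a later build of the sample changes one of them; the OneDrive decoy shows that an ordinary Run value with a different name and target stays quiet. The msedge.exe decoy is there because the report's own process tree lists an Edge utility process at top level, and the check correctly ignores it since it is not a child of a flagged PID.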
Processes
- C:\Users\Admin\AppData\Local\Temp\5d52154b0c1bbd07ee65c7dd6b155242d3e3f73f375d55e8d27f43e1ca921d42.exe (PID 2848), command line "C:\Users\Admin\AppData\Local\Temp\5d52154b0c1bbd07ee65c7dd6b155242d3e3f73f375d55e8d27f43e1ca921d42.exe"
  Signatures: Drops startup file; Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe (PID 1004), command line "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses
  - C:\SysDrvRS\devbodsys.exe (PID 1532), command line C:\SysDrvRS\devbodsys.exe (unquoted)
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3736), command line "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4388,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=3864 /prefetch:8
  Top-level process with no signatures; it is not a child of the sample.
Network
MITRE ATT&CK Enterprise v15
Downloads
Six files are available for download. The report does not map them to file names, and none of them shares a hash with the submitted sample (SHA256 5d52154b0c1bbd07ee65c7dd6b155242d3e3f73f375d55e8d27f43e1ca921d42), so the two 2.6MB entries are not byte-identical copies of it.
- Filesize 2.6MB
  MD5 9059a2a2250d3944d4e7fcec54b2600a
  SHA1 e13298c1ad23b8e4994e5cac29857e066aba0e02
  SHA256 218e133821d66c2b425b938a3421ebde11a2e29b95951ef00f5ae09d19725d0c
  SHA512 4f3f42db141bdd98b49e7677bdd7f9828adee147ce8d22ff473f17f39a37602fa91f9de60a19217b955d8eaf594c62fca49218fedc3775ebf77becc93840ec94
- Filesize 205B
  MD5 0c5922993aa9a33066f983bb8505d048
  SHA1 5b3ef775a3153774a835197374f01c3e66788466
  SHA256 ff3eab90af51d5228e0d7278414d3828140a18ac3a9be0a478affb5f7c7ec016
  SHA512 de6f27dabe775c705f3409207e945ffa3a15ac795f713a53dd6052b73d440117b938c5e7b78364ec3ee50fa2bb44b6af5bb3c26d5ae4971b7d4301f44abd314d
- Filesize 173B
  MD5 b4d4c7c9f08655b62e74e7fb3f256cfd
  SHA1 7ba7e1881900b636b1ccee36ecb43ef7ec7b21b4
  SHA256 aa2f3e010ede160e8fefe26aabb87abaff44cd18eeb7a893faec3f19dfba26b5
  SHA512 e3cf2bf1c0737c5b3d8ae949fc68507420815315feaefb855d12312b798409982d2c90db5a90789b4c03cac2e385ea74cf2897be49e1322fca433e6f510dcaf6
- Filesize 2.6MB
  MD5 c8894fc7f5b1338aa64d9eb0ab41626b
  SHA1 57f172015e66048bc3e03cfe53455e93cc3be04e
  SHA256 166c97bddb8630809321e582528d02108a669d2c35309400ba75bf25a6bfc574
  SHA512 6867459897ff387f82d6a455dfd5fe07628c5e6fe1c580be13bf91175be95d1718d3adca209d48675467144120db98a4c6c1e4a1fbd5752c5ab2fb8dff3397d7
- Filesize 1.5MB
  MD5 2556349aef9980fe25f824b62b9c2d9f
  SHA1 594011c2f3d3b7192cc5e0960fbd9c564a9c2683
  SHA256 a961d667662114d851a4cdf6e16a5b51e9c5f4ca477b2c759ce47af1ffdb1ae9
  SHA512 3e32a099f11033da72ca033c63a0b43855fbeb00822cb11732b7b6652e81d60e851c4471cd024970c11e6fb148b824156cb59bedefe76b4652a72b4a61965785
- Filesize 1.8MB
  MD5 0fe4a7171b1b0e8b0a5cf7d713a146ec
  SHA1 05810e3892f5082a08328354c1382db68a66ed19
  SHA256 351adab79adcb22799734719c874fc29b57c240dba7d6e4b80703558e16a5f87
  SHA512 26c517fbbf2810d7a31dd9760609988e65ba7957ba7a8277c0f164e5bde58c2a2ca85821b9c9b25a0d5c659ee10377df1fbd60fb2fc9a513b40ee1247d9faf59