Analysis

  • max time kernel
    150s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/09/2024, 22:05

General

  • Target

    5d52154b0c1bbd07ee65c7dd6b155242d3e3f73f375d55e8d27f43e1ca921d42.exe

  • Size

    2.6MB

  • MD5

    cb8ad88571316a7c5db8c8bced8165cb

  • SHA1

    cbb62a447ee5ab176cd4799cee7b8903baece1ce

  • SHA256

    5d52154b0c1bbd07ee65c7dd6b155242d3e3f73f375d55e8d27f43e1ca921d42

  • SHA512

    01ed3e177689a611691db1cc9d6c3a57bc5fc108865f1e99720a37c99f6418901d497bb239fb5aa1cd971e8abf4b8d203d65756a114e7689fbbcf434fe90a7e5

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB4B/bS:sxX7QnxrloE5dpUp7b

Malware Config

Signatures

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser's credential store.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials among other sensitive data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5d52154b0c1bbd07ee65c7dd6b155242d3e3f73f375d55e8d27f43e1ca921d42.exe
    "C:\Users\Admin\AppData\Local\Temp\5d52154b0c1bbd07ee65c7dd6b155242d3e3f73f375d55e8d27f43e1ca921d42.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2848
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1004
    • C:\SysDrvRS\devbodsys.exe
      C:\SysDrvRS\devbodsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1532
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4388,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=3864 /prefetch:8
    1⤵
      PID:3736
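The process tree and signatures above describe one persistence chain: the submitted sample (PID 2848) writes a copy of itself into the user's Startup folder and another into C:\SysDrvRS, registers a Run key, and then launches both dropped binaries (PIDs 1004 and 1532). The following Python detector is an added example, not part of the Triage report or its signature engine: it replays that chain over a constructed, Sysmon-style event stream and emits an alert for each behaviour the report flags (startup-folder drop, Run-key write, execution of a file written earlier in the trace, and a dropped-file SHA256 match). The event schema, field names and the Run-key value name are assumptions made for the example; only the file paths and hashes are taken from the report.

```python
import re
from dataclasses import dataclass

# Dropped-file SHA256s copied from the report's Downloads section.
DROPPED_SHA256 = {
    "218e133821d66c2b425b938a3421ebde11a2e29b95951ef00f5ae09d19725d0c",  # C:\SysDrvRS\devbodsys.exe
    "166c97bddb8630809321e582528d02108a669d2c35309400ba75bf25a6bfc574",  # ...\Startup\sysdevbod.exe
    "a961d667662114d851a4cdf6e16a5b51e9c5f4ca477b2c759ce47af1ffdb1ae9",  # C:\Vid8T\optixloc.exe (1.5MB write)
    "351adab79adcb22799734719c874fc29b57c240dba7d6e4b80703558e16a5f87",  # C:\Vid8T\optixloc.exe (1.8MB write)
}

# Per-user Startup folder and the HKCU/HKLM Run / RunOnce keys, case-insensitive.
STARTUP_DIR = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\microsoft\\windows"
    r"\\start menu\\programs\\startup\\", re.IGNORECASE)
RUN_KEY = re.compile(
    r"^(hkcu|hklm|hkey_current_user|hkey_local_machine)\\software\\microsoft"
    r"\\windows\\currentversion\\run(once)?\\", re.IGNORECASE)


@dataclass(frozen=True)
class Alert:
    rule: str
    pid: int
    detail: str


def detect(events):
    """Replay ordered endpoint events and emit alerts mirroring the report's signatures.

    The event schema is an assumption for this example: each event is a dict with a
    'type' of file_create / reg_set / process_create plus the fields used below.
    """
    alerts = []
    written = {}  # lower-cased path -> pid that wrote it, so later execs can be tied back
    for ev in events:
        kind = ev["type"]
        if kind == "file_create":
            path = ev["path"]
            written[path.lower()] = ev["pid"]
            if STARTUP_DIR.match(path):
                alerts.append(Alert("drops_startup_file", ev["pid"], path))
            if ev.get("sha256", "").lower() in DROPPED_SHA256:
                alerts.append(Alert("known_dropped_hash", ev["pid"], path))
        elif kind == "reg_set":
            if RUN_KEY.match(ev["key"]):
                alerts.append(Alert("adds_run_key", ev["pid"], f'{ev["key"]} = {ev["data"]}'))
        elif kind == "process_create":
            image = ev["image"]
            if image.lower() in written:
                alerts.append(Alert("executes_dropped_exe", ev["pid"],
                                    f"{image} (written by pid {written[image.lower()]})"))
    return alerts


# Constructed event stream reproducing the process tree in the report. The Run-key
# value name 'devbodsys' is assumed; the report only says a Run key was added.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 2848,
     "image": r"C:\Users\Admin\AppData\Local\Temp\5d52154b0c1bbd07ee65c7dd6b155242d3e3f73f375d55e8d27f43e1ca921d42.exe"},
    {"type": "file_create", "pid": 2848,
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe",
     "sha256": "166c97bddb8630809321e582528d02108a669d2c35309400ba75bf25a6bfc574"},
    {"type": "file_create", "pid": 2848, "path": r"C:\SysDrvRS\devbodsys.exe",
     "sha256": "218e133821d66c2b425b938a3421ebde11a2e29b95951ef00f5ae09d19725d0c"},
    {"type": "reg_set", "pid": 2848,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\devbodsys",
     "data": r"C:\SysDrvRS\devbodsys.exe"},
    {"type": "process_create", "pid": 1004,
     "image": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"},
    {"type": "process_create", "pid": 1532, "image": r"C:\SysDrvRS\devbodsys.exe"},
    # Benign noise from the same trace: the Edge utility process must not alert.
    {"type": "process_create", "pid": 3736,
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"},
]


def run_sample():
    """Run the detector over the constructed trace and return the alerts."""
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for a in run_sample():
        print(f"[{a.rule}] pid={a.pid} {a.detail}")
```

Tying an execution back to the process that wrote the image (the `written` map) is what turns "Executes dropped EXE" from a file-hash lookup into a behavioural rule: the detector fires on PIDs 1004 and 1532 because 2848 wrote their images earlier in the trace, not because the binaries are already known. Hash matching is kept as a second, weaker signal, since the two writes of C:\Vid8T\optixloc.exe in the report show the same dropper producing different hashes within a single run.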

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\SysDrvRS\devbodsys.exe

      Filesize

      2.6MB

      MD5

      9059a2a2250d3944d4e7fcec54b2600a

      SHA1

      e13298c1ad23b8e4994e5cac29857e066aba0e02

      SHA256

      218e133821d66c2b425b938a3421ebde11a2e29b95951ef00f5ae09d19725d0c

      SHA512

      4f3f42db141bdd98b49e7677bdd7f9828adee147ce8d22ff473f17f39a37602fa91f9de60a19217b955d8eaf594c62fca49218fedc3775ebf77becc93840ec94

    • C:\Users\Admin\253086396416_10.0_Admin.ini

      Filesize

      205B

      MD5

      0c5922993aa9a33066f983bb8505d048

      SHA1

      5b3ef775a3153774a835197374f01c3e66788466

      SHA256

      ff3eab90af51d5228e0d7278414d3828140a18ac3a9be0a478affb5f7c7ec016

      SHA512

      de6f27dabe775c705f3409207e945ffa3a15ac795f713a53dd6052b73d440117b938c5e7b78364ec3ee50fa2bb44b6af5bb3c26d5ae4971b7d4301f44abd314d

    • C:\Users\Admin\253086396416_10.0_Admin.ini

      Filesize

      173B

      MD5

      b4d4c7c9f08655b62e74e7fb3f256cfd

      SHA1

      7ba7e1881900b636b1ccee36ecb43ef7ec7b21b4

      SHA256

      aa2f3e010ede160e8fefe26aabb87abaff44cd18eeb7a893faec3f19dfba26b5

      SHA512

      e3cf2bf1c0737c5b3d8ae949fc68507420815315feaefb855d12312b798409982d2c90db5a90789b4c03cac2e385ea74cf2897be49e1322fca433e6f510dcaf6

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe

      Filesize

      2.6MB

      MD5

      c8894fc7f5b1338aa64d9eb0ab41626b

      SHA1

      57f172015e66048bc3e03cfe53455e93cc3be04e

      SHA256

      166c97bddb8630809321e582528d02108a669d2c35309400ba75bf25a6bfc574

      SHA512

      6867459897ff387f82d6a455dfd5fe07628c5e6fe1c580be13bf91175be95d1718d3adca209d48675467144120db98a4c6c1e4a1fbd5752c5ab2fb8dff3397d7

    • C:\Vid8T\optixloc.exe

      Filesize

      1.5MB

      MD5

      2556349aef9980fe25f824b62b9c2d9f

      SHA1

      594011c2f3d3b7192cc5e0960fbd9c564a9c2683

      SHA256

      a961d667662114d851a4cdf6e16a5b51e9c5f4ca477b2c759ce47af1ffdb1ae9

      SHA512

      3e32a099f11033da72ca033c63a0b43855fbeb00822cb11732b7b6652e81d60e851c4471cd024970c11e6fb148b824156cb59bedefe76b4652a72b4a61965785

    • C:\Vid8T\optixloc.exe

      Filesize

      1.8MB

      MD5

      0fe4a7171b1b0e8b0a5cf7d713a146ec

      SHA1

      05810e3892f5082a08328354c1382db68a66ed19

      SHA256

      351adab79adcb22799734719c874fc29b57c240dba7d6e4b80703558e16a5f87

      SHA512

      26c517fbbf2810d7a31dd9760609988e65ba7957ba7a8277c0f164e5bde58c2a2ca85821b9c9b25a0d5c659ee10377df1fbd60fb2fc9a513b40ee1247d9faf59