
Analysis

  • max time kernel
    119s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/09/2024, 23:32

General

  • Target

    5b83d16ceb4c4f2370ab149a03b9fd30N.exe

  • Size

    2.6MB

  • MD5

    5b83d16ceb4c4f2370ab149a03b9fd30

  • SHA1

    cee1c2bd9cad74586ba6361056b601b64c007853

  • SHA256

    96a85e08e98db6fcb940eca6b695bd9a41bcfcdd0d620b31de4a8f35d22ae0c4

  • SHA512

    3cc10d8be306e9ff9bd000994b889b4fa1e01c3df4f3d273445501fe7e11733df5c1fc02eb4ec4f6e1e2547d5c3db143053471ddf60866b9eeaa2254cbedda0d

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBHB/bS:sxX7QnxrloE5dpUpEb

Malware Config

Signatures

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser credential store.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, such as saved credentials.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5b83d16ceb4c4f2370ab149a03b9fd30N.exe
    "C:\Users\Admin\AppData\Local\Temp\5b83d16ceb4c4f2370ab149a03b9fd30N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2156
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2268
    • C:\UserDotGV\xdobsys.exe
      C:\UserDotGV\xdobsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3048
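Hunting for this sample's persistence on a host. The process tree and signatures above show two persistence mechanisms, an EXE dropped into the per-user Startup folder (sysdevbod.exe) and a Run key, plus further copies written to C:\UserDotGV\ and C:\KaVBVQ\. The PowerShell script below is an added example, not part of the tria.ge report or of the sample; it enumerates the user and all-users Startup folders, the HKCU/HKLM Run and RunOnce keys and the two fixed drop paths seen in this report, hashes whatever they point at, and flags anything whose SHA256 matches a value listed on this page. The report does not show the Run key's value name or data, so matching is by file hash rather than by name; the host it runs on is assumed.

```powershell
# Added example: hunt a Windows host for the persistence artefacts in this report.
# Hashes and paths are copied from the report; everything else about the host is assumed.

$KnownBad = @(
    '96a85e08e98db6fcb940eca6b695bd9a41bcfcdd0d620b31de4a8f35d22ae0c4'  # submitted sample
    '73ec0c1fbf6abf1ab2524189a83e801e62b38b38ab4079426f53b9865e10c2b1'  # Startup\sysdevbod.exe
    'ca48ba24684b0ea4221ee8601f12f598401e74709076f7b7d6c2c9383dee0c65'  # C:\UserDotGV\xdobsys.exe
    '28d0cb9c5688d39c278c99f08520c52c888632f351449303a9e8bb6c6d7be5c7'  # C:\KaVBVQ\bodaloc.exe (667KB)
    '333e8f22689c53ee1e3fb93425fe71e16037e5bc39c931662af9594216e57b21'  # C:\KaVBVQ\bodaloc.exe (1.5MB)
)

# Fixed drop locations the sandbox observed (no elevation needed to create them).
$DropPaths = @('C:\UserDotGV\xdobsys.exe', 'C:\KaVBVQ\bodaloc.exe')

function Get-StartupFolderItems {
    # Anything in these folders is launched at logon for the user / all users.
    $folders = @(
        [Environment]::GetFolderPath('Startup'),
        [Environment]::GetFolderPath('CommonStartup')
    )
    foreach ($f in $folders) {
        if (-not (Test-Path -LiteralPath $f)) { continue }
        Get-ChildItem -LiteralPath $f -File -Force | ForEach-Object {
            [pscustomobject]@{ Source = 'StartupFolder'; Name = $_.Name; Path = $_.FullName }
        }
    }
}

function Get-RunKeyEntries {
    $keys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($k in $keys) {
        if (-not (Test-Path -LiteralPath $k)) { continue }
        $item = Get-ItemProperty -LiteralPath $k
        foreach ($p in $item.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }           # provider metadata, not a value
            # Extract the executable from the command line, quoted or bare.
            $cmd = [string]$p.Value
            $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split ' ')[0] }
            [pscustomobject]@{
                Source = $k
                Name   = $p.Name
                Path   = [Environment]::ExpandEnvironmentVariables($exe)
            }
        }
    }
}

function Get-DropPathItems {
    foreach ($p in $DropPaths) {
        [pscustomobject]@{ Source = 'ReportDropPath'; Name = Split-Path $p -Leaf; Path = $p }
    }
}

$candidates = @(Get-StartupFolderItems) + @(Get-RunKeyEntries) + @(Get-DropPathItems)

$results = foreach ($c in $candidates) {
    $sha = $null
    if ($c.Path -and (Test-Path -LiteralPath $c.Path -PathType Leaf)) {
        $sha = (Get-FileHash -LiteralPath $c.Path -Algorithm SHA256).Hash.ToLower()
    }
    [pscustomobject]@{
        Source   = $c.Source
        Name     = $c.Name
        Path     = $c.Path
        Exists   = [bool]$sha
        SHA256   = $sha
        KnownBad = [bool]($sha -and ($KnownBad -contains $sha))
    }
}

$results | Format-Table -AutoSize
$results | Where-Object KnownBad
```

A hit on KnownBad means a file with one of the report's hashes is present at a persistence location; an entry that exists but does not match is still worth a look, since a rebuilt or re-packed sample keeps the same paths and names while changing every hash. Run from an elevated shell to read the HKLM keys reliably.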

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\KaVBVQ\bodaloc.exe

    Filesize

    667KB

    MD5

    4bc1f5a18db684207bcd35483a87b961

    SHA1

    fce4698088a123f9fe5487f6c0243056fb8b9bea

    SHA256

    28d0cb9c5688d39c278c99f08520c52c888632f351449303a9e8bb6c6d7be5c7

    SHA512

    4603ab6429c48ebc417e948ac191f6bdd2f32c221140c67f7922b8bf18d83ee562affffe7f783d19286816e1aef0a0951424f9b1fb6c02dc11d0386cd9d04245

  • C:\KaVBVQ\bodaloc.exe

    Filesize

    1.5MB

    MD5

    6d35b83c8e00c7b1b6b66079ecb3ed3c

    SHA1

    673f4ac0a3ea69b3323c68db419e4a19f29cb9c9

    SHA256

    333e8f22689c53ee1e3fb93425fe71e16037e5bc39c931662af9594216e57b21

    SHA512

    d100537a2f26ecbd0eb6aa763ede0e024032803d0d7265c4e5803eda3c5620bcdc1a11d7772eb5ddc0af45a39f3810ea834504510c69c75fd2663fbbf5cd097b

  • C:\UserDotGV\xdobsys.exe

    Filesize

    2.6MB

    MD5

    7b15d24c6a2cd46333641e6515575c62

    SHA1

    e2e32fd59cd889af9391abe80c38b6b7a2116e7b

    SHA256

    ca48ba24684b0ea4221ee8601f12f598401e74709076f7b7d6c2c9383dee0c65

    SHA512

    320a628b5143622dba013ace4371be8e57b0013aa6ddcbaa63efdda8c40d9f45bd5136710361f6da885096a3c78eb62b1d87519a1826df11cebd647bfce68998

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    204B

    MD5

    b0b8b50401b43e4bffd89071f27fc90b

    SHA1

    fc08628d095a831b3f98125a19e03f39d891d019

    SHA256

    bf6362b7681e1c9ce5dc86c108a1d320c0adb308de836c86fd943b204b4ad66a

    SHA512

    90f3458abdf24bc847406013c102705b7c68102ae40caf41d6547a31388e177434ddb853bacc51be64c502fbb679caceb2e78cd10dea928fc63e6dfffdbfa4cb

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    172B

    MD5

    247a5e2ccb2b9b85a558fd7f485ca7cc

    SHA1

    1c66e45c566d42ae473857caab96a4ee26fa3d23

    SHA256

    5a0029392591cf4589c682370ada10d7893558845beb4fa29c56262330d7d9f3

    SHA512

    1887ee1b5af7c31561f5d2cae5a7e0721d9420956c0cd49189bb9d08f7d817029a4369d790350a61601f70317629734c4b46376d37d689a1d3cb4020f8b4853f

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe

    Filesize

    2.6MB

    MD5

    dfe36def3a0da18951b43a1e23ea8c77

    SHA1

    b8d01b4eeed0d8f5f60c9c20d3f85666ed555b16

    SHA256

    73ec0c1fbf6abf1ab2524189a83e801e62b38b38ab4079426f53b9865e10c2b1

    SHA512

    1de5d8c0e5279372bc8e0cc3cef312c17ae03ff2b4424581ce43c0cacf1c77c678e55df2986c400e41462b5214d4cdec60725d1d6e52b314259779577bde4856