Analysis
max time kernel: 119s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/09/2024, 23:32
Static task: static1
Behavioral task: behavioral1
  Sample: 5b83d16ceb4c4f2370ab149a03b9fd30N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 5b83d16ceb4c4f2370ab149a03b9fd30N.exe
  Resource: win10v2004-20240802-en
The signatures, process tree and dropped files below are from behavioral2 (the windows10-2004_x64 run named in Analysis above).
General
Target: 5b83d16ceb4c4f2370ab149a03b9fd30N.exe
Size: 2.6MB
MD5: 5b83d16ceb4c4f2370ab149a03b9fd30
SHA1: cee1c2bd9cad74586ba6361056b601b64c007853
SHA256: 96a85e08e98db6fcb940eca6b695bd9a41bcfcdd0d620b31de4a8f35d22ae0c4
SHA512: 3cc10d8be306e9ff9bd000994b889b4fa1e01c3df4f3d273445501fe7e11733df5c1fc02eb4ec4f6e1e2547d5c3db143053471ddf60866b9eeaa2254cbedda0d
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBHB/bS:sxX7QnxrloE5dpUpEb
Malware Config
Signatures
- Credentials from Password Stores: Credentials from Web Browsers (1 TTP)
  Malicious access to, or copying of, a web browser credential store. Reported at the TTP level only; no individual IoCs are listed.
- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe (process: 5b83d16ceb4c4f2370ab149a03b9fd30N.exe)
  Anything placed in the per-user Startup folder runs at the next interactive logon, so this is a second persistence path alongside the Run key below.
- Executes dropped EXE (2 IoCs)
  PID 2268: sysdevbod.exe
  PID 3048: xdobsys.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials. Reported at the TTP level only; no individual IoCs are listed.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotGV\\xdobsys.exe" (process: 5b83d16ceb4c4f2370ab149a03b9fd30N.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBVQ\\bodaloc.exe" (process: 5b83d16ceb4c4f2370ab149a03b9fd30N.exe)
  Both values share the name Parametr and both point at executables in directories located directly under C:\. The Run value's target, xdobsys.exe, is launched in this run (PID 3048); the RunOnce target, bodaloc.exe, does not appear in the process tree of this run.
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 5b83d16ceb4c4f2370ab149a03b9fd30N.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: sysdevbod.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: xdobsys.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  The 64 entries are repeated PID/process pairs: PID 2156 (5b83d16ceb4c4f2370ab149a03b9fd30N.exe) four times, then PID 2268 (sysdevbod.exe) and PID 3048 (xdobsys.exe) alternating in pairs for the remaining 60 entries.
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 2156 (5b83d16ceb4c4f2370ab149a03b9fd30N.exe) wrote to memory of PID 2268, procid_target 86 (3 entries)
  PID 2156 (5b83d16ceb4c4f2370ab149a03b9fd30N.exe) wrote to memory of PID 3048, procid_target 87 (3 entries)
  Both targets are children that PID 2156 itself spawns (see Processes), so these writes are consistent with ordinary child-process creation and are not, on their own, evidence of injection into an unrelated process.
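Added example, not part of the tria.ge report and not the sample's own code: detection logic for the two persistence signatures above (Startup-folder drop and Run/RunOnce value), run over constructed Sysmon-style events. The records mimic Sysmon Event ID 11 (FileCreate) and Event ID 13 (RegistryEvent, value set) after JSON export and use Sysmon's field names (Image, TargetFilename, TargetObject, Details), but they are made up for this example; the registry paths are written in the HKU\ form Sysmon emits rather than the \REGISTRY\USER\ form shown in the report, and Details carries single backslashes because the report's double backslashes are display escaping. The Parametr value name and the dropped file names are copied from the report and flagged as sample-specific; the pattern-based rules are the ones worth keeping. Sysmon does not log registry key opens (only key create/delete, value set, and rename), so the NLS\Language read behind the language-discovery signature is deliberately not covered.

```python
"""Detection logic for the persistence IoCs in this report, over constructed
Sysmon-style events. Added example; field names follow Sysmon, records are made up.
"""
import re
from dataclasses import dataclass

# Strings copied from the report. They identify THIS sample only, so hits on them
# are flagged sample_specific=True; the regex rules below are the durable ones.
REPORT_RUN_VALUE_NAME = "Parametr"
REPORT_DROPPED_NAMES = {"sysdevbod.exe", "xdobsys.exe", "bodaloc.exe"}

# Executable written into the per-user Startup folder.
STARTUP_DIR_RE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$",
    re.IGNORECASE)
# Value set under HKCU/HKU ...\CurrentVersion\Run or RunOnce; group 2 is the value name.
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\([^\\]+)$", re.IGNORECASE)
# Run target living in a directory directly under the drive root (C:\Something\x.exe),
# which is where this sample places xdobsys.exe and bodaloc.exe.
ROOT_DIR_EXE_RE = re.compile(r'^"?[A-Za-z]:\\[^\\]+\\[^\\]+\.exe"?$')


@dataclass(frozen=True)
class Finding:
    rule: str
    image: str             # process that produced the event
    detail: str
    sample_specific: bool  # True when the hit depends on strings unique to this sample


def check_event(ev: dict) -> list:
    """Return the findings for one Sysmon-style event dict (empty list if benign)."""
    found = []
    image = ev.get("Image", "")
    if ev.get("EventID") == 11:
        target = ev.get("TargetFilename", "")
        if STARTUP_DIR_RE.search(target):
            found.append(Finding("startup_folder_exe_drop", image, target, False))
        if target.rsplit("\\", 1)[-1].lower() in REPORT_DROPPED_NAMES:
            found.append(Finding("known_dropped_filename", image, target, True))
    elif ev.get("EventID") == 13:
        m = RUN_KEY_RE.search(ev.get("TargetObject", ""))
        if m:
            key, name = m.group(1), m.group(2)
            details = ev.get("Details", "")
            if ROOT_DIR_EXE_RE.match(details):
                found.append(Finding("%s_value_targets_root_dir" % key.lower(),
                                     image, "%s = %s" % (name, details), False))
            if name == REPORT_RUN_VALUE_NAME:
                found.append(Finding("known_run_value_name", image,
                                     "%s\\%s" % (key, name), True))
    return found


def scan(events) -> list:
    """Run check_event over an iterable of events and flatten the findings."""
    return [f for ev in events for f in check_event(ev)]


# Constructed events modelled on the report's IoCs (not a real Sysmon capture).
SAMPLE_IMAGE = r"C:\Users\Admin\AppData\Local\Temp\5b83d16ceb4c4f2370ab149a03b9fd30N.exe"
USER_HIVE = r"HKU\S-1-5-21-1302416131-1437503476-2806442725-1000"
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": SAMPLE_IMAGE,
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"},
    {"EventID": 13, "Image": SAMPLE_IMAGE,
     "TargetObject": USER_HIVE + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr",
     "Details": r"C:\UserDotGV\xdobsys.exe"},
    {"EventID": 13, "Image": SAMPLE_IMAGE,
     "TargetObject": USER_HIVE + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr",
     "Details": r"C:\KaVBVQ\bodaloc.exe"},
    # Benign control: an updater registering itself from Program Files (no finding expected).
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": USER_HIVE + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdate",
     "Details": r"C:\Program Files\Vendor\update.exe"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(("[IOC]  " if f.sample_specific else "[RULE] ") + f.rule, "|", f.image, "|", f.detail)
```

The three constructed malicious events each produce one generic rule hit and one sample-specific hit, and the Program Files control produces nothing; the root-directory check is what separates them, since a Run value pointing at C:\Something\x.exe is unusual for legitimate software while Program Files and AppData targets are routine.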
Processes
- C:\Users\Admin\AppData\Local\Temp\5b83d16ceb4c4f2370ab149a03b9fd30N.exe (PID 2156)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5b83d16ceb4c4f2370ab149a03b9fd30N.exe"
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe (PID 2268, child of 2156)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\UserDotGV\xdobsys.exe (PID 3048, child of 2156)
    Command line: C:\UserDotGV\xdobsys.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
The report lists dropped files by size and hash only; it does not give their names.
- Filesize: 667KB
  MD5: 4bc1f5a18db684207bcd35483a87b961
  SHA1: fce4698088a123f9fe5487f6c0243056fb8b9bea
  SHA256: 28d0cb9c5688d39c278c99f08520c52c888632f351449303a9e8bb6c6d7be5c7
  SHA512: 4603ab6429c48ebc417e948ac191f6bdd2f32c221140c67f7922b8bf18d83ee562affffe7f783d19286816e1aef0a0951424f9b1fb6c02dc11d0386cd9d04245
- Filesize: 1.5MB
  MD5: 6d35b83c8e00c7b1b6b66079ecb3ed3c
  SHA1: 673f4ac0a3ea69b3323c68db419e4a19f29cb9c9
  SHA256: 333e8f22689c53ee1e3fb93425fe71e16037e5bc39c931662af9594216e57b21
  SHA512: d100537a2f26ecbd0eb6aa763ede0e024032803d0d7265c4e5803eda3c5620bcdc1a11d7772eb5ddc0af45a39f3810ea834504510c69c75fd2663fbbf5cd097b
- Filesize: 2.6MB
  MD5: 7b15d24c6a2cd46333641e6515575c62
  SHA1: e2e32fd59cd889af9391abe80c38b6b7a2116e7b
  SHA256: ca48ba24684b0ea4221ee8601f12f598401e74709076f7b7d6c2c9383dee0c65
  SHA512: 320a628b5143622dba013ace4371be8e57b0013aa6ddcbaa63efdda8c40d9f45bd5136710361f6da885096a3c78eb62b1d87519a1826df11cebd647bfce68998
- Filesize: 204B
  MD5: b0b8b50401b43e4bffd89071f27fc90b
  SHA1: fc08628d095a831b3f98125a19e03f39d891d019
  SHA256: bf6362b7681e1c9ce5dc86c108a1d320c0adb308de836c86fd943b204b4ad66a
  SHA512: 90f3458abdf24bc847406013c102705b7c68102ae40caf41d6547a31388e177434ddb853bacc51be64c502fbb679caceb2e78cd10dea928fc63e6dfffdbfa4cb
- Filesize: 172B
  MD5: 247a5e2ccb2b9b85a558fd7f485ca7cc
  SHA1: 1c66e45c566d42ae473857caab96a4ee26fa3d23
  SHA256: 5a0029392591cf4589c682370ada10d7893558845beb4fa29c56262330d7d9f3
  SHA512: 1887ee1b5af7c31561f5d2cae5a7e0721d9420956c0cd49189bb9d08f7d817029a4369d790350a61601f70317629734c4b46376d37d689a1d3cb4020f8b4853f
- Filesize: 2.6MB
  MD5: dfe36def3a0da18951b43a1e23ea8c77
  SHA1: b8d01b4eeed0d8f5f60c9c20d3f85666ed555b16
  SHA256: 73ec0c1fbf6abf1ab2524189a83e801e62b38b38ab4079426f53b9865e10c2b1
  SHA512: 1de5d8c0e5279372bc8e0cc3cef312c17ae03ff2b4424581ce43c0cacf1c77c678e55df2986c400e41462b5214d4cdec60725d1d6e52b314259779577bde4856