Analysis

  • max time kernel
    119s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/09/2024, 11:09

General

  • Target

    fdc3b4f2b1652a2c42bddbc6e4bee990N.exe

  • Size

    2.6MB

  • MD5

    fdc3b4f2b1652a2c42bddbc6e4bee990

  • SHA1

    62d4e19aa1b8384f1eaa7bdeb7fe42e3be5e15ec

  • SHA256

    aa4562b293c9126d076d83723b89798e695f9423a4eeba10d4c90a92020c9542

  • SHA512

    be2cd7d53fb09ab9e8ae34584329efdcb986822559e54ac8433e8ddcb1eb5498cafae6d87c8e7be3f50b79db367bfbb0981cfbc4b3d067b10e98de9b7cb77f42

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBEB/bS:sxX7QnxrloE5dpUprb

Malware Config

Signatures

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser credential store.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fdc3b4f2b1652a2c42bddbc6e4bee990N.exe
    "C:\Users\Admin\AppData\Local\Temp\fdc3b4f2b1652a2c42bddbc6e4bee990N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:552
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3572
    • C:\UserDot8W\adobec.exe
      C:\UserDot8W\adobec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4008

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Mint5J\dobaloc.exe

    Filesize

    2.6MB

    MD5

    71fa1b1b83039420ec71997b78bec375

    SHA1

    b5bd6950f3cca256218baa7aee93f3fbf4b8d175

    SHA256

    f240a7b47c88766d0be766956b40ef61275446488b88d7bda175fb55a912b3d6

    SHA512

    19d96bde8942123514268a1ab2e2013470dbe0cfc83a3851f03decc9acdbee50c60e987342c3d98d1cd4d12fdedd0f6bd185332d32de69e591e86ca5c0339495

  • C:\Mint5J\dobaloc.exe

    Filesize

    2.6MB

    MD5

    b404bbb485b34f2af8cfb5c4f6d5bdfa

    SHA1

    6774a54c4416b07237982f6e0d67b1f6ebf06ebe

    SHA256

    c7079ff426dc2df618ea6ecf341887d9ff7c1b470b872a77da90e0ab2acc4665

    SHA512

    3ce4dfdcd83f8925fe821b5b38c0dfe31d3312bf4a759d213151c289300b541bcb3b99fde7adf3876bc8da2827385cdc23ae8e7035cad4522a421f35dc17b14b

  • C:\UserDot8W\adobec.exe

    Filesize

    2.6MB

    MD5

    deb56d847fe8f0c2febb9a20286b8a2f

    SHA1

    3129ed462bd79c279012ae39fcff3c70df3c61fe

    SHA256

    a90e46b23b8b9c89ec75911577f6785e42a55440f53bfbbd9b68504e90f37d58

    SHA512

    be1551919c57a4ad20f811e4eb12603bc51fa6ce41eea03c5c323069f98e120b7cdc9a4f6ec9e2ae2a2deff2e7afa763f92cdd2f69a33eaca2c83c35b4222695

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    202B

    MD5

    358deabf49bb2c44d24769613d132286

    SHA1

    e7c6ec753248315f1a8a403e5381f71839ea9936

    SHA256

    35024aa6f4343c663af97830f4e48df1af54b59ff15cb7cc1a3bc3dc5ffb088d

    SHA512

    511c1e4170f7c890f9c7036766a5f4472be7c9b2078f654eb83a130607467391c30e473adee8cfea691a660bd62fd2cf096ecd762a82f160409f91e67d6868b3

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    170B

    MD5

    44ac20a7df9e8c1bb9bc2d98b55519d1

    SHA1

    f40216913f1f34f76b4cbf77cc308616dc4a74ba

    SHA256

    42f1f4ac1e28bde2d5f290b3b258a5eef26de5c4e08ff43a759cb4db58a85b88

    SHA512

    0e0db648f3df5f182ba3a0dfce23ccb2b313b1946638f6aaaacbdd85426895237fe4cd7722eef58e626c67b95dccf17c4369015f1ac5cdea59214f8bfd8f7b3b

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe

    Filesize

    2.6MB

    MD5

    825d5efe07f7d1cc8e439b1b22e03d30

    SHA1

    87576163ddcb6a6b3fd4f13c3fd81790f9b6e60d

    SHA256

    e0f6ded9c7245c8e23c68296e77f4fb32b36422a667d269a566c1bbd25347e9b

    SHA512

    f86d056c67771a85842c6c9c48734fadd9de33abded375f1438a512a773dd7e7fae21401b9e412a3b1498344ecc73b3f01809527f01166505b0d7cbfa192e78b
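The behaviours in the Signatures and Processes sections (an EXE dropped into the Start Menu Startup folder, a Run key added, execution of the dropped EXEs) and the hashes listed under Downloads can be turned into host telemetry matching. The following Python is an added example, not part of the Triage report or of the sample: it runs a few rules over constructed Sysmon-style event records (field names follow Sysmon Event IDs 1, 11 and 13; the Run key value name, the SID in the key path and the parent/child relationships in the sample events are assumptions, since the report does not list them) and matches process-creation hashes against the SHA256 values from this report. Because C:\Mint5J\dobaloc.exe appears twice under Downloads with different hashes, the IOC table is keyed by hash rather than by path.

```python
"""Added example: match Sysmon-style host events against the behaviours and
file hashes reported for this sample. The event records below are constructed
for illustration; they are not taken from the report."""
from collections import Counter
from dataclasses import dataclass

# SHA256 values copied from the Downloads section of this report, keyed by hash
# because C:\Mint5J\dobaloc.exe was written twice with different contents.
KNOWN_SHA256 = {
    "f240a7b47c88766d0be766956b40ef61275446488b88d7bda175fb55a912b3d6": r"C:\Mint5J\dobaloc.exe",
    "c7079ff426dc2df618ea6ecf341887d9ff7c1b470b872a77da90e0ab2acc4665": r"C:\Mint5J\dobaloc.exe",
    "a90e46b23b8b9c89ec75911577f6785e42a55440f53bfbbd9b68504e90f37d58": r"C:\UserDot8W\adobec.exe",
    "e0f6ded9c7245c8e23c68296e77f4fb32b36422a667d269a566c1bbd25347e9b":
        r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe",
}

# Lower-cased path fragments for the two persistence locations in the report.
STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\fdc3b4f2b1652a2c42bddbc6e4bee990N.exe"

# Constructed Sysmon-style events (Event ID 11 FileCreate, 13 RegistryEvent value
# set, 1 ProcessCreate) in chronological order. The Run key value name "adobec",
# the SID and the Hashes field contents are assumptions, not from the report.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": DROPPER,
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"},
    {"EventID": 11, "Image": DROPPER, "TargetFilename": r"C:\UserDot8W\adobec.exe"},
    {"EventID": 13, "Image": DROPPER,
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\adobec",
     "Details": r"C:\UserDot8W\adobec.exe"},
    {"EventID": 1, "Image": r"C:\UserDot8W\adobec.exe", "ParentImage": DROPPER,
     "Hashes": "SHA256=A90E46B23B8B9C89EC75911577F6785E42A55440F53BFBBD9B68504E90F37D58"},
    {"EventID": 1,
     "Image": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe",
     "ParentImage": DROPPER,
     "Hashes": "SHA256=E0F6DED9C7245C8E23C68296E77F4FB32B36422A667D269A566C1BBD25347E9B"},
    # Benign control event: must produce no hits.
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "Hashes": "SHA256=" + "0" * 64},
]


@dataclass(frozen=True)
class Hit:
    rule: str
    image: str    # process the hit is attributed to
    detail: str   # path, registry key or hash that triggered the rule


def parse_hashes(field_value):
    """Parse a Sysmon Hashes field ("SHA1=..,MD5=..,SHA256=..") into {ALGO: lowercase hex}.
    Sysmon emits upper-case hex; lower-casing lets either form match the IOC table."""
    out = {}
    for part in field_value.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def detect(events):
    """Run the report-derived rules over events. Events must be in time order so
    that a file write is seen before the process creation that executes it."""
    hits = []
    dropped = set()  # lower-cased paths written by any process so far
    for ev in events:
        eid, image = ev["EventID"], ev.get("Image", "")
        if eid == 11:
            target = ev["TargetFilename"].lower()
            dropped.add(target)
            if STARTUP_DIR in target and target.endswith(".exe"):
                hits.append(Hit("drops_startup_file", image, ev["TargetFilename"]))
        elif eid == 13:
            key = ev.get("TargetObject", "")
            if RUN_KEY in key.lower():
                hits.append(Hit("adds_run_key", image, f"{key} = {ev.get('Details', '')}"))
        elif eid == 1:
            if image.lower() in dropped:
                hits.append(Hit("executes_dropped_exe", ev.get("ParentImage", ""), image))
            sha256 = parse_hashes(ev.get("Hashes", "")).get("SHA256")
            if sha256 in KNOWN_SHA256:
                hits.append(Hit("known_sample_hash", image, sha256))
    return hits


def summarize(hits):
    """Count hits per rule, e.g. {'drops_startup_file': 1, 'adds_run_key': 1, ...}."""
    return dict(Counter(h.rule for h in hits))


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for h in found:
        print(f"{h.rule:22} {h.image}\n{'':22} -> {h.detail}")
    print(summarize(found))
```

On the constructed input this yields one startup-folder drop, one Run key write, two executions of dropped EXEs and two hash matches, and nothing for the benign notepad.exe control. Correlating "executes dropped EXE" needs the FileCreate event to precede the ProcessCreate event, so feed events sorted by timestamp when applying this to real telemetry.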