Analysis

  • max time kernel
    150s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14/09/2024, 00:24

General

  • Target

    a24148eda3bf4345cb5120375ce54afda973884143eecc7dfd186713b9f708fe.exe

  • Size

    3.1MB

  • MD5

    7721667d876a9fe1a5f9bd5ee6342df1

  • SHA1

    c84f9363a8269d588a0da33557b5cb144b4eb5e7

  • SHA256

    a24148eda3bf4345cb5120375ce54afda973884143eecc7dfd186713b9f708fe

  • SHA512

    c21cef79d5afe19a88b27b72f25ce5a0046295d70071c69018145d1bd29fd77ee9192fd1d7a4d594ab691418838f6e75124ae22c5e378b5396179a17cc28b62b

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBTB/bSqz8b6LNXJqI:sxX7QnxrloE5dpUpQbVz8eLFc

Malware Config

Signatures

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser credential store.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers commonly read stored browser profile data, which can include saved credentials, cookies and session tokens.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a24148eda3bf4345cb5120375ce54afda973884143eecc7dfd186713b9f708fe.exe
    "C:\Users\Admin\AppData\Local\Temp\a24148eda3bf4345cb5120375ce54afda973884143eecc7dfd186713b9f708fe.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1368
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2548
    • C:\Adobe7N\devoptiec.exe
      C:\Adobe7N\devoptiec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3536
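The Signatures and Processes sections together describe one persistence chain: the sample at PID 1368 writes locadob.exe into the user's Startup folder, adds a Run key, then launches the dropped file (PID 2548) and a second payload from C:\Adobe7N (PID 3536). The following is an added example, not tria.ge code, of detection logic that correlates that chain over Sysmon-style events (ID 1 ProcessCreate, 11 FileCreate, 13 RegistryValueSet). The event records are constructed to mirror the report's process tree; the Run key value name and data are assumptions, since the report only states that a Run key was added.

```python
"""Correlate startup-folder drop + Run key + execution of the dropped file per
acting process. Added example; events below are constructed from the report's
process tree, not exported from the sandbox."""
import re
from collections import defaultdict

STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)

DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\a24148eda3bf4345cb5120375ce54afda973884143eecc7dfd186713b9f708fe.exe")
STARTUP_EXE = (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
               r"\Start Menu\Programs\Startup\locadob.exe")

# Constructed Sysmon-style events keyed by acting PID. The Run key name/data
# ("locadob" -> STARTUP_EXE) is an assumption; the report does not show it.
EVENTS = [
    {"id": 1, "pid": 1368, "ppid": 4000, "image": DROPPER},
    {"id": 11, "pid": 1368, "target": STARTUP_EXE},
    {"id": 13, "pid": 1368,
     "target": r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run\locadob",
     "details": STARTUP_EXE},
    {"id": 1, "pid": 2548, "ppid": 1368, "image": STARTUP_EXE},
    {"id": 1, "pid": 3536, "ppid": 1368, "image": r"C:\Adobe7N\devoptiec.exe"},
]

# A user pinning a shortcut into Startup: one indicator only, should score low.
BENIGN_EVENTS = [
    {"id": 1, "pid": 500, "ppid": 400, "image": r"C:\Windows\explorer.exe"},
    {"id": 11, "pid": 500,
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
               r"\Start Menu\Programs\Startup\Notes.lnk"},
]


def correlate(events):
    """Group events by acting PID and score the persistence chain per process.

    Returns one finding per process that touched the Startup folder, a Run key,
    or executed a file it had itself dropped into Startup. Severity grows with
    the number of distinct chain steps seen for the same PID."""
    procs = defaultdict(lambda: {"image": None, "startup_drops": [],
                                 "run_keys": [], "children": []})
    for e in events:
        p = procs[e["pid"]]
        if e["id"] == 1:
            p["image"] = e["image"]
            procs[e["ppid"]]["children"].append(e["image"])
        elif e["id"] == 11 and STARTUP_RE.search(e["target"]):
            p["startup_drops"].append(e["target"])
        elif e["id"] == 13 and RUN_KEY_RE.search(e["target"]):
            p["run_keys"].append((e["target"], e.get("details", "")))

    findings = []
    for pid, p in procs.items():
        dropped = {d.lower() for d in p["startup_drops"]}
        executed = [c for c in p["children"] if c.lower() in dropped]
        hits = sum(bool(x) for x in (p["startup_drops"], p["run_keys"], executed))
        if hits == 0:
            continue
        findings.append({
            "pid": pid,
            "image": p["image"],
            "severity": {1: "low", 2: "medium", 3: "high"}[hits],
            "startup_drops": p["startup_drops"],
            "run_keys": p["run_keys"],
            "executed_dropped": executed,
        })
    return sorted(findings, key=lambda f: f["pid"])


if __name__ == "__main__":
    for f in correlate(EVENTS) + correlate(BENIGN_EVENTS):
        print(f["severity"], f["pid"], f["image"], f["executed_dropped"])
```

The per-PID grouping is the point: any single indicator (a file in Startup, a Run value) is noisy on real endpoints, but the same process doing all three within one trace, as PID 1368 does here, is what this report's sample looks like in telemetry. The second dropped payload (C:\Adobe7N\devoptiec.exe) is not in Startup, so it does not count toward the chain; it is caught by a path sweep instead.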

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Adobe7N\devoptiec.exe

    Filesize

    3.1MB

    MD5

    f7266427e140815c936f70a6620f5333

    SHA1

    814af187044bfadaa44c1cb05e18b972051a3b11

    SHA256

    d57c08cf47fdcd784c5e0bc7621b249e705373182974487f819e663056a07f17

    SHA512

    bdd891da73d269c1a6c237d1a94caf00657ded53d104a6d1e66dc6236b82cbb9d2b7828c5903e58c32f6dfc86e451973f177d12f70f98120896a93efb0572158

  • C:\MintB5\boddevloc.exe

    Filesize

    2.6MB

    MD5

    f438c123d330d85ef91a9a4cc6b9fe6f

    SHA1

    83072fdd3171fbea99c6f0ef4cf147209b41474f

    SHA256

    93e00f87b8cde7d41bde53df279a31ce66ba9e1af9bd3cdd51ac6a8d9d41c59f

    SHA512

    783b711bf110fea595edf34ea2237c6846f4900f6a4aba244f344ced87abeb9cf9fd09f208db87cd0bb02db72836d5176d6a0cd0abb720b5b171a8a20a8a253b

  • C:\MintB5\boddevloc.exe

    Filesize

    490KB

    MD5

    fb5311422811def5e79be3e520a6f083

    SHA1

    067b5ed58c4859b0f3b69ad711248ed52581e1c5

    SHA256

    c8e8e8a7f0581b69b48e85889ade33ee2755d6642e3cc210e656ffaf71a44b21

    SHA512

    c74a000c137e2fca26b590b28b49bd4675c5e71569b4f9b38948e5e086d7c51039dffd9d1e7ebb5a3ee745cf4df8c257c826cfadfbb691656509a8bcc50ce562

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    204B

    MD5

    7fc68bd738e328a9da929787fc496cea

    SHA1

    831d901eab7d60e835774f5d9e39b5347d76850a

    SHA256

    64635bb9554859413199babda6c49f6fdaaaa15e34de8ef24110cd754547c773

    SHA512

    37dde0af530d5b3455477881d8519df98795b54a91f5a76ba633da2f77b7746ee77073053f2581285fc93d13883a917eeaf5e820ca9354b10863d67287b9bd3c

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    172B

    MD5

    dbd4c8d333a1ba85ae526079631f4a90

    SHA1

    864e0e7252029a2ef65c668679ae51ce61b03445

    SHA256

    a610a0dfea223ad15d1a7a633c37a209586491371b9e34f3fc50410db87ab12e

    SHA512

    a9ad673fa86891a912825e0c01ee798c8dfafcc598582becba0756e49ea20dd939303b050be96b0c36ceb067984c1a8bdc7364649fcb04bedb49ee42bee42c45

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe

    Filesize

    3.1MB

    MD5

    e84fed5585be4ce71c068d564fa32704

    SHA1

    8fad870191d68b9b4f59fc522c9d3b0505fb2536

    SHA256

    b33d3bb42e8451c4960bbde1e5f02246084f3b640f3662b1f192969e896a2d9c

    SHA512

    0bcc9420edf8f2fa860c4a45d1329cdb1f093f3bbb887149439d03cc4f7128c8b57a6b9b8d36662251155bfc0d9fa25281fd03c41208f1ebc4e376330ea383b1
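The Downloads list shows why a hash-only sweep is not enough: C:\MintB5\boddevloc.exe and the .ini under C:\Users\Admin appear twice, each time with a different size and hash, so the copy that survives on a host may match neither value. The following is an added example, not tria.ge code, of a host sweep that combines the report's SHA-256 values with checks on the shape of the paths (an executable in the Startup folder, an .ini named <digits>_<version>_<user>.ini directly in a profile root, and an executable in a short letters-plus-digits directory at the drive root, the last of which is a heuristic generalised from the two directory names in this report). The directory tree built by demo() is constructed for the demonstration, and the function names are this example's own.

```python
"""Sweep a tree for the artifacts in this report: SHA-256 matches plus path-shape
checks for rewritten variants. Added example, not tria.ge code."""
import hashlib
import re
import tempfile
from pathlib import Path

# SHA-256 values copied from the report's Downloads section.
KNOWN_SHA256 = {
    "d57c08cf47fdcd784c5e0bc7621b249e705373182974487f819e663056a07f17":
        r"C:\Adobe7N\devoptiec.exe",
    "93e00f87b8cde7d41bde53df279a31ce66ba9e1af9bd3cdd51ac6a8d9d41c59f":
        r"C:\MintB5\boddevloc.exe (2.6MB)",
    "c8e8e8a7f0581b69b48e85889ade33ee2755d6642e3cc210e656ffaf71a44b21":
        r"C:\MintB5\boddevloc.exe (490KB)",
    "b33d3bb42e8451c4960bbde1e5f02246084f3b640f3662b1f192969e896a2d9c":
        r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe",
}

INI_NAME = re.compile(r"^\d+_\d+\.\d+_[^_]+\.ini$", re.IGNORECASE)
# Heuristic assumed from "Adobe7N" and "MintB5": letters, digits, optional letter.
SHORT_ROOT_DIR = re.compile(r"^[a-z]+\d+[a-z]?$", re.IGNORECASE)


def sha256_file(path, chunk=1 << 20):
    """Stream the file through SHA-256 so large drops do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def path_reason(rel_parts):
    """Return a reason string if the path (relative to the drive root) has the
    shape of one of the report's drop locations, else None."""
    parts = [p.lower() for p in rel_parts]
    name = parts[-1]
    if name.endswith(".exe") and parts[-4:-1] == ["start menu", "programs", "startup"]:
        return "executable in Startup folder"
    if len(parts) == 3 and parts[0] == "users" and INI_NAME.match(name):
        return "profile-root ini named <digits>_<version>_<user>.ini"
    if name.endswith(".exe") and len(parts) == 2 and SHORT_ROOT_DIR.match(parts[0]):
        return "executable in short letters+digits directory at drive root"
    return None


def sweep(root, known=KNOWN_SHA256):
    """Walk root (treated as the drive root) and report files that match a known
    hash or a suspicious path shape. Each finding lists every reason that fired."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root)
        digest = sha256_file(path)
        reasons = []
        if digest in known:
            reasons.append("sha256 matches report: " + known[digest])
        shape = path_reason(rel.parts)
        if shape:
            reasons.append(shape)
        if reasons:
            findings.append({"path": rel.as_posix(), "sha256": digest, "reasons": reasons})
    return findings


def demo():
    """Build a constructed tree mirroring the report's layout and sweep it.
    One constructed file's hash is added to the known set so the hash branch is
    exercised too; the real drops' contents are not available here."""
    root = Path(tempfile.mkdtemp())
    payload = b"MZ constructed devoptiec"
    files = {
        ("Users", "Admin", "253086396416_10.0_Admin.ini"): b"[constructed]\r\n",
        ("Users", "Admin", "AppData", "Roaming", "Microsoft", "Windows",
         "Start Menu", "Programs", "Startup", "locadob.exe"): b"MZ constructed locadob",
        ("Adobe7N", "devoptiec.exe"): payload,
        ("Users", "Admin", "Documents", "notes.txt"): b"benign",
    }
    for parts, data in files.items():
        p = root.joinpath(*parts)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    known = dict(KNOWN_SHA256)
    known[hashlib.sha256(payload).hexdigest()] = "constructed sample"
    return sweep(root, known)


if __name__ == "__main__":
    for f in demo():
        print(f["path"], f["sha256"][:12], f["reasons"])
```

Point sweep() at a mounted disk image or, from an elevated prompt on a live host, at the drive root; the path checks are evaluated on components relative to that root, so the same logic works whether the image is mounted on Windows or Linux. Treat the path-shape hits as leads to triage rather than verdicts, since the directory-name heuristic is derived from only two samples in this report.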