Analysis
max time kernel: 150s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/09/2024, 00:24
Static task: static1
Behavioral task: behavioral1
  Sample: a24148eda3bf4345cb5120375ce54afda973884143eecc7dfd186713b9f708fe.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: a24148eda3bf4345cb5120375ce54afda973884143eecc7dfd186713b9f708fe.exe
  Resource: win10v2004-20240802-en
General
Target: a24148eda3bf4345cb5120375ce54afda973884143eecc7dfd186713b9f708fe.exe
Size: 3.1MB
MD5: 7721667d876a9fe1a5f9bd5ee6342df1
SHA1: c84f9363a8269d588a0da33557b5cb144b4eb5e7
SHA256: a24148eda3bf4345cb5120375ce54afda973884143eecc7dfd186713b9f708fe
SHA512: c21cef79d5afe19a88b27b72f25ce5a0046295d70071c69018145d1bd29fd77ee9192fd1d7a4d594ab691418838f6e75124ae22c5e378b5396179a17cc28b62b
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBTB/bSqz8b6LNXJqI:sxX7QnxrloE5dpUpQbVz8eLFc
Malware Config
Signatures
- Credentials from Password Stores: Credentials from Web Browsers (1 TTP)
  Malicious access to, or copying of, a web browser credential store.
- Drops startup file (1 IoC)
  description  | ioc                                                                                        | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | a24148eda3bf4345cb5120375ce54afda973884143eecc7dfd186713b9f708fe.exe
- Executes dropped EXE (2 IoCs)
  pid  | Process
  2548 | locadob.exe
  3536 | devoptiec.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description     | ioc                                                                                                                                            | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe7N\\devoptiec.exe"   | a24148eda3bf4345cb5120375ce54afda973884143eecc7dfd186713b9f708fe.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintB5\\boddevloc.exe" | a24148eda3bf4345cb5120375ce54afda973884143eecc7dfd186713b9f708fe.exe
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc                                                        | Process
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a24148eda3bf4345cb5120375ce54afda973884143eecc7dfd186713b9f708fe.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | locadob.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | devoptiec.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid  | Process                                                              | occurrences
  1368 | a24148eda3bf4345cb5120375ce54afda973884143eecc7dfd186713b9f708fe.exe | 4
  2548 | locadob.exe                                                          | 30
  3536 | devoptiec.exe                                                        | 30
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                       | pid  | Process                                                              | procid_target | occurrences
  PID 1368 wrote to memory of 2548  | 1368 | a24148eda3bf4345cb5120375ce54afda973884143eecc7dfd186713b9f708fe.exe | 87            | 3
  PID 1368 wrote to memory of 3536  | 1368 | a24148eda3bf4345cb5120375ce54afda973884143eecc7dfd186713b9f708fe.exe | 88            | 3
Processes
- C:\Users\Admin\AppData\Local\Temp\a24148eda3bf4345cb5120375ce54afda973884143eecc7dfd186713b9f708fe.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a24148eda3bf4345cb5120375ce54afda973884143eecc7dfd186713b9f708fe.exe"
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 1368
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 2548
  - C:\Adobe7N\devoptiec.exe (depth 2)
    Command line: C:\Adobe7N\devoptiec.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 3536
Network
MITRE ATT&CK Enterprise v15
Downloads