Analysis
- max time kernel: 119s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 28/09/2024, 09:01
Tasks
- Static task static1
- Behavioral task behavioral1: sample 063441ba9be53ad70516ba40bd5ddfc9903930ef0de882d042047bc982e9c05fN.exe, resource win7-20240704-en (the run reported on this page)
- Behavioral task behavioral2: sample 063441ba9be53ad70516ba40bd5ddfc9903930ef0de882d042047bc982e9c05fN.exe, resource win10v2004-20240802-en
General
- Target: 063441ba9be53ad70516ba40bd5ddfc9903930ef0de882d042047bc982e9c05fN.exe
- Size: 2.6MB
- MD5: 1f26bccdd30ec8c624318e3c1427e480
- SHA1: b9b59d0257e3d499b4d78b5dcfe0e7765f13edff
- SHA256: 063441ba9be53ad70516ba40bd5ddfc9903930ef0de882d042047bc982e9c05f
- SHA512: 7589b98728a52a6c52c20d915d4fcfbc7b416e9fd20a8c1c04f2e05eecc109a4f6af089f1f2e485070128e2b4aa2cd6df2cb5193031fafc4f26ecbcac3b39c50
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBmB/bS:sxX7QnxrloE5dpUp1b
Malware Config
Signatures
Drops startup file (1 IoC)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe, by 063441ba9be53ad70516ba40bd5ddfc9903930ef0de882d042047bc982e9c05fN.exe

Executes dropped EXE (2 IoCs)
- PID 2752: locdevbod.exe
- PID 2144: xdobec.exe

Loads dropped DLL (2 IoCs)
- PID 2756: 063441ba9be53ad70516ba40bd5ddfc9903930ef0de882d042047bc982e9c05fN.exe (two loads)

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets. No individual IoCs are listed under this signature.

Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid8B\\boddevsys.exe", by 063441ba9be53ad70516ba40bd5ddfc9903930ef0de882d042047bc982e9c05fN.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot6Z\\xdobec.exe", by 063441ba9be53ad70516ba40bd5ddfc9903930ef0de882d042047bc982e9c05fN.exe
Both values use the same name, Parametr, and both point at executables in directories created directly under the drive root rather than under Program Files.

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by 063441ba9be53ad70516ba40bd5ddfc9903930ef0de882d042047bc982e9c05fN.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by locdevbod.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by xdobec.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
64 events in total: two from PID 2756 (063441ba9be53ad70516ba40bd5ddfc9903930ef0de882d042047bc982e9c05fN.exe), the remainder alternating between PID 2752 (locdevbod.exe) and PID 2144 (xdobec.exe).

Suspicious use of WriteProcessMemory (8 IoCs)
- PID 2756 (063441ba9be53ad70516ba40bd5ddfc9903930ef0de882d042047bc982e9c05fN.exe) wrote to the memory of PID 2752, procid_target 30: 4 events
- PID 2756 (063441ba9be53ad70516ba40bd5ddfc9903930ef0de882d042047bc982e9c05fN.exe) wrote to the memory of PID 2144, procid_target 31: 4 events
All eight writes are from the sample into the two processes it launched itself (see the process tree below); no writes into pre-existing system processes were recorded.
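The two Run/RunOnce writes and the Startup-folder drop are the persistence a responder would hunt for on other hosts. The Python script below is an added example, not part of this Triage report or of Triage's own tooling: it parses IoC lines in the layout shown above (the three sample lines are copied from this report's signatures), translates the kernel-style \REGISTRY\USER\... key into the HKU\ form used by reg.exe and most hunting queries, and records why each entry is suspicious. The autorun-key list, the "trusted roots" check and the top-level-directory heuristic are this example's own assumptions, not rules taken from the report.

```python
import re
from dataclasses import dataclass, field

# Three IoC lines copied from this report's "Adds Run key to start application"
# and "Drops startup file" signatures (constructed input for the example; the
# live page renders them as table cells).
SAMPLE_IOCS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid8B\\boddevsys.exe" 063441ba9be53ad70516ba40bd5ddfc9903930ef0de882d042047bc982e9c05fN.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot6Z\\xdobec.exe" 063441ba9be53ad70516ba40bd5ddfc9903930ef0de882d042047bc982e9c05fN.exe',
    r'File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe 063441ba9be53ad70516ba40bd5ddfc9903930ef0de882d042047bc982e9c05fN.exe',
]

# Layout of a Triage registry-write IoC: Set value (<type>) <key>\<name> = "<data>" <process>
SET_VALUE_RE = re.compile(
    r'^Set value \((?P<vtype>\w+)\) (?P<key>\\REGISTRY\\.+?)\\(?P<name>[^\\]+?) = "(?P<data>.*)" (?P<proc>\S+)$'
)
# Layout of a Triage file-drop IoC: File created <path> <process>
FILE_CREATED_RE = re.compile(r'^File created (?P<path>.+?) (?P<proc>\S+)$')

# Autorun locations this example knows about (assumption: a minimal list, not
# the full set of Windows auto-start extensibility points).
AUTORUN_KEYS = {
    "\\currentversion\\run": "run_key",
    "\\currentversion\\runonce": "runonce_key",
}
STARTUP_FOLDER = "\\microsoft\\windows\\start menu\\programs\\startup\\"
# Directories an autorun image is normally expected under; anything else is
# flagged (heuristic assumed by this example, not a rule from the report).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass
class Finding:
    mechanism: str            # run_key | runonce_key | startup_folder
    image: str                # executable the autorun will launch
    process: str              # process that created the persistence
    location: str             # registry value path or dropped-file path
    reasons: list = field(default_factory=list)


def to_winreg_path(native_key: str) -> str:
    """Translate the kernel-style \\REGISTRY\\... path Triage logs into the
    HKU\\ / HKLM\\ form used by reg.exe, PowerShell and hunting queries."""
    for prefix, hive in (("\\REGISTRY\\USER\\", "HKU\\"), ("\\REGISTRY\\MACHINE\\", "HKLM\\")):
        if native_key.upper().startswith(prefix):
            return hive + native_key[len(prefix):]
    return native_key


def normalize_image(data: str) -> str:
    """Undo Triage's doubled backslashes and strip surrounding quotes."""
    return data.strip('"').replace("\\\\", "\\")


def path_reasons(image: str) -> list:
    low = image.lower()
    reasons = []
    if not low.startswith(TRUSTED_ROOTS):
        reasons.append("image outside Windows/Program Files")
    # "C:\Vid8B\x.exe" splits into ["C:", "Vid8B", "x.exe"]: a directory made
    # straight under the drive root, which legitimate installers rarely do.
    if len(image.split("\\")) == 3:
        reasons.append("image in a top-level directory")
    return reasons


def classify(line: str):
    """Return a Finding for a persistence IoC line, or None for anything else."""
    m = SET_VALUE_RE.match(line)
    if m:
        key = m.group("key")
        for suffix, mechanism in AUTORUN_KEYS.items():
            if key.lower().endswith(suffix):
                image = normalize_image(m.group("data"))
                return Finding(mechanism, image, m.group("proc"),
                               to_winreg_path(key) + "\\" + m.group("name"),
                               path_reasons(image))
        return None
    m = FILE_CREATED_RE.match(line)
    if m and STARTUP_FOLDER in m.group("path").lower():
        path = m.group("path")
        return Finding("startup_folder", path, m.group("proc"), path,
                       path_reasons(path) + ["dropped into per-user Startup folder"])
    return None


def triage(lines) -> list:
    """Reduce a list of IoC lines to the persistence findings they contain."""
    return [f for f in (classify(l) for l in lines) if f is not None]


if __name__ == "__main__":
    for f in triage(SAMPLE_IOCS):
        print(f"{f.mechanism:15} {f.image}")
        print(f"{'':15} via {f.location}")
        print(f"{'':15} by  {f.process}")
        print(f"{'':15} {'; '.join(f.reasons)}")
```

The location strings the script produces are in the form a `reg query` or `Get-ItemProperty` hunt would take, so the findings can be pasted into a host sweep directly. Lines that are not persistence events (for example the NLS\Language key opens under System Language Discovery) are ignored rather than reported.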
Processes
- C:\Users\Admin\AppData\Local\Temp\063441ba9be53ad70516ba40bd5ddfc9903930ef0de882d042047bc982e9c05fN.exe (PID 2756)
  command line: "C:\Users\Admin\AppData\Local\Temp\063441ba9be53ad70516ba40bd5ddfc9903930ef0de882d042047bc982e9c05fN.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe (PID 2752, child of 2756)
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\UserDot6Z\xdobec.exe (PID 2144, child of 2756)
    command line: C:\UserDot6Z\xdobec.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

Of the three persistence targets, only the Startup-folder file (locdevbod.exe) and the Run value's target (xdobec.exe) were executed during the run; C:\Vid8B\boddevsys.exe, referenced by the RunOnce value, does not appear in the process tree.
Network
MITRE ATT&CK Enterprise v15
Downloads
Dropped files are listed by hash only; three of them are 2.6MB, the same size as the submitted sample, but with different hashes from it and from each other.

- Filesize: 2.6MB
  MD5: 5add1a988d7ea07ba75ccb5342882c40
  SHA1: bf62ed652875f80dca9c9ad0f40aa6baa0e8c856
  SHA256: 0a881e2ed05d5ed33524bb7492f7d045dfea15f528fd8e1798c6c9e6f035afa6
  SHA512: 3d5302bbc87aae9d93dceb531eefaf270f122ea2b5c8399a1f9e403a8acaf5733ce3f1352e3a8235a8562b8de7206049465e568538af8db4979c21734486d4b4
- Filesize: 172B
  MD5: 57d4c09e24c14e2965240bef58894522
  SHA1: 6aaafec172f223558c162d51b29b16347589acda
  SHA256: f99c11a67546b85bb0012a62325da16e1ac6f9563baff40a169021a9adad238a
  SHA512: ae059a1bebbd3138f7a98603cd10442dd88c8a8df16e37c5ba8f619d2029c26a1c43afc71d134a1270cd0fec64ff93bb1886da86874c97d6bebfbd607ff1ed0f
- Filesize: 204B
  MD5: aed741c5108d34d07f9e76200d41441b
  SHA1: 183447cf87db40d78b60b3731cb113456e83e0bc
  SHA256: 3d745e8495ac7486ffdf5a9c354534524915ef9cc5d6ad5036a627b953152bdd
  SHA512: 6dae395dffbc8aab69e21a0909e2bd92b06fc9b709e32d641b3ced81ad5db0152ef12cddfaee697725ac20d06cd952d940f1f7bb5426b01fe3e6eb222d690625
- Filesize: 2.6MB
  MD5: 413dc7f7f99915c2a91c96a866125899
  SHA1: 6e082d5fbac9ba8b3a753243f4959b0ef6422bc2
  SHA256: 8051c2d623246aedebe300705a28739614ed0d1a848092744ecc43cf7c57fecf
  SHA512: 0e79a1e3ebd7be903e5986897365a39e70c001f5277e03fd8d610899d9a12bb1578663fa9346b9ae25bfe2315d4c203b0375a522a8a27434b284d5dae49eb992
- Filesize: 57KB
  MD5: a54d72e8045190fcd1a7c29fae94a21c
  SHA1: f2ea661cc3cf0731a34224f5856fb93924eb24b2
  SHA256: 0b20c762da9a21258c1c72f455e159b8dace732893ef98e5aa50977354b417f2
  SHA512: 695ebd676bd1ca7122544e8b8deb2955ca2b1188a1354b07706a7fc0b7a83480ec3d0f69b58b9d585933a9b10fc174c22ef9f24672c820f5088fa4a114a0c123
- Filesize: 2.6MB
  MD5: 96c507884e3db640ee26573c80ccc1f7
  SHA1: f90a35992bec80a5b43fd32eaa5d96ab4d68ab3b
  SHA256: 3a0de699e0a690c92ed4f987abae145897cef1bfef1da9cd8daf9ded531f75f7
  SHA512: 8b63bfef58cfc6174000c6667638bc7cd56405c1b4e5dfb3bcdceb3dc76f48c38efdbc7086e727b2b8120ed4340ff61bf697a7701169ab9898dd111148658678