Analysis
max time kernel: 120s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/09/2024, 19:46
Static task: static1

Behavioral task: behavioral1
Sample: 548be8b074415e8bb93f69a3b0f0c269ef82b7fb98f148d6cf6179809e10bc36N.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: 548be8b074415e8bb93f69a3b0f0c269ef82b7fb98f148d6cf6179809e10bc36N.exe
Resource: win10v2004-20240802-en
General
Target: 548be8b074415e8bb93f69a3b0f0c269ef82b7fb98f148d6cf6179809e10bc36N.exe
Size: 2.6MB
MD5: becef067a84724f23bd4d4697203c4d0
SHA1: ceae1f1da1519238f2939c87d757ae4bec2973eb
SHA256: 548be8b074415e8bb93f69a3b0f0c269ef82b7fb98f148d6cf6179809e10bc36
SHA512: b15e65f7561759f74169e4d59058e22453db2094e7d63f8a0318f146eb378ab5f5c10626c52db5bf66f0fbba0f0ec2f0804b6fc131eea3b00d290ae3620100c9
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBDB/bS:sxX7QnxrloE5dpUpkb
Malware Config
Signatures

Drops startup file (1 IoC)
description: File created
ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
Process: 548be8b074415e8bb93f69a3b0f0c269ef82b7fb98f148d6cf6179809e10bc36N.exe

Executes dropped EXE (2 IoCs)
pid 3808: locadob.exe
pid 3768: xdobloc.exe

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeSJ\\xdobloc.exe"
Process: 548be8b074415e8bb93f69a3b0f0c269ef82b7fb98f148d6cf6179809e10bc36N.exe
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid3D\\optixec.exe"
Process: 548be8b074415e8bb93f69a3b0f0c269ef82b7fb98f148d6cf6179809e10bc36N.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: 548be8b074415e8bb93f69a3b0f0c269ef82b7fb98f148d6cf6179809e10bc36N.exe
description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: locadob.exe
description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: xdobloc.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid 2188: 548be8b074415e8bb93f69a3b0f0c269ef82b7fb98f148d6cf6179809e10bc36N.exe (4 entries)
pid 3808: locadob.exe (30 entries, alternating in pairs with pid 3768)
pid 3768: xdobloc.exe (30 entries, alternating in pairs with pid 3808)

Suspicious use of WriteProcessMemory (6 IoCs)
description: PID 2188 wrote to memory of 3808
pid: 2188
Process: 548be8b074415e8bb93f69a3b0f0c269ef82b7fb98f148d6cf6179809e10bc36N.exe
procid_target: 82
(recorded 3 times)
description: PID 2188 wrote to memory of 3768
pid: 2188
Process: 548be8b074415e8bb93f69a3b0f0c269ef82b7fb98f148d6cf6179809e10bc36N.exe
procid_target: 83
(recorded 3 times)
Processes

[1] C:\Users\Admin\AppData\Local\Temp\548be8b074415e8bb93f69a3b0f0c269ef82b7fb98f148d6cf6179809e10bc36N.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\548be8b074415e8bb93f69a3b0f0c269ef82b7fb98f148d6cf6179809e10bc36N.exe"
    PID: 2188
    - Drops startup file
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
        PID: 3808
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses

    [2] C:\AdobeSJ\xdobloc.exe
        Command line: C:\AdobeSJ\xdobloc.exe
        PID: 3768
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
Filesize: 2.2MB
MD5: 89fd63f3e83fb83a86ed3ce9e432e0e7
SHA1: 718fc2265f70f12f71eb9162f7d696f91702c19a
SHA256: 102db907790418332acec78e660fcec8ec0d3e00ee12e549c5a267b9d5676586
SHA512: 07bf432c9ac8825c2bc0867c2010a78488309acffb06e1d18edf2254729a63aed56aba86714ea0da82fb66949eb3bcea53070d2c3da676b549cd5ffeb0727c23

File 2
Filesize: 2.6MB
MD5: c61e1a8acf36fc639be5303c0e88ede0
SHA1: 615bfd1e886a8fb7cad7ed7887625a1827f293c8
SHA256: 64921d4f4ac23ea66f1b9d2fe585cfa5ace222956dd4f79e2d9cc137e9fd4c17
SHA512: 8b4e596bf45a62525fe7cb1714a5e17b75a60628203382978cec9351df3dabdbfe6efd24633e6d36e08b9d5f1d99be089b4d8d4104367e4de09aba09797b45c5

File 3
Filesize: 199B
MD5: 65960cdebf79fab570aad713dd7951bc
SHA1: f4dd8bdff6a80fe31b2c753ba5049ff2cca76438
SHA256: 311c7aaf8d9c7b4346f4c6c633cc08a3fd3497fe9d367847d9368d0079951793
SHA512: 4a460a05c22b79691a99cdbe51e510f1c5d8993c7dbf0b7a6dd698a88641e0d577bffe5e8a95c95e001da26eec09d55a9e1cb23889037997b14e45f3cdc8c7ec

File 4
Filesize: 167B
MD5: bd80b9e53dc3d8343e9a31eefd264de4
SHA1: c92db944b0cf221cbc12206fd6e6895c57aeca29
SHA256: 0720819a0cd3f72e64de35993c8dc2b00d417fd35b20d21307dc288f1bf96b7a
SHA512: 4b2f5da458dc4ab77b04488b4cdfcfef2dcd9b1d1ec20a9395f61be6398564b67f0e2e57b16b8f71432368b64a301ca992922dbd07bacb46d68baf5a2c8f3864

File 5
Filesize: 2.6MB
MD5: 04e00e4e21fed7d22f545cbba639d1b7
SHA1: 92993faa3fa1ba1470a9b0741f547b0fa7dcb935
SHA256: 41fc6da69c65f110fbe4887149a1467bc0fbe4e203f749b92a2780e1e6ef7bbf
SHA512: c3f115a935bd3b0a936d3430b33cfca8299a3da3c2c2e0e65700ed5c6f40e1b01aa9f210cbc571b8601593b583ad0f408767ac63a6e2a29a7af1563c3bc257a0

File 6
Filesize: 7KB
MD5: ec404dc607a7bce365c371372c732d22
SHA1: 4d3414b75d79d8d911c3947e95add02806762e93
SHA256: 8f1145e98e4e5b5619503e16422f9cc17157101ff54ed5b081106ce4959f22e2
SHA512: 25f87b1070bb1946e262d5ff4eaf91a6ff170c9987f970ecc4f02a7e9f7ef3b5355d6f693edce66f6085e5bd6279f612d457449cbae352b4654ace8c35e2c55a

File 7
Filesize: 18KB
MD5: f3611b180f53e7b766446f16c0eb47e8
SHA1: b0a5575b4fca6d2ca1ebf68f998124b33189a5e8
SHA256: da3c4283fe87c6da829e4d3b09eadb3c7290c393ca69be154a4623b54548802f
SHA512: 80c0937e80f63fa08bcb017f6504125ff30072a3ed9a2185ea5271bf5c0c20edbe958b500cc16a99d3c0072a1a1468864aa5250c977a0ad30c63af750b7b5ca1