Analysis

  • max time kernel: 120s
  • max time network: 96s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240802-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 28/09/2024, 19:46

General

  • Target: 548be8b074415e8bb93f69a3b0f0c269ef82b7fb98f148d6cf6179809e10bc36N.exe
  • Size: 2.6MB
  • MD5: becef067a84724f23bd4d4697203c4d0
  • SHA1: ceae1f1da1519238f2939c87d757ae4bec2973eb
  • SHA256: 548be8b074415e8bb93f69a3b0f0c269ef82b7fb98f148d6cf6179809e10bc36
  • SHA512: b15e65f7561759f74169e4d59058e22453db2094e7d63f8a0318f146eb378ab5f5c10626c52db5bf66f0fbba0f0ec2f0804b6fc131eea3b00d290ae3620100c9
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBDB/bS:sxX7QnxrloE5dpUpkb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\548be8b074415e8bb93f69a3b0f0c269ef82b7fb98f148d6cf6179809e10bc36N.exe
    "C:\Users\Admin\AppData\Local\Temp\548be8b074415e8bb93f69a3b0f0c269ef82b7fb98f148d6cf6179809e10bc36N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2188
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3808
    • C:\AdobeSJ\xdobloc.exe
      C:\AdobeSJ\xdobloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3768

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\AdobeSJ\xdobloc.exe
    Filesize: 2.2MB
    MD5: 89fd63f3e83fb83a86ed3ce9e432e0e7
    SHA1: 718fc2265f70f12f71eb9162f7d696f91702c19a
    SHA256: 102db907790418332acec78e660fcec8ec0d3e00ee12e549c5a267b9d5676586
    SHA512: 07bf432c9ac8825c2bc0867c2010a78488309acffb06e1d18edf2254729a63aed56aba86714ea0da82fb66949eb3bcea53070d2c3da676b549cd5ffeb0727c23

  • C:\AdobeSJ\xdobloc.exe
    Filesize: 2.6MB
    MD5: c61e1a8acf36fc639be5303c0e88ede0
    SHA1: 615bfd1e886a8fb7cad7ed7887625a1827f293c8
    SHA256: 64921d4f4ac23ea66f1b9d2fe585cfa5ace222956dd4f79e2d9cc137e9fd4c17
    SHA512: 8b4e596bf45a62525fe7cb1714a5e17b75a60628203382978cec9351df3dabdbfe6efd24633e6d36e08b9d5f1d99be089b4d8d4104367e4de09aba09797b45c5

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 199B
    MD5: 65960cdebf79fab570aad713dd7951bc
    SHA1: f4dd8bdff6a80fe31b2c753ba5049ff2cca76438
    SHA256: 311c7aaf8d9c7b4346f4c6c633cc08a3fd3497fe9d367847d9368d0079951793
    SHA512: 4a460a05c22b79691a99cdbe51e510f1c5d8993c7dbf0b7a6dd698a88641e0d577bffe5e8a95c95e001da26eec09d55a9e1cb23889037997b14e45f3cdc8c7ec

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 167B
    MD5: bd80b9e53dc3d8343e9a31eefd264de4
    SHA1: c92db944b0cf221cbc12206fd6e6895c57aeca29
    SHA256: 0720819a0cd3f72e64de35993c8dc2b00d417fd35b20d21307dc288f1bf96b7a
    SHA512: 4b2f5da458dc4ab77b04488b4cdfcfef2dcd9b1d1ec20a9395f61be6398564b67f0e2e57b16b8f71432368b64a301ca992922dbd07bacb46d68baf5a2c8f3864

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
    Filesize: 2.6MB
    MD5: 04e00e4e21fed7d22f545cbba639d1b7
    SHA1: 92993faa3fa1ba1470a9b0741f547b0fa7dcb935
    SHA256: 41fc6da69c65f110fbe4887149a1467bc0fbe4e203f749b92a2780e1e6ef7bbf
    SHA512: c3f115a935bd3b0a936d3430b33cfca8299a3da3c2c2e0e65700ed5c6f40e1b01aa9f210cbc571b8601593b583ad0f408767ac63a6e2a29a7af1563c3bc257a0

  • C:\Vid3D\optixec.exe
    Filesize: 7KB
    MD5: ec404dc607a7bce365c371372c732d22
    SHA1: 4d3414b75d79d8d911c3947e95add02806762e93
    SHA256: 8f1145e98e4e5b5619503e16422f9cc17157101ff54ed5b081106ce4959f22e2
    SHA512: 25f87b1070bb1946e262d5ff4eaf91a6ff170c9987f970ecc4f02a7e9f7ef3b5355d6f693edce66f6085e5bd6279f612d457449cbae352b4654ace8c35e2c55a

  • C:\Vid3D\optixec.exe
    Filesize: 18KB
    MD5: f3611b180f53e7b766446f16c0eb47e8
    SHA1: b0a5575b4fca6d2ca1ebf68f998124b33189a5e8
    SHA256: da3c4283fe87c6da829e4d3b09eadb3c7290c393ca69be154a4623b54548802f
    SHA512: 80c0937e80f63fa08bcb017f6504125ff30072a3ed9a2185ea5271bf5c0c20edbe958b500cc16a99d3c0072a1a1468864aa5250c977a0ad30c63af750b7b5ca1