Analysis

  • max time kernel
    120s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20240802-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    30/09/2024, 22:31

General

  • Target

    467e1695403afbc0e5cbc343b23fd0e6ba6eefcd88425bda7207fc759eaf28f6N.exe

  • Size

    2.6MB

  • MD5

    d73dbc077f643acecf9182e2d6ea0f00

  • SHA1

    2b0caeb79eeb5e4becb6cbea14d2e0868c6f288c

  • SHA256

    467e1695403afbc0e5cbc343b23fd0e6ba6eefcd88425bda7207fc759eaf28f6

  • SHA512

    3cce366c4584ede5c2ee6c950c6f29912ccc1bdabf9d74d0ad6546dbb67216b3ee1b1cb7f914537e654e2d613068abc9609e8233c28e57e07daca35487ab0ad4

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBFB/bS:sxX7QnxrloE5dpUp2b

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\467e1695403afbc0e5cbc343b23fd0e6ba6eefcd88425bda7207fc759eaf28f6N.exe
    "C:\Users\Admin\AppData\Local\Temp\467e1695403afbc0e5cbc343b23fd0e6ba6eefcd88425bda7207fc759eaf28f6N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3164
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1516
    • C:\SysDrv13\xoptiec.exe
      C:\SysDrv13\xoptiec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1596

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\MintF6\bodasys.exe

    Filesize

    2.6MB

    MD5

    7792755b0c295158a8a634fcacfabb2b

    SHA1

    75b38835ff0c1355ad163c21939b236c8ff19597

    SHA256

    9d986e67768b0ca49b7b69366a7395039e7aa73ac3335803eccf1ae64735809d

    SHA512

    445a850a47eb9e824d28a59a9b9c46cc4f1bd57b99255f34889f7c1bee70149afd255d181571c407f6bc014c7cd48cee350ae52c11dbb3aa5486c024913392ef

  • C:\MintF6\bodasys.exe

    Filesize

    1.2MB

    MD5

    08b2b25a0d9856d07efa87a8b5e81a47

    SHA1

    124b117daeeb90572e543b51b50d2cf19c9a1588

    SHA256

    b388f95b70ba9ca06497bd00b1544a00d543a173ffbf0ed72e36dbd754829836

    SHA512

    5935ca74fd68355fe180b5791864baf42d7a52f7332fd58d9964247d3fd6884f984b55f9e4f73a5fd1b0259e0ef6e32322e94a6a4417a345d9ffb5f8bbb86665

  • C:\SysDrv13\xoptiec.exe

    Filesize

    2.6MB

    MD5

    e479ea1bf6846711c90c63bfbd667726

    SHA1

    e6856d6bf6b604c67a9bf44ade70bfecb11df0ef

    SHA256

    d1a0f6cb915c8add16cf0d9359701c2dcf6d6734afb8405f610a872919113077

    SHA512

    a7ff5ac8485b6a4b0f16cca926bb1bf37e4e297e3237da3fff0b6fcde6204d722692a5ec850aa53d06411d554d0205681e593cc614e61b15bd7f6abc7f2e67bb

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    202B

    MD5

    086faf0dcd1021213be470f97912604a

    SHA1

    1eeb32386f859e906c1f4af19aaff1bfc935bcc3

    SHA256

    e9d0677fa1f911ab21d68adab2a8804fe301f82a9fef657c9464041f8ae5b624

    SHA512

    a7bd37c568c704fb934b1bcb61ed5518f20249eb2f8d09d9df99ec416f056ef6e504fb20cc0db45cd901252c107574cc522ded8c3e14c115179b3dc66c0737b4

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    170B

    MD5

    b59076a632040feca385b9f50c2e0bf1

    SHA1

    e7d7d76c63349352297f787cdee6b765a2a2d489

    SHA256

    6d893b434aa2e4bd280760e2c3bca939a0900ca84caddfa3325d39759dffb4c6

    SHA512

    ed434da2233d44a3b24cdf87d372032a731eaf192d35cb60ca525bbdcbfae04df03aa2976d9a2ded349c4beba02147abcdee0309cd0d66e3c040ed8288b22887

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe

    Filesize

    2.6MB

    MD5

    eed531c14c2e39c8a28091946e4f80e0

    SHA1

    abfc9d685ba6ee764bc4f3dd090303cf3e0853d5

    SHA256

    178ab44ba7f7af702056ee7a02524cef1a8a49cf24e951efc10441c5a2d95544

    SHA512

    ca3c9c3279337c8106b9863048b10978d11dac5ff4be0476187df61a2569e2fbd426d18c179b849ca4ca06ceb47d6c4147515cd1740ddd4963cbb57579d4a944