Analysis
- max time kernel: 120s
- max time network: 99s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13/10/2024, 17:21
Static task
- static1

Behavioral task
- behavioral1
  - Sample: b3c5e452781999b7b3941a1122de1b510ebe801ed9c2b9f8c9f1b1fce29aba31N.exe
  - Resource: win7-20241010-en

Behavioral task
- behavioral2
  - Sample: b3c5e452781999b7b3941a1122de1b510ebe801ed9c2b9f8c9f1b1fce29aba31N.exe
  - Resource: win10v2004-20241007-en
General
- Target: b3c5e452781999b7b3941a1122de1b510ebe801ed9c2b9f8c9f1b1fce29aba31N.exe
- Size: 2.6MB
- MD5: 25b4f1a8eb7daa211729244ec61caf80
- SHA1: e8c87ec86254a51e0e6ac2073ad96ef7f19661d2
- SHA256: b3c5e452781999b7b3941a1122de1b510ebe801ed9c2b9f8c9f1b1fce29aba31
- SHA512: 2332d2ef2c251dc2930634e3b71d4e544d4669d7946d29e0af5ac8500a6ff1922f1680cd326d7df773162f24f0cbcf5ec36870693a85603e16777d214be2d658
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB+B/bSq:sxX7QnxrloE5dpUplbV
Malware Config
Signatures

Drops startup file (1 IoC)
- description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
  Process: b3c5e452781999b7b3941a1122de1b510ebe801ed9c2b9f8c9f1b1fce29aba31N.exe

Executes dropped EXE (2 IoCs)
- pid 1388: locdevbod.exe
- pid 4604: devbodec.exe

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
- description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe76\\devbodec.exe"
  Process: b3c5e452781999b7b3941a1122de1b510ebe801ed9c2b9f8c9f1b1fce29aba31N.exe
- description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint6P\\dobaloc.exe"
  Process: b3c5e452781999b7b3941a1122de1b510ebe801ed9c2b9f8c9f1b1fce29aba31N.exe

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
- description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: devbodec.exe
- description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: b3c5e452781999b7b3941a1122de1b510ebe801ed9c2b9f8c9f1b1fce29aba31N.exe
- description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: locdevbod.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
The 64 entries repeat the following three pid/process pairs:
- pid 2524: b3c5e452781999b7b3941a1122de1b510ebe801ed9c2b9f8c9f1b1fce29aba31N.exe
- pid 1388: locdevbod.exe
- pid 4604: devbodec.exe

Suspicious use of WriteProcessMemory (6 IoCs)
- description: PID 2524 wrote to memory of 1388; pid: 2524; Process: b3c5e452781999b7b3941a1122de1b510ebe801ed9c2b9f8c9f1b1fce29aba31N.exe; procid_target: 88
- description: PID 2524 wrote to memory of 1388; pid: 2524; Process: b3c5e452781999b7b3941a1122de1b510ebe801ed9c2b9f8c9f1b1fce29aba31N.exe; procid_target: 88
- description: PID 2524 wrote to memory of 1388; pid: 2524; Process: b3c5e452781999b7b3941a1122de1b510ebe801ed9c2b9f8c9f1b1fce29aba31N.exe; procid_target: 88
- description: PID 2524 wrote to memory of 4604; pid: 2524; Process: b3c5e452781999b7b3941a1122de1b510ebe801ed9c2b9f8c9f1b1fce29aba31N.exe; procid_target: 89
- description: PID 2524 wrote to memory of 4604; pid: 2524; Process: b3c5e452781999b7b3941a1122de1b510ebe801ed9c2b9f8c9f1b1fce29aba31N.exe; procid_target: 89
- description: PID 2524 wrote to memory of 4604; pid: 2524; Process: b3c5e452781999b7b3941a1122de1b510ebe801ed9c2b9f8c9f1b1fce29aba31N.exe; procid_target: 89
Processes
- C:\Users\Admin\AppData\Local\Temp\b3c5e452781999b7b3941a1122de1b510ebe801ed9c2b9f8c9f1b1fce29aba31N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b3c5e452781999b7b3941a1122de1b510ebe801ed9c2b9f8c9f1b1fce29aba31N.exe"
  PID: 2524
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
    PID: 1388
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\Adobe76\devbodec.exe
    Command line: C:\Adobe76\devbodec.exe
    PID: 4604
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.6MB
  MD5: fe97d471b3431cead4a7ea0eae2f8568
  SHA1: 99da81e0c43ee8dbf7b6011be92223ba48d321fa
  SHA256: 9f2165eadf855180b2fa8dfcba81bd996c2137fb88d69c3de3a0d7c873a49f4f
  SHA512: c8d41f23be444b804f1ac7ceadd203077e79a7226ea6c836b1732ab7b8469abd0c67e9aaf45d74dbec8a2b447c5f4bc57eb53625a2c1cf4c8e1a2b436ff4319f
- Filesize: 520KB
  MD5: e2611b3ec5f09559371a14c5e3acbf3f
  SHA1: 9d0f01a48f7eb2ae9646dda705e450897cdb0699
  SHA256: 878f66d0a8edfbc16035b008a4eb29d2b93932a4eb4ebb2c4532f9dc95d99c85
  SHA512: c756b70a23c5cb1abfe37e7f1a103aabaa00c7fe7c91afcb984c34e5174a965bddb2652900dd378e1bc86c1f75f123fa69156494a2f3fc087eda0802d218cf12
- Filesize: 256B
  MD5: bae5eb085a9f023b8d36e2a083933bdd
  SHA1: c8f3b383d6ce74e8606027a03db4b0ae08c513b1
  SHA256: b505b72bbec0ac5ef11559a9e1cd5d9b176f6b03b0dc9296023c144e105605ab
  SHA512: 93d15b5bec81644cf4030f24c5941cb76efb1e539e47e25ee9c722db4b1b52b8ec129fef26b9080ad23fe6b7d1f0752e3a263040aa5557656967acd4d5e485f3
- Filesize: 203B
  MD5: 7925f699ae729518098d0c7c2908b134
  SHA1: b61a2716619c478b31319e3b8a85a27a972e5348
  SHA256: 85e3e9b027863e60bad5d423375dc0f14f5b1503098e5effb1074b9e68b7e79c
  SHA512: b716841d44882086d40a9303656b8743f3885e018d75c2008ca90b3dc8eeeb14653d8612eb0d1357df9b61da36e6494ab547ff6500303ebc25858fcb2173a0bd
- Filesize: 171B
  MD5: 76bbf63e5abea4545e7fe84f2aabb19e
  SHA1: b66095a001730b43e7c7269939b126ffa9fc8629
  SHA256: af80af06ca966672a364148390dd7c26f4d63dee1395d56238da34a6cd720f5b
  SHA512: f2c49341014427dce871daf45976a6dc55212ae267ec87b8f16e3d673dc0b68c00832d96e08a4b50fe23f892d6882202ee7820055375e474a52abb61d3fd5e68
- Filesize: 2.6MB
  MD5: f9007f999c51a1016c37e24d8e9a9a16
  SHA1: 18a6fdb3db1c96f66a848bbffc989e44a387a684
  SHA256: 29b77b47598f4b6db2d4775ab294a5c7926bcb316f8c1dbd622e105a53c45f66
  SHA512: 2463938d3837ca6d89263b53e8b9d4bb807de6a80baf725d583fec2c94cb195000ded11bb81421f413a220e2ad2072affeb4ebfd5267b400efbd9dac6239cab7