Analysis

  • max time kernel
    120s
  • max time network
    99s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13/10/2024, 17:21

General

  • Target

    b3c5e452781999b7b3941a1122de1b510ebe801ed9c2b9f8c9f1b1fce29aba31N.exe

  • Size

    2.6MB

  • MD5

    25b4f1a8eb7daa211729244ec61caf80

  • SHA1

    e8c87ec86254a51e0e6ac2073ad96ef7f19661d2

  • SHA256

    b3c5e452781999b7b3941a1122de1b510ebe801ed9c2b9f8c9f1b1fce29aba31

  • SHA512

    2332d2ef2c251dc2930634e3b71d4e544d4669d7946d29e0af5ac8500a6ff1922f1680cd326d7df773162f24f0cbcf5ec36870693a85603e16777d214be2d658

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB+B/bSq:sxX7QnxrloE5dpUplbV

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b3c5e452781999b7b3941a1122de1b510ebe801ed9c2b9f8c9f1b1fce29aba31N.exe
    "C:\Users\Admin\AppData\Local\Temp\b3c5e452781999b7b3941a1122de1b510ebe801ed9c2b9f8c9f1b1fce29aba31N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2524
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1388
    • C:\Adobe76\devbodec.exe
      C:\Adobe76\devbodec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4604

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Adobe76\devbodec.exe

    Filesize

    2.6MB

    MD5

    fe97d471b3431cead4a7ea0eae2f8568

    SHA1

    99da81e0c43ee8dbf7b6011be92223ba48d321fa

    SHA256

    9f2165eadf855180b2fa8dfcba81bd996c2137fb88d69c3de3a0d7c873a49f4f

    SHA512

    c8d41f23be444b804f1ac7ceadd203077e79a7226ea6c836b1732ab7b8469abd0c67e9aaf45d74dbec8a2b447c5f4bc57eb53625a2c1cf4c8e1a2b436ff4319f

  • C:\Mint6P\dobaloc.exe

    Filesize

    520KB

    MD5

    e2611b3ec5f09559371a14c5e3acbf3f

    SHA1

    9d0f01a48f7eb2ae9646dda705e450897cdb0699

    SHA256

    878f66d0a8edfbc16035b008a4eb29d2b93932a4eb4ebb2c4532f9dc95d99c85

    SHA512

    c756b70a23c5cb1abfe37e7f1a103aabaa00c7fe7c91afcb984c34e5174a965bddb2652900dd378e1bc86c1f75f123fa69156494a2f3fc087eda0802d218cf12

  • C:\Mint6P\dobaloc.exe

    Filesize

    256B

    MD5

    bae5eb085a9f023b8d36e2a083933bdd

    SHA1

    c8f3b383d6ce74e8606027a03db4b0ae08c513b1

    SHA256

    b505b72bbec0ac5ef11559a9e1cd5d9b176f6b03b0dc9296023c144e105605ab

    SHA512

    93d15b5bec81644cf4030f24c5941cb76efb1e539e47e25ee9c722db4b1b52b8ec129fef26b9080ad23fe6b7d1f0752e3a263040aa5557656967acd4d5e485f3

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    203B

    MD5

    7925f699ae729518098d0c7c2908b134

    SHA1

    b61a2716619c478b31319e3b8a85a27a972e5348

    SHA256

    85e3e9b027863e60bad5d423375dc0f14f5b1503098e5effb1074b9e68b7e79c

    SHA512

    b716841d44882086d40a9303656b8743f3885e018d75c2008ca90b3dc8eeeb14653d8612eb0d1357df9b61da36e6494ab547ff6500303ebc25858fcb2173a0bd

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    171B

    MD5

    76bbf63e5abea4545e7fe84f2aabb19e

    SHA1

    b66095a001730b43e7c7269939b126ffa9fc8629

    SHA256

    af80af06ca966672a364148390dd7c26f4d63dee1395d56238da34a6cd720f5b

    SHA512

    f2c49341014427dce871daf45976a6dc55212ae267ec87b8f16e3d673dc0b68c00832d96e08a4b50fe23f892d6882202ee7820055375e474a52abb61d3fd5e68

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe

    Filesize

    2.6MB

    MD5

    f9007f999c51a1016c37e24d8e9a9a16

    SHA1

    18a6fdb3db1c96f66a848bbffc989e44a387a684

    SHA256

    29b77b47598f4b6db2d4775ab294a5c7926bcb316f8c1dbd622e105a53c45f66

    SHA512

    2463938d3837ca6d89263b53e8b9d4bb807de6a80baf725d583fec2c94cb195000ded11bb81421f413a220e2ad2072affeb4ebfd5267b400efbd9dac6239cab7
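
The Signatures, Processes and Downloads sections above give two kinds of indicator for this sample: exact hashes of the dropped files, and the locations it writes them to (the per-user Startup folder for persistence, C:\Adobe76 and C:\Mint6P for staging). The script below is an added example, not part of the tria.ge report and not the sample's own code. It walks an evidence tree (assumed to be the victim's system drive mounted at a local path, mapped back to `C:\`), hashes every file, and flags anything that matches a report hash or sits in one of those locations. The SHA256 values are copied from the report; the mount-to-drive mapping, the rule wording and the test data are assumptions made for illustration.

```python
"""Offline IoC matcher for the sample analysed above (added example, not report code).

Walks a mounted evidence tree, hashes each file, and flags files whose SHA256
is listed in the report or whose path matches the sample's persistence and
staging locations. Assumes the tree root corresponds to the victim's C: drive.
"""
import hashlib
import os
import re
from dataclasses import dataclass, field
from pathlib import Path

# SHA256 digests copied from the General and Downloads sections of the report.
REPORT_SHA256 = {
    "b3c5e452781999b7b3941a1122de1b510ebe801ed9c2b9f8c9f1b1fce29aba31": "original sample (b3c5e452...N.exe)",
    "9f2165eadf855180b2fa8dfcba81bd996c2137fb88d69c3de3a0d7c873a49f4f": r"C:\Adobe76\devbodec.exe",
    "878f66d0a8edfbc16035b008a4eb29d2b93932a4eb4ebb2c4532f9dc95d99c85": r"C:\Mint6P\dobaloc.exe (520KB)",
    "b505b72bbec0ac5ef11559a9e1cd5d9b176f6b03b0dc9296023c144e105605ab": r"C:\Mint6P\dobaloc.exe (256B)",
    "85e3e9b027863e60bad5d423375dc0f14f5b1503098e5effb1074b9e68b7e79c": r"C:\Users\Admin\253086396416_10.0_Admin.ini (203B)",
    "af80af06ca966672a364148390dd7c26f4d63dee1395d56238da34a6cd720f5b": r"C:\Users\Admin\253086396416_10.0_Admin.ini (171B)",
    "29b77b47598f4b6db2d4775ab294a5c7926bcb316f8c1dbd622e105a53c45f66": r"Startup\locdevbod.exe",
}

# Locations the process tree shows being used. The per-user Startup folder is
# the "Drops startup file" persistence; C:\Adobe76 and C:\Mint6P are the
# directories the second-stage executables are dropped into.
PATH_RULES = [
    (re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", re.I),
     "executable in per-user Startup folder (autorun persistence)"),
    (re.compile(r"^[A-Z]:\\(Adobe76|Mint6P)\\[^\\]+\.exe$", re.I),
     "executable in staging directory used by the sample"),
]


@dataclass
class Finding:
    win_path: str
    sha256: str
    reasons: list = field(default_factory=list)


def hash_file(path):
    """Return (md5, sha1, sha256) hex digests, streaming so large files are fine."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            md5.update(chunk)
            sha1.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha1.hexdigest(), sha256.hexdigest()


def classify(win_path, sha256):
    """Match one file against the hash and path indicators; return reason strings."""
    reasons = []
    if sha256 in REPORT_SHA256:
        reasons.append(f"SHA256 matches report artifact: {REPORT_SHA256[sha256]}")
    for rx, why in PATH_RULES:
        if rx.search(win_path):
            reasons.append(why)
    return reasons


def scan(root, drive="C:"):
    """Walk the evidence tree at `root` (assumed to be the victim's system drive,
    mapped to `drive`) and return a Finding for every file that matches."""
    root = Path(root)
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if not p.is_file():  # skip broken links, sockets etc.
                continue
            rel = p.relative_to(root)
            # Rebuild the path as it would appear on the victim host.
            win_path = drive + "\\" + "\\".join(rel.parts)
            _, _, sha256 = hash_file(p)
            reasons = classify(win_path, sha256)
            if reasons:
                findings.append(Finding(win_path, sha256, reasons))
    return findings


if __name__ == "__main__":
    import sys
    for f in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f.win_path, f.sha256)
        for r in f.reasons:
            print("   -", r)
```

Two caveats a responder should keep in mind. The hash matches only catch these exact builds, and the dropped filenames (locdevbod.exe, devbodec.exe, dobaloc.exe) look generated, so the Startup-folder path rule is the more durable check across variants. The report also flags "Adds Run key to start application" but does not show the value name or data, so that persistence channel still has to be reviewed in the HKCU Run key by hand (or from a registry hive export); this script only covers the file-system artifacts the report lists.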