Analysis
max time kernel: 120s
max time network: 122s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/10/2024, 21:27
Static task: static1
Behavioral task: behavioral1
  Sample: f3583f67d8687f8a0565eae2e32170454b4d10b8c22f3175131e3929dae3d3ffN.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: f3583f67d8687f8a0565eae2e32170454b4d10b8c22f3175131e3929dae3d3ffN.exe
  Resource: win10v2004-20241007-en
General
Target: f3583f67d8687f8a0565eae2e32170454b4d10b8c22f3175131e3929dae3d3ffN.exe
Size: 2.6MB
MD5: f93c642af9f7a792ad4003e2dac40310
SHA1: 4367c57bede3f3f658630b1979a1cac5e4d4a1ce
SHA256: f3583f67d8687f8a0565eae2e32170454b4d10b8c22f3175131e3929dae3d3ff
SHA512: a4a33d8a281835e0fdcd8fed01b0a3397d3e217cb972b23d0902f4a0095ab061c73d7203c3dccda3832605cfbcc3a0ef7a6a91e59dca1891a8e961ee40b07177
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBdB/bSq:sxX7QnxrloE5dpUpmbV
Malware Config
Signatures

Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe (process: f3583f67d8687f8a0565eae2e32170454b4d10b8c22f3175131e3929dae3d3ffN.exe)

Executes dropped EXE (2 IoCs)
  PID 4252: sysdevbod.exe
  PID 4112: devoptiloc.exe

Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvTL\\devoptiloc.exe" (process: f3583f67d8687f8a0565eae2e32170454b4d10b8c22f3175131e3929dae3d3ffN.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxHV\\dobdevec.exe" (process: f3583f67d8687f8a0565eae2e32170454b4d10b8c22f3175131e3929dae3d3ffN.exe)
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: f3583f67d8687f8a0565eae2e32170454b4d10b8c22f3175131e3929dae3d3ffN.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: sysdevbod.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: devoptiloc.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid Process: 3148 f3583f67d8687f8a0565eae2e32170454b4d10b8c22f3175131e3929dae3d3ffN.exe 3148 f3583f67d8687f8a0565eae2e32170454b4d10b8c22f3175131e3929dae3d3ffN.exe 3148 f3583f67d8687f8a0565eae2e32170454b4d10b8c22f3175131e3929dae3d3ffN.exe 3148 f3583f67d8687f8a0565eae2e32170454b4d10b8c22f3175131e3929dae3d3ffN.exe 4252 sysdevbod.exe 4252 sysdevbod.exe 4112 devoptiloc.exe 4112 devoptiloc.exe 4252 sysdevbod.exe 4252 sysdevbod.exe 4112 devoptiloc.exe 4112 devoptiloc.exe 4252 sysdevbod.exe 4252 sysdevbod.exe 4112 devoptiloc.exe 4112 devoptiloc.exe 4252 sysdevbod.exe 4252 sysdevbod.exe 4112 devoptiloc.exe 4112 devoptiloc.exe 4252 sysdevbod.exe 4252 sysdevbod.exe 4112 devoptiloc.exe 4112 devoptiloc.exe 4252 sysdevbod.exe 4252 sysdevbod.exe 4112 devoptiloc.exe 4112 devoptiloc.exe 4252 sysdevbod.exe 4252 sysdevbod.exe 4112 devoptiloc.exe 4112 devoptiloc.exe 4252 sysdevbod.exe 4252 sysdevbod.exe 4112 devoptiloc.exe 4112 devoptiloc.exe 4252 sysdevbod.exe 4252 sysdevbod.exe 4112 devoptiloc.exe 4112 devoptiloc.exe 4252 sysdevbod.exe 4252 sysdevbod.exe 4112 devoptiloc.exe 4112 devoptiloc.exe 4252 sysdevbod.exe 4252 sysdevbod.exe 4112 devoptiloc.exe 4112 devoptiloc.exe 4252 sysdevbod.exe 4252 sysdevbod.exe 4112 devoptiloc.exe 4112 devoptiloc.exe 4252 sysdevbod.exe 4252 sysdevbod.exe 4112 devoptiloc.exe 4112 devoptiloc.exe 4252 sysdevbod.exe 4252 sysdevbod.exe 4112 devoptiloc.exe 4112 devoptiloc.exe 4252 sysdevbod.exe 4252 sysdevbod.exe 4112 devoptiloc.exe 4112 devoptiloc.exe
Suspicious use of WriteProcessMemory (6 IoCs)
  PID 3148 wrote to memory of 4252 (process: f3583f67d8687f8a0565eae2e32170454b4d10b8c22f3175131e3929dae3d3ffN.exe, procid_target: 87)
  PID 3148 wrote to memory of 4252 (process: f3583f67d8687f8a0565eae2e32170454b4d10b8c22f3175131e3929dae3d3ffN.exe, procid_target: 87)
  PID 3148 wrote to memory of 4252 (process: f3583f67d8687f8a0565eae2e32170454b4d10b8c22f3175131e3929dae3d3ffN.exe, procid_target: 87)
  PID 3148 wrote to memory of 4112 (process: f3583f67d8687f8a0565eae2e32170454b4d10b8c22f3175131e3929dae3d3ffN.exe, procid_target: 88)
  PID 3148 wrote to memory of 4112 (process: f3583f67d8687f8a0565eae2e32170454b4d10b8c22f3175131e3929dae3d3ffN.exe, procid_target: 88)
  PID 3148 wrote to memory of 4112 (process: f3583f67d8687f8a0565eae2e32170454b4d10b8c22f3175131e3929dae3d3ffN.exe, procid_target: 88)
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\f3583f67d8687f8a0565eae2e32170454b4d10b8c22f3175131e3929dae3d3ffN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f3583f67d8687f8a0565eae2e32170454b4d10b8c22f3175131e3929dae3d3ffN.exe"
  PID: 3148
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  Level 2 (child of PID 3148): C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
    PID: 4252
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

  Level 2 (child of PID 3148): C:\SysDrvTL\devoptiloc.exe
    Command line: C:\SysDrvTL\devoptiloc.exe
    PID: 4112
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads