Analysis

  • max time kernel
    120s
  • max time network
    122s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/10/2024, 21:27

General

  • Target
    f3583f67d8687f8a0565eae2e32170454b4d10b8c22f3175131e3929dae3d3ffN.exe
  • Size
    2.6MB
  • MD5
    f93c642af9f7a792ad4003e2dac40310
  • SHA1
    4367c57bede3f3f658630b1979a1cac5e4d4a1ce
  • SHA256
    f3583f67d8687f8a0565eae2e32170454b4d10b8c22f3175131e3929dae3d3ff
  • SHA512
    a4a33d8a281835e0fdcd8fed01b0a3397d3e217cb972b23d0902f4a0095ab061c73d7203c3dccda3832605cfbcc3a0ef7a6a91e59dca1891a8e961ee40b07177
  • SSDEEP
    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBdB/bSq:sxX7QnxrloE5dpUpmbV

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f3583f67d8687f8a0565eae2e32170454b4d10b8c22f3175131e3929dae3d3ffN.exe
    "C:\Users\Admin\AppData\Local\Temp\f3583f67d8687f8a0565eae2e32170454b4d10b8c22f3175131e3929dae3d3ffN.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3148
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4252
    • C:\SysDrvTL\devoptiloc.exe
      C:\SysDrvTL\devoptiloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4112

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\GalaxHV\dobdevec.exe
    Filesize
    2.6MB
    MD5
    3fd4c3dbbcba724f05f38d3192563496
    SHA1
    8964c6091f5f5e451169caa7a8244f4233c51068
    SHA256
    39ad0278d6b15d0b4c77cb002f8410c0ec707f351cce5ec260008e0d2125efc8
    SHA512
    44225384427f4655fe5cfd58c52bece792d6ae2e1c023f5202183f2d2ad4cf973f89d47cd84c6d3911c674be849b733e0fb11d8c8f3dce64d46d166b33f67722
  • C:\GalaxHV\dobdevec.exe
    Filesize
    2.6MB
    MD5
    569ebc9db4bfc247870badce5302fe52
    SHA1
    bb4c098d1c135d694d378e48bc0832a24a3c6571
    SHA256
    5859bf38bc478e447885c029f6d7c6ec5f1b08dda0bfe03d4f71d9e1f054b7f1
    SHA512
    5ff2865e22f04773e350b56ec7c5a5c0591f884501284e6150da0b11ef2c47c50f0a9a64a433c19773fa84a75e9d12e8b2f78cf8de430ca5276806d7189b8eff
  • C:\SysDrvTL\devoptiloc.exe
    Filesize
    2.6MB
    MD5
    83ee5b915c241317909f9abf1c9b51f2
    SHA1
    d2b56ae66eab05480ca753329f372c6d1cdac3de
    SHA256
    555052993bb40114ce46e1cdfacfc6293bde1115d44182fb9a2a1ca48925c631
    SHA512
    3dc189129d816d5b56631150abc376cc2e1b1f95aa236e34de8c029cfd9ae18025a34e766a0230efeb81dde2093734d19385ec71711dcca86e3627a1b91f15bc
  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize
    208B
    MD5
    20be682eaf1079762e5994180acbd9e5
    SHA1
    b3e4059b5f59bf7f1869dafcfdf6063c53cc69a5
    SHA256
    b18b882a5a9993494ef9b76c32df4c4fc8dda307b71710fd76f7f15b29580515
    SHA512
    0d239649283ec7719dfb70626ad0751ce2a3588c3a6469a6a5b7f238e90bbb22b15dfb18cc83b385e2675a71d8058a649055c353c63650a0fc221abe5725eb10
  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize
    176B
    MD5
    7f30ac06e8bec73fd277f605c2d19c9b
    SHA1
    70249f190dc1ff24a3d0ea1823756ff8d21b4fb7
    SHA256
    7ac2ffb93ba4aa27a0b2ba702d383d9945882b144fe7c6b4279ca66772aa5f5a
    SHA512
    11d071ef911da18fe630321cb59d5b4809709afefddb96432eb613832ade61afcde1db258156ef6e73dbe3a8d4408d09967a5f11e5d19d3635ed9fb60e3f58d1
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
    Filesize
    2.6MB
    MD5
    6151b63351e789812ebe21ca2083af69
    SHA1
    3cfa92d064c9492ab2c07a09d741b3ad10e2fbd9
    SHA256
    e6fda5cf79b9e2a81767584668eee0afb8ce65b5b340beb7fca94e244784c9b9
    SHA512
    01e2d54b0e9a3ab658ab4e08994ae086076bcfe3de48ebb3453d5ada2edb8dd50877a8108a05961ed559fc20fde651c0b108b4d9f0c6f2bb67d68f41a2b5bc3f