Analysis
  max time kernel: 119s
  max time network: 111s
  platform: windows10-2004_x64
  resource: win10v2004-20241007-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 25/10/2024, 21:34
Static task: static1
Behavioral task: behavioral1
  Sample: d5e99c574bf2ac3e2497887e1e71b6748599155de9d767664b0a781de60ac7b6N.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: d5e99c574bf2ac3e2497887e1e71b6748599155de9d767664b0a781de60ac7b6N.exe
  Resource: win10v2004-20241007-en
General
  Target: d5e99c574bf2ac3e2497887e1e71b6748599155de9d767664b0a781de60ac7b6N.exe
  Size: 2.6MB
  MD5: a8e06e00a02d3af625f54ccc0436a880
  SHA1: 21fa0fd5b7de07759501a7f153fe4057b4f715f6
  SHA256: d5e99c574bf2ac3e2497887e1e71b6748599155de9d767664b0a781de60ac7b6
  SHA512: c2c3aaed448e48740ca44c010cba4ab450970528e01b12769e9777c99ecfb24d03e13691f8205a40feaf2ebe8a73e472c41871cb4c3c643f634244c3c02004c9
  SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBvB/bS:sxX7QnxrloE5dpUp8b
Malware Config
Signatures

Drops startup file (1 IoC)
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
  Process: d5e99c574bf2ac3e2497887e1e71b6748599155de9d767664b0a781de60ac7b6N.exe

Executes dropped EXE (2 IoCs)
  pid 2900  Process: locdevbod.exe
  pid 2416  Process: xbodloc.exe

Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeKP\\xbodloc.exe"
  Process: d5e99c574bf2ac3e2497887e1e71b6748599155de9d767664b0a781de60ac7b6N.exe

  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidVM\\dobasys.exe"
  Process: d5e99c574bf2ac3e2497887e1e71b6748599155de9d767664b0a781de60ac7b6N.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: d5e99c574bf2ac3e2497887e1e71b6748599155de9d767664b0a781de60ac7b6N.exe

  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: locdevbod.exe

  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: xbodloc.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 844   Process: d5e99c574bf2ac3e2497887e1e71b6748599155de9d767664b0a781de60ac7b6N.exe (4 entries)
  pid 2900  Process: locdevbod.exe
  pid 2416  Process: xbodloc.exe
  (the remaining 60 entries alternate in pairs between pid 2900 locdevbod.exe and pid 2416 xbodloc.exe)

Suspicious use of WriteProcessMemory (6 IoCs)
  description: PID 844 wrote to memory of 2900
  pid: 844
  Process: d5e99c574bf2ac3e2497887e1e71b6748599155de9d767664b0a781de60ac7b6N.exe
  procid_target: 87
  (3 entries)

  description: PID 844 wrote to memory of 2416
  pid: 844
  Process: d5e99c574bf2ac3e2497887e1e71b6748599155de9d767664b0a781de60ac7b6N.exe
  procid_target: 88
  (3 entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\d5e99c574bf2ac3e2497887e1e71b6748599155de9d767664b0a781de60ac7b6N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\d5e99c574bf2ac3e2497887e1e71b6748599155de9d767664b0a781de60ac7b6N.exe"
   PID: 844
   - Drops startup file
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
      PID: 2900
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

   2. C:\AdobeKP\xbodloc.exe
      Command line: C:\AdobeKP\xbodloc.exe
      PID: 2416
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

  Filesize: 2.6MB
  MD5: 394a81baa5c33277860d8efb5bbef6bb
  SHA1: 0ea2876ba93f5ff54fd6c9517fa6f74fde430cb7
  SHA256: 1994c354dd141c1b3ee5740f50e7a99387e5d29284eaab3a3d413a0da367bf86
  SHA512: a2f1efdaf7c5caf81bc184fbcbff3283989e05fe9cbd70ba59808f734fbd4e66ec8116dcfc21773d7bb078ba537beb0bf01de478f0ed02299ea751e4d76f8766

  Filesize: 201B
  MD5: 0b668ada093c59ab54cb04e2d2156ab6
  SHA1: 7fd6240427ccf02c3c567ca56ccee3f6e2497c19
  SHA256: dabf9ea1e32488aa3e8e1d02b621d0a6ff2cad91401cb56d9da08b84237af27a
  SHA512: 45391a00884125a1fd3cd9b748dfa09f0c42f8103fd1765ed3675231d92b180f51cc90343f6ff764b3c08e3ce60135f8c7d2cfc808e1fcb85f663639a275924c

  Filesize: 169B
  MD5: 75914ec5f28e1ffe8b0b6d6c7a12d09e
  SHA1: b99e14d4e4d9975a6b30311cdbea958ead71c336
  SHA256: 0fc280959805515cde93c541dc36ed4bb7c7d01d690d9177ece69992feab5d5d
  SHA512: adeb776b949f699fc032d72e6c86e22141b98d527ad52c7723eb3e4a3209e6702665c01265e77996403f250beb6bfd2305917a82139c627a20cfc98d67cd087a

  Filesize: 2.6MB
  MD5: da86300540664e84459a04d65d6bb719
  SHA1: 6896ad429fad7bfd3abfdfe35221a5be24f9a315
  SHA256: c800a1c253321f08c490408114a75fe5e994038fc7cda58064df21c0e6a4b843
  SHA512: ddb400f9310d2a90d6cfaa2e138b2854cd0e839f6a4f656122328e5e9fcbcc429f4b5a184e9a0792a2e49c22f7395265e2882c3fc963343a9e387103ad0bc93f

  Filesize: 1.6MB
  MD5: 4c69ae19ec04d9955eb3652fab20356f
  SHA1: 21f2526ece26825c7c532e0878f5854b64374f39
  SHA256: 99cb0bd61937ce0187355924fba8d0f31952d2e2de4eeea8df90ddb5ff97085c
  SHA512: 7c7c366fce27d48922fcff87ae445ebcb5d9b76d02a067f311f4894ad93fb144c9cfc3d33b6e41dc3f1cbe91c32d797fee03b9ed9647943ac6407d8617411b0a

  Filesize: 265KB
  MD5: d2c017e67769b599330f4d8906b54b02
  SHA1: 681bc9decd5da8eaab0dd86b931582e96f1f2050
  SHA256: b05b2cff8b6174d9363fce05507993cccad7db3b183a48cb81ecad2a0d8ca317
  SHA512: fc35610064106195e78772e0c9ebf59c6f3d50a2d1c5630ef9c9e8cd43f5089fb3ef83332b6995935a4e4490b81b021a94270a341bd7b22f8425dda208c9ab96