Analysis

  • max time kernel: 119s
  • max time network: 111s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 25/10/2024, 21:34

General

  • Target: d5e99c574bf2ac3e2497887e1e71b6748599155de9d767664b0a781de60ac7b6N.exe
  • Size: 2.6MB
  • MD5: a8e06e00a02d3af625f54ccc0436a880
  • SHA1: 21fa0fd5b7de07759501a7f153fe4057b4f715f6
  • SHA256: d5e99c574bf2ac3e2497887e1e71b6748599155de9d767664b0a781de60ac7b6
  • SHA512: c2c3aaed448e48740ca44c010cba4ab450970528e01b12769e9777c99ecfb24d03e13691f8205a40feaf2ebe8a73e472c41871cb4c3c643f634244c3c02004c9
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBvB/bS:sxX7QnxrloE5dpUp8b

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d5e99c574bf2ac3e2497887e1e71b6748599155de9d767664b0a781de60ac7b6N.exe
    "C:\Users\Admin\AppData\Local\Temp\d5e99c574bf2ac3e2497887e1e71b6748599155de9d767664b0a781de60ac7b6N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:844
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2900
    • C:\AdobeKP\xbodloc.exe
      C:\AdobeKP\xbodloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2416

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\AdobeKP\xbodloc.exe
    Filesize: 2.6MB
    MD5: 394a81baa5c33277860d8efb5bbef6bb
    SHA1: 0ea2876ba93f5ff54fd6c9517fa6f74fde430cb7
    SHA256: 1994c354dd141c1b3ee5740f50e7a99387e5d29284eaab3a3d413a0da367bf86
    SHA512: a2f1efdaf7c5caf81bc184fbcbff3283989e05fe9cbd70ba59808f734fbd4e66ec8116dcfc21773d7bb078ba537beb0bf01de478f0ed02299ea751e4d76f8766

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 201B
    MD5: 0b668ada093c59ab54cb04e2d2156ab6
    SHA1: 7fd6240427ccf02c3c567ca56ccee3f6e2497c19
    SHA256: dabf9ea1e32488aa3e8e1d02b621d0a6ff2cad91401cb56d9da08b84237af27a
    SHA512: 45391a00884125a1fd3cd9b748dfa09f0c42f8103fd1765ed3675231d92b180f51cc90343f6ff764b3c08e3ce60135f8c7d2cfc808e1fcb85f663639a275924c

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 169B
    MD5: 75914ec5f28e1ffe8b0b6d6c7a12d09e
    SHA1: b99e14d4e4d9975a6b30311cdbea958ead71c336
    SHA256: 0fc280959805515cde93c541dc36ed4bb7c7d01d690d9177ece69992feab5d5d
    SHA512: adeb776b949f699fc032d72e6c86e22141b98d527ad52c7723eb3e4a3209e6702665c01265e77996403f250beb6bfd2305917a82139c627a20cfc98d67cd087a

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
    Filesize: 2.6MB
    MD5: da86300540664e84459a04d65d6bb719
    SHA1: 6896ad429fad7bfd3abfdfe35221a5be24f9a315
    SHA256: c800a1c253321f08c490408114a75fe5e994038fc7cda58064df21c0e6a4b843
    SHA512: ddb400f9310d2a90d6cfaa2e138b2854cd0e839f6a4f656122328e5e9fcbcc429f4b5a184e9a0792a2e49c22f7395265e2882c3fc963343a9e387103ad0bc93f

  • C:\VidVM\dobasys.exe
    Filesize: 1.6MB
    MD5: 4c69ae19ec04d9955eb3652fab20356f
    SHA1: 21f2526ece26825c7c532e0878f5854b64374f39
    SHA256: 99cb0bd61937ce0187355924fba8d0f31952d2e2de4eeea8df90ddb5ff97085c
    SHA512: 7c7c366fce27d48922fcff87ae445ebcb5d9b76d02a067f311f4894ad93fb144c9cfc3d33b6e41dc3f1cbe91c32d797fee03b9ed9647943ac6407d8617411b0a

  • C:\VidVM\dobasys.exe
    Filesize: 265KB
    MD5: d2c017e67769b599330f4d8906b54b02
    SHA1: 681bc9decd5da8eaab0dd86b931582e96f1f2050
    SHA256: b05b2cff8b6174d9363fce05507993cccad7db3b183a48cb81ecad2a0d8ca317
    SHA512: fc35610064106195e78772e0c9ebf59c6f3d50a2d1c5630ef9c9e8cd43f5089fb3ef83332b6995935a4e4490b81b021a94270a341bd7b22f8425dda208c9ab96