Analysis
max time kernel: 119s
max time network: 108s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/10/2024, 21:47
Static task: static1
Behavioral task: behavioral1
  Sample: b54b947fe2a4daf89779cb54005a28bfde307a5272caed8b6193670e13f4d562N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: b54b947fe2a4daf89779cb54005a28bfde307a5272caed8b6193670e13f4d562N.exe
  Resource: win10v2004-20241007-en
General
Target: b54b947fe2a4daf89779cb54005a28bfde307a5272caed8b6193670e13f4d562N.exe
Size: 2.6MB
MD5: 5b845a80bef42554df3ea079f48ce7d0
SHA1: f53ffb3446bb3208ee2bda3fb8bc87a8e8a3b09f
SHA256: b54b947fe2a4daf89779cb54005a28bfde307a5272caed8b6193670e13f4d562
SHA512: 362cb12a11bb66e6c3c1116b1be75f6de0795986eeac7bf39a1d38cb86bc6780cf5debb2187b90f101965caa56f0615a649c7b5317bb4687dfe04d0f1cf1546a
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB0B/bS:sxX7QnxrloE5dpUpDb
Malware Config
Signatures
- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
  Process: b54b947fe2a4daf89779cb54005a28bfde307a5272caed8b6193670e13f4d562N.exe
- Executes dropped EXE (2 IoCs)
  PID 2432: ecadob.exe
  PID 216: devbodsys.exe
- Reads user/profile data of web browsers (3 TTPs, no IoCs listed)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotZ7\\devbodsys.exe"
  Set value (str): \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid8J\\bodaloc.exe"
  Process (both): b54b947fe2a4daf89779cb54005a28bfde307a5272caed8b6193670e13f4d562N.exe
  Note: both values use the same name, Parametr, and point at executables in non-standard top-level directories (C:\UserDotZ7, C:\Vid8J). Only devbodsys.exe is observed executing in this run; bodaloc.exe appears nowhere else in the report.
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by b54b947fe2a4daf89779cb54005a28bfde307a5272caed8b6193670e13f4d562N.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by ecadob.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by devbodsys.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 60 b54b947fe2a4daf89779cb54005a28bfde307a5272caed8b6193670e13f4d562N.exe: 4 events
  PID 2432 ecadob.exe: 30 events
  PID 216 devbodsys.exe: 30 events
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 60 (b54b947fe2a4daf89779cb54005a28bfde307a5272caed8b6193670e13f4d562N.exe) wrote to memory of PID 2432 (ecadob.exe): 3 events (procid_target 87)
  PID 60 (b54b947fe2a4daf89779cb54005a28bfde307a5272caed8b6193670e13f4d562N.exe) wrote to memory of PID 216 (devbodsys.exe): 3 events (procid_target 88)
  Note: the only targets are the two children the sample itself spawns. A parent writing into a child it has just created is also what ordinary process creation looks like (the parent populates the new process's startup parameters), so on its own this is weak evidence of injection; the dropped-file and Run-key IoCs above are the stronger signals.
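Added host-triage check (not part of the tria.ge report): a read-only PowerShell script that looks on a live host for the persistence indicators listed in the Signatures above, the Run and RunOnce values named Parametr, the Startup-folder drop, and the two non-standard drop directories, and hashes anything it finds against the SHA256 values the report publishes. Assumptions, labelled in the comments: it runs as the affected user (the report's S-1-5-21-...-1000 hive is reached through HKCU), the SHA256 list is the report's own values for the sample and its two 2.6MB dropped artifacts, and since the page gives no hash for bodaloc.exe that path is only checked for existence.

```powershell
# Added triage script; assumes it is run in the session of the affected user so that
# HKCU: corresponds to the S-1-5-21-...-1000 hive shown in the report. Read-only.
$ErrorActionPreference = 'SilentlyContinue'

# Registry persistence from the report: Run and RunOnce values both named "Parametr".
$runValues = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';     Name = 'Parametr'; Expected = 'C:\UserDotZ7\devbodsys.exe' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'; Name = 'Parametr'; Expected = 'C:\Vid8J\bodaloc.exe' }
)

# Drop locations from the report (the Startup folder is per-user, so resolve it via $env:APPDATA).
$dropPaths = @(
    (Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe'),
    'C:\UserDotZ7\devbodsys.exe',
    'C:\Vid8J\bodaloc.exe'   # no hash on the page; existence check only
)

# SHA256 values published in the report (submitted sample and the two 2.6MB dropped artifacts).
$knownSha256 = @(
    'b54b947fe2a4daf89779cb54005a28bfde307a5272caed8b6193670e13f4d562',
    '823415d119edbd7ed5f8789ab33b7d85176fe0395f07fcfb7b07470381b6ad20',
    '257858d7e8e55bebc06bd00c32e78ee7d72e80be70a2d366cd54ecf0ee3ec546'
)

$findings = @()

# 1. Run / RunOnce values. MatchesReport tells you whether the value is the exact one observed
#    in the sandbox; a different path under the same value name is still worth a look.
foreach ($rv in $runValues) {
    $val = (Get-ItemProperty -Path $rv.Path -Name $rv.Name).($rv.Name)
    if ($null -ne $val) {
        $findings += [pscustomobject]@{
            Type = 'RegistryRunValue'; Location = "$($rv.Path)\$($rv.Name)"; Value = $val
            MatchesReport = ($val -eq $rv.Expected)
        }
    }
}

# 2. Dropped executables at the reported paths; hash whatever exists and compare to the report.
foreach ($p in $dropPaths) {
    if (Test-Path -LiteralPath $p) {
        $h = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash.ToLower()
        $findings += [pscustomobject]@{
            Type = 'DroppedFile'; Location = $p; Value = $h
            MatchesReport = ($knownSha256 -contains $h)
        }
    }
}

# 3. Anything currently running out of the two drop directories, regardless of file name.
$procs = Get-CimInstance Win32_Process |
    Where-Object { $_.ExecutablePath -like 'C:\UserDotZ7\*' -or $_.ExecutablePath -like 'C:\Vid8J\*' }
foreach ($proc in $procs) {
    $findings += [pscustomobject]@{
        Type = 'RunningProcess'; Location = $proc.ExecutablePath; Value = "PID $($proc.ProcessId)"
        MatchesReport = $true
    }
}

if ($findings.Count -eq 0) { 'No indicators from the report found on this host.' }
else { $findings | Format-Table -AutoSize }
```

To check a profile other than the one you are logged in as, replace the HKCU: paths with Registry::HKEY_USERS\<SID>\Software\Microsoft\Windows\CurrentVersion\Run (and RunOnce) and point the Startup path at that user's AppData; loading another user's hive needs elevation. Treat the literal names (Parametr, ecadob.exe, devbodsys.exe, the two directories) as specific to this sample; the durable pattern to hunt for is a Run or RunOnce value that points at an executable in a freshly created top-level directory, paired with a file written to the Startup folder by a process running from %TEMP%.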
Processes
- PID 60: C:\Users\Admin\AppData\Local\Temp\b54b947fe2a4daf89779cb54005a28bfde307a5272caed8b6193670e13f4d562N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b54b947fe2a4daf89779cb54005a28bfde307a5272caed8b6193670e13f4d562N.exe"
  Signatures: Drops startup file; Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - PID 2432 (child of 60): C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses
  - PID 216 (child of 60): C:\UserDotZ7\devbodsys.exe
    Command line: C:\UserDotZ7\devbodsys.exe
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
(The report does not name these files; they are listed by size and hash only. Both 2.6MB artifacts have hashes that differ from the submitted sample.)
- Artifact 1
  Filesize: 2.6MB
  MD5: 5e6b687e48647ba8b0e7f41ad43c9f48
  SHA1: e209d21951c4233fbb4bed8b41fba307f3643f5a
  SHA256: 823415d119edbd7ed5f8789ab33b7d85176fe0395f07fcfb7b07470381b6ad20
  SHA512: 9a0c1ea0ecf9d16884964c86d3957473d02b51549e874d8f06961eda21bfb75313e4eca3168bed2966e7298f2d563f377d4779fc937b512ca824d7852e4aac39
- Artifact 2
  Filesize: 202B
  MD5: dddc7fabebc2fc204e53da3573c80ca1
  SHA1: b9df54602ba0dd18c9e57050a84a194c752b52b3
  SHA256: 80920a7662984b1003a0849dead2dc6d923fe9b7750e56f5c96a50798de0326c
  SHA512: 4535dfc3fb2f5e9480d81edbd50b5a3d33c33eafef96e45e02dc687eb5a3e035ce2545a64852f5cb58d0719d1c7d1179ac01cad9703d6133f3e7efe74f0d6cf5
- Artifact 3
  Filesize: 170B
  MD5: b489d03f69f393ad886002a8e98d1a6d
  SHA1: d900401d798b7f52cad2af45edfcc6656673b840
  SHA256: c8b6f57aeec03bc7f6c22338eed0f3c3e94f6de0505d7f9879f9594e8600c980
  SHA512: 55a7cd2b3e827e3e7b684cb57676e8f43f0eaccfc5a17ed993d2c5ba09ed4b64b5030b3e8a3f0225848f95373916d6057de50d48c6475987d9e3e2521e73a2a9
- Artifact 4
  Filesize: 2.6MB
  MD5: 169f0cb40e66d67edfe78b276e0e770e
  SHA1: f756dfb3ff047bd1708f93d19aae851b1783110a
  SHA256: 257858d7e8e55bebc06bd00c32e78ee7d72e80be70a2d366cd54ecf0ee3ec546
  SHA512: dad4ae24c9162870155d446a3e22efd405997f01d8ded0bcef375d4fa0f02a7a54925ebd12189f4263c446aadbb12313da6690027a80a7fc03783868b6f21696
- Artifact 5
  Filesize: 13KB
  MD5: 642d5fd1c5d47e0cd3efc57772bc2053
  SHA1: bc41dd3d35783afbd472e73a9f63190d7e166933
  SHA256: 354d593722f5c5af8706226640303ec107869e0842004e188841efc1b84c1798
  SHA512: 3c5ab6241a835ab0cffcf0d36944fcc6eb3aa2afc83dcda29790a9a82f9f14ae2423a853816bc47894042dbca59e25ab4eb432113fe9ed87505cd8093adefab9
- Artifact 6
  Filesize: 53KB
  MD5: a44b2b9b212e50d4b2e889bc8361e636
  SHA1: 3d2b4f07a8739084e70e0c57ec43d84edf191869
  SHA256: 74a7da2fe915218456275fc65b33ebc2131c69d7323b3ac89e61ffcad5521756
  SHA512: cf723930340d1ddb4cfc147e1e5c4b09a335c60bfe114728434cd84b0f93bf8a86ab3a3e463c32f21fa420e3d377710cebfd81c297880e597af23479b3192171