Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    119s
  • max time network
    108s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/10/2024, 21:47

General

  • Target

    b54b947fe2a4daf89779cb54005a28bfde307a5272caed8b6193670e13f4d562N.exe

  • Size

    2.6MB

  • MD5

    5b845a80bef42554df3ea079f48ce7d0

  • SHA1

    f53ffb3446bb3208ee2bda3fb8bc87a8e8a3b09f

  • SHA256

    b54b947fe2a4daf89779cb54005a28bfde307a5272caed8b6193670e13f4d562

  • SHA512

    362cb12a11bb66e6c3c1116b1be75f6de0795986eeac7bf39a1d38cb86bc6780cf5debb2187b90f101965caa56f0615a649c7b5317bb4687dfe04d0f1cf1546a

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB0B/bS:sxX7QnxrloE5dpUpDb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b54b947fe2a4daf89779cb54005a28bfde307a5272caed8b6193670e13f4d562N.exe
    "C:\Users\Admin\AppData\Local\Temp\b54b947fe2a4daf89779cb54005a28bfde307a5272caed8b6193670e13f4d562N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:60
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2432
    • C:\UserDotZ7\devbodsys.exe
      C:\UserDotZ7\devbodsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:216
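The Signatures and Processes sections above describe host behaviour that can be checked for directly on an endpoint: a file written into the user's Startup folder, a value set under the CurrentVersion\Run key, and child processes started from the files the sample had just written. The following is an added example, not part of the report and not tria.ge code. It runs those three checks as a single pass over constructed Sysmon-style events (event IDs 1, 11 and 13 follow Sysmon's numbering) that replay this process tree. The PIDs and file paths are taken from the report; the Run value name "ecadob", the SID, the explorer.exe parent and the benign noise events are assumptions added to show the rules do not fire on ordinary activity.

```python
import re
from typing import Dict, List, Tuple

# Paths taken from the process tree above.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\b54b947fe2a4daf89779cb54005a28bfde307a5272caed8b6193670e13f4d562N.exe"
STARTUP_EXE = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
ROOT_EXE = r"C:\UserDotZ7\devbodsys.exe"

# Constructed Sysmon-style events (plain dicts, not real EVTX records) that
# replay the behaviour in the report. The Run value name "ecadob", the SID and
# the explorer.exe parent are assumptions; the report does not show them.
EVENTS: List[Dict] = [
    {"EventID": 1, "ProcessId": 60, "Image": SAMPLE, "ParentProcessId": 4321,
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 11, "ProcessId": 60, "Image": SAMPLE, "TargetFilename": STARTUP_EXE},
    {"EventID": 11, "ProcessId": 60, "Image": SAMPLE, "TargetFilename": ROOT_EXE},
    {"EventID": 13, "ProcessId": 60, "Image": SAMPLE, "EventType": "SetValue",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\ecadob",
     "Details": STARTUP_EXE},
    {"EventID": 1, "ProcessId": 2432, "Image": STARTUP_EXE, "ParentProcessId": 60, "ParentImage": SAMPLE},
    {"EventID": 1, "ProcessId": 216, "Image": ROOT_EXE, "ParentProcessId": 60, "ParentImage": SAMPLE},
    # Constructed benign noise that must not fire: a document write and an ordinary process start.
    {"EventID": 11, "ProcessId": 900, "Image": r"C:\Windows\System32\notepad.exe",
     "TargetFilename": r"C:\Users\Admin\Documents\notes.txt"},
    {"EventID": 1, "ProcessId": 901, "Image": r"C:\Windows\System32\cmd.exe", "ParentProcessId": 4321,
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# A file placed directly in a per-user Startup folder.
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+$", re.IGNORECASE)
# A value written under the per-user or machine Run / RunOnce key.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.IGNORECASE)

Alert = Tuple[str, int, str]  # (signature name, pid, detail)


def detect(events: List[Dict]) -> List[Alert]:
    """Single pass over time-ordered events. Files seen being written are
    remembered so that a later process start from one of them is reported as
    execution of a dropped file and tied back to the process that wrote it."""
    alerts: List[Alert] = []
    dropped: Dict[str, int] = {}  # lower-cased path -> pid that wrote it
    for ev in events:
        eid = ev["EventID"]
        if eid == 11:  # FileCreate
            target = ev["TargetFilename"]
            dropped[target.lower()] = ev["ProcessId"]
            if STARTUP_DIR_RE.search(target):
                alerts.append(("Drops startup file", ev["ProcessId"], target))
        elif eid == 13 and ev.get("EventType") == "SetValue":  # RegistryEvent
            if RUN_KEY_RE.search(ev["TargetObject"]):
                alerts.append(("Adds Run key to start application", ev["ProcessId"],
                               f'{ev["TargetObject"]} = {ev.get("Details", "")}'))
        elif eid == 1:  # ProcessCreate
            writer = dropped.get(ev["Image"].lower())
            if writer is not None:
                alerts.append(("Executes dropped EXE", ev["ProcessId"],
                               f'{ev["Image"]} (written by pid {writer})'))
    return alerts


if __name__ == "__main__":
    for sig, pid, detail in detect(EVENTS):
        print(f"{sig:<36} pid={pid:<5} {detail}")
```

The correlation in the ProcessCreate branch only works if the FileCreate event precedes the process start in the stream, which is the case for a time-ordered export; on a live collector the same dictionary would be kept across batches. The sample's own start (PID 60) is not flagged because nothing in the stream wrote it.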

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\UserDotZ7\devbodsys.exe

    Filesize

    2.6MB

    MD5

    5e6b687e48647ba8b0e7f41ad43c9f48

    SHA1

    e209d21951c4233fbb4bed8b41fba307f3643f5a

    SHA256

    823415d119edbd7ed5f8789ab33b7d85176fe0395f07fcfb7b07470381b6ad20

    SHA512

    9a0c1ea0ecf9d16884964c86d3957473d02b51549e874d8f06961eda21bfb75313e4eca3168bed2966e7298f2d563f377d4779fc937b512ca824d7852e4aac39

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    202B

    MD5

    dddc7fabebc2fc204e53da3573c80ca1

    SHA1

    b9df54602ba0dd18c9e57050a84a194c752b52b3

    SHA256

    80920a7662984b1003a0849dead2dc6d923fe9b7750e56f5c96a50798de0326c

    SHA512

    4535dfc3fb2f5e9480d81edbd50b5a3d33c33eafef96e45e02dc687eb5a3e035ce2545a64852f5cb58d0719d1c7d1179ac01cad9703d6133f3e7efe74f0d6cf5

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    170B

    MD5

    b489d03f69f393ad886002a8e98d1a6d

    SHA1

    d900401d798b7f52cad2af45edfcc6656673b840

    SHA256

    c8b6f57aeec03bc7f6c22338eed0f3c3e94f6de0505d7f9879f9594e8600c980

    SHA512

    55a7cd2b3e827e3e7b684cb57676e8f43f0eaccfc5a17ed993d2c5ba09ed4b64b5030b3e8a3f0225848f95373916d6057de50d48c6475987d9e3e2521e73a2a9

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe

    Filesize

    2.6MB

    MD5

    169f0cb40e66d67edfe78b276e0e770e

    SHA1

    f756dfb3ff047bd1708f93d19aae851b1783110a

    SHA256

    257858d7e8e55bebc06bd00c32e78ee7d72e80be70a2d366cd54ecf0ee3ec546

    SHA512

    dad4ae24c9162870155d446a3e22efd405997f01d8ded0bcef375d4fa0f02a7a54925ebd12189f4263c446aadbb12313da6690027a80a7fc03783868b6f21696

  • C:\Vid8J\bodaloc.exe

    Filesize

    13KB

    MD5

    642d5fd1c5d47e0cd3efc57772bc2053

    SHA1

    bc41dd3d35783afbd472e73a9f63190d7e166933

    SHA256

    354d593722f5c5af8706226640303ec107869e0842004e188841efc1b84c1798

    SHA512

    3c5ab6241a835ab0cffcf0d36944fcc6eb3aa2afc83dcda29790a9a82f9f14ae2423a853816bc47894042dbca59e25ab4eb432113fe9ed87505cd8093adefab9

  • C:\Vid8J\bodaloc.exe

    Filesize

    53KB

    MD5

    a44b2b9b212e50d4b2e889bc8361e636

    SHA1

    3d2b4f07a8739084e70e0c57ec43d84edf191869

    SHA256

    74a7da2fe915218456275fc65b33ebc2131c69d7323b3ac89e61ffcad5521756

    SHA512

    cf723930340d1ddb4cfc147e1e5c4b09a335c60bfe114728434cd84b0f93bf8a86ab3a3e463c32f21fa420e3d377710cebfd81c297880e597af23479b3192171
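Two paths in the list above appear twice with different sizes and hashes (253086396416_10.0_Admin.ini at 202B and 170B, bodaloc.exe at 13KB and 53KB), so the same file was rewritten during the run and a host sweep keyed on a single hash per path would miss one version. The following is an added example, not part of the report and not tria.ge code. It keeps every SHA256 from the Downloads list, streams files from a directory tree, and reports exact-hash hits separately from name-only hits (a known dropped-file name with content the report never saw, which is exactly what a rewritten or repacked variant looks like). The hashes and paths are the report's; the directory tree and file contents in demo() are constructed, and because made-up bytes cannot reproduce the real hashes the demo adds the hash of its own stand-in ecadob.exe to show an exact match.

```python
import hashlib
import ntpath
import os
import tempfile
from typing import Dict, List, Tuple

# Dropped-file hashes from the Downloads list above, keyed by SHA256 and
# carrying the reported path and size. Both versions of the rewritten
# .ini and bodaloc.exe are kept.
REPORT_IOCS: Dict[str, Tuple[str, str]] = {
    "823415d119edbd7ed5f8789ab33b7d85176fe0395f07fcfb7b07470381b6ad20":
        (r"C:\UserDotZ7\devbodsys.exe", "2.6MB"),
    "80920a7662984b1003a0849dead2dc6d923fe9b7750e56f5c96a50798de0326c":
        (r"C:\Users\Admin\253086396416_10.0_Admin.ini", "202B"),
    "c8b6f57aeec03bc7f6c22338eed0f3c3e94f6de0505d7f9879f9594e8600c980":
        (r"C:\Users\Admin\253086396416_10.0_Admin.ini", "170B"),
    "257858d7e8e55bebc06bd00c32e78ee7d72e80be70a2d366cd54ecf0ee3ec546":
        (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe", "2.6MB"),
    "354d593722f5c5af8706226640303ec107869e0842004e188841efc1b84c1798":
        (r"C:\Vid8J\bodaloc.exe", "13KB"),
    "74a7da2fe915218456275fc65b33ebc2131c69d7323b3ac89e61ffcad5521756":
        (r"C:\Vid8J\bodaloc.exe", "53KB"),
}
# Names the sample used. ntpath is needed because the report paths are
# Windows paths and the sweep may run on a non-Windows analysis box.
DROPPED_NAMES = {ntpath.basename(p).lower() for p, _ in REPORT_IOCS.values()}


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file in 1 MiB blocks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root: str, iocs: Dict[str, Tuple[str, str]]) -> List[Dict[str, str]]:
    """Walk `root`; an exact hash match is a 'hash' hit, a known dropped-file
    name with unknown content is a 'name' hit. Hash hits sort first."""
    hits: List[Dict[str, str]] = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            digest = sha256_file(path)
            if digest in iocs:
                hits.append({"kind": "hash", "name": name, "path": path,
                             "sha256": digest, "reported_as": iocs[digest][0]})
            elif name.lower() in DROPPED_NAMES:
                hits.append({"kind": "name", "name": name, "path": path,
                             "sha256": digest, "reported_as": ""})
    return sorted(hits, key=lambda h: (h["kind"], h["name"]))


def demo() -> List[Dict[str, str]]:
    """Constructed directory tree standing in for a host. The contents are
    made up, so the report's hashes cannot match them; the demo therefore
    adds the hash of its own stand-in ecadob.exe (labelled as such) to
    exercise the exact-match path as well as the name-only path."""
    root = tempfile.mkdtemp(prefix="ioc-sweep-")
    layout = {
        os.path.join("Startup", "ecadob.exe"): b"constructed stand-in for ecadob.exe",
        os.path.join("UserDotZ7", "devbodsys.exe"): b"constructed stand-in, content differs",
        os.path.join("Documents", "readme.txt"): b"benign file, should not be flagged",
    }
    for rel, data in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    iocs = dict(REPORT_IOCS)
    stand_in = hashlib.sha256(layout[os.path.join("Startup", "ecadob.exe")]).hexdigest()
    iocs[stand_in] = ("demo only: constructed stand-in for ecadob.exe", "35B")
    return sweep(root, iocs)


if __name__ == "__main__":
    for h in demo():
        print(f'{h["kind"]:<4} {h["sha256"][:16]}... {h["path"]}  {h["reported_as"]}')
```

On a real host the sweep would be pointed at the user profile and the drive root, since the sample wrote under C:\UserDotZ7 and C:\Vid8J rather than under a profile directory, and a name-only hit on ecadob.exe, devbodsys.exe or bodaloc.exe should be pulled for hashing against the full list rather than dismissed because its SHA256 is not in the table.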