Analysis
- max time kernel: 120s
- max time network: 101s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/10/2024, 21:55

The platform and resource above are those of the behavioral2 task (Windows 10); the behavioral1 task on Windows 7 listed below was submitted for the same sample but is not the run reported on this page.
Static task
- static1

Behavioral task
- behavioral1
  Sample: ee8a108eaf578437280bf4ef425fe01cce29a4a122eb3371e775bf295694922dN.exe
  Resource: win7-20240708-en

Behavioral task
- behavioral2
  Sample: ee8a108eaf578437280bf4ef425fe01cce29a4a122eb3371e775bf295694922dN.exe
  Resource: win10v2004-20241007-en
General
- Target: ee8a108eaf578437280bf4ef425fe01cce29a4a122eb3371e775bf295694922dN.exe
- Size: 2.6MB
- MD5: 889d175a3c1a9155468b3343f7f3c690
- SHA1: 7a634f4a8e2951f8aacb8896008452bfdb474cc5
- SHA256: ee8a108eaf578437280bf4ef425fe01cce29a4a122eb3371e775bf295694922d
- SHA512: 9060eaf5c7b1fa3bff8af3446e605f7a57123a45c3ea305254cabbfbdefec4fa8d4b71092794a6e7baed9d3423aed7d7e80fbdf70e3c6a316e12b15bb160ffc1
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBnB/bS:sxX7QnxrloE5dpUp0b
Malware Config
Signatures

Drops startup file (1 IoC)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe (process: ee8a108eaf578437280bf4ef425fe01cce29a4a122eb3371e775bf295694922dN.exe)

Executes dropped EXE (2 IoCs)
- PID 2952: locdevopti.exe
- PID 1248: adobec.exe

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials and other secrets. The report lists no per-file IoCs under this signature.

Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe09\\adobec.exe" (process: ee8a108eaf578437280bf4ef425fe01cce29a4a122eb3371e775bf295694922dN.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBJR\\dobxloc.exe" (process: ee8a108eaf578437280bf4ef425fe01cce29a4a122eb3371e775bf295694922dN.exe)

Both values use the same name, Parametr, and point at executables in freshly created top-level directories (C:\Adobe09, C:\KaVBJR) rather than under Program Files. The Run value survives every logon; a RunOnce value is deleted by Windows after it fires once. Of the two targets only C:\Adobe09\adobec.exe was executed during this run (PID 1248); C:\KaVBJR\dobxloc.exe does not appear in the process list.

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: ee8a108eaf578437280bf4ef425fe01cce29a4a122eb3371e775bf295694922dN.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: locdevopti.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: adobec.exe)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
The 64 events are attributed to three processes, listed repeatedly in the report:
- PID 3408: ee8a108eaf578437280bf4ef425fe01cce29a4a122eb3371e775bf295694922dN.exe
- PID 2952: locdevopti.exe
- PID 1248: adobec.exe

Suspicious use of WriteProcessMemory (6 IoCs)
- PID 3408 (ee8a108eaf578437280bf4ef425fe01cce29a4a122eb3371e775bf295694922dN.exe) wrote to memory of PID 2952 (locdevopti.exe): 3 events, procid_target 89
- PID 3408 (ee8a108eaf578437280bf4ef425fe01cce29a4a122eb3371e775bf295694922dN.exe) wrote to memory of PID 1248 (adobec.exe): 3 events, procid_target 92

Both targets are the sample's own direct children (see Processes). The report does not show what was written, so these events alone do not establish whether this is code injection or ordinary child-process setup by the parent.
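The two autostart techniques recorded above (a Startup-folder drop and Run/RunOnce values pointing at executables outside the usual program directories) are the parts of this report most worth turning into detection logic. The following is an added example and not part of the Triage report or the sample: it replays the report's IoCs as constructed, simplified registry/file events (a Sysmon-like dict shape chosen for the example), adds two constructed benign decoys, and flags only the malicious ones. The TRUSTED_ROOTS allow-list is a heuristic of this example, not a Triage rule.

```python
# Added example (not part of the Triage report): flag the persistence artifacts
# the sandbox observed, using a trusted-directory heuristic rather than the
# sample-specific names (Parametr, Adobe09, KaVBJR), which attackers can change.
import re

SAMPLE = "ee8a108eaf578437280bf4ef425fe01cce29a4a122eb3371e775bf295694922dN.exe"
SID = "S-1-5-21-2437139445-1151884604-3026847218-1000"  # user SID from the report

# Run / RunOnce value under any hive spelling (\REGISTRY\USER\<SID>\..., HKCU\..., HKU\...)
RUN_KEY_RE = re.compile(
    r"\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\(?P<key>Run|RunOnce)\\(?P<name>[^\\]+)$",
    re.IGNORECASE,
)
# A file landing directly in a per-user Startup folder
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+$", re.IGNORECASE)
# Directories from which autostart entries are normally expected (heuristic, assumption)
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed events modelled on the report's IoCs, plus two constructed benign decoys.
EVENTS = [
    {"type": "RegistrySetValue", "pid": 3408, "process": SAMPLE,
     "target": f"\\REGISTRY\\USER\\{SID}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Parametr",
     "data": "C:\\Adobe09\\adobec.exe"},
    {"type": "RegistrySetValue", "pid": 3408, "process": SAMPLE,
     "target": f"\\REGISTRY\\USER\\{SID}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Parametr",
     "data": "C:\\KaVBJR\\dobxloc.exe"},
    {"type": "FileCreate", "pid": 3408, "process": SAMPLE,
     "target": "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\locdevopti.exe"},
    # decoy: vendor Run entry under Program Files (constructed, should not fire)
    {"type": "RegistrySetValue", "pid": 4100, "process": "OneDriveSetup.exe",
     "target": f"\\REGISTRY\\USER\\{SID}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
     "data": "\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"},
    # decoy: ordinary document write (constructed, should not fire)
    {"type": "FileCreate", "pid": 5200, "process": "notepad.exe",
     "target": "C:\\Users\\Admin\\Documents\\notes.txt"},
]


def image_path(command: str) -> str:
    """Extract the executable path from a Run-value command line (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ")[0]


def detect(events):
    """Return one finding per event matching a persistence technique from the report."""
    findings = []
    for ev in events:
        if ev["type"] == "RegistrySetValue":
            m = RUN_KEY_RE.search(ev["target"])
            if m:
                exe = image_path(ev["data"])
                # Run/RunOnce entries are normal; ones launching from untrusted roots are not
                if not exe.lower().startswith(TRUSTED_ROOTS):
                    findings.append({
                        "rule": f"{m.group('key')}_untrusted_path",
                        "pid": ev["pid"], "process": ev["process"],
                        "value": m.group("name"), "image": exe,
                    })
        elif ev["type"] == "FileCreate" and STARTUP_RE.search(ev["target"]):
            findings.append({
                "rule": "startup_folder_drop",
                "pid": ev["pid"], "process": ev["process"],
                "image": ev["target"],
            })
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"{f['rule']:<24} pid={f['pid']} -> {f['image']}")
```

Run against the constructed events this yields exactly three findings: the Run value, the RunOnce value and the Startup-folder drop, all from PID 3408, while the OneDrive decoy passes because its image lives under Program Files. In a real pipeline the same two checks map onto Sysmon Event ID 13 (RegistryEvent SetValue) and Event ID 11 (FileCreate); the value name and the odd directory names from this sample are useful as pivots after the fact but too brittle to key a rule on.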
Processes
- C:\Users\Admin\AppData\Local\Temp\ee8a108eaf578437280bf4ef425fe01cce29a4a122eb3371e775bf295694922dN.exe (PID 3408)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ee8a108eaf578437280bf4ef425fe01cce29a4a122eb3371e775bf295694922dN.exe"
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe (PID 2952, child of 3408)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\Adobe09\adobec.exe (PID 1248, child of 3408)
    Command line: C:\Adobe09\adobec.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
The rendered matrix did not survive extraction; the signature titles above correspond to these techniques:
- T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (the Startup-folder drop and the Run/RunOnce values)
- T1614.001 System Location Discovery: System Language Discovery (the NLS\Language key reads)
Downloads
Files written during the run and offered for download by the report; the report does not name them. None of the three 2.6MB files carries the submitted sample's hashes.

File 1
- Filesize: 2.6MB
- MD5: a151490713e9d4f26aa310f6fd933624
- SHA1: 05ce1492908c31a54dd24914fb3a130a51f85460
- SHA256: 9ddd58b78a546ac898a1ec326a6a67c53e7240e3e6edad34690a9f0c8944ea61
- SHA512: 098cd85f34bbe33dad91d7ae8f7aeda4c72183f15fa2d0d9e27778e96fd3d4f353466e979e39c543217b6c91a87a1d866edb4eff841c399fe9498ef0e8aa6799

File 2
- Filesize: 2.6MB
- MD5: 470dd0f2105e9839a881f41f4a977976
- SHA1: 5dba250838823390de8c0b7cb7e29ad89ccf0bea
- SHA256: 18889d7e43c6104caae98bcb5837156b5a7bbad071aa7987a4b566e5a459b455
- SHA512: 5fa59711a8d7995c81aefe4546decf2aeb6435ba546d9b1f51852c817cb8a0129fad3139bbb67f9bccee51d92eec9a09ddd59bc144195a547143652a57a3ba52

File 3
- Filesize: 72KB
- MD5: 6864709a3492d6eecc2901d378a3923c
- SHA1: f819f76efb6013645614cdbd8b40aa065381ff65
- SHA256: 90aac658de2f07e728626f6fa857aeea35903288dedd81dec061d2e73f7a8173
- SHA512: 2e669b559d3add060665fc67f21dd9cff43fec0262fe9cfcfb9b48b9185a5852e90db226707a161d827534b304670d064451f932f174aea6d41625ee74ad8c1f

File 4
- Filesize: 202B
- MD5: 5c7bac193bfbc09abe0f9417f2d469da
- SHA1: b552d728ea434118f9174a30b2f81566d5387ff8
- SHA256: 81157c6bd89dfe6c0343b2a2ff733a2d92c79335fc5d1fc890d31cd0629e0d17
- SHA512: 2c2731b528645056f3aebd478cd26f6e339e97a69d021e28755276becf3dd3910fac2398360afef79201e5571939eaa0e048dac59d239f53e0c2031286cbf431

File 5
- Filesize: 170B
- MD5: 549856c44910ab30e45fe7fe1083ffb9
- SHA1: 06195baf8a35dc93ade96c133043b07ba7e8da6c
- SHA256: 3bc57ba1ef5ae459c734908388ade6f188790a79e07a8865d8ab22ab2fef035f
- SHA512: 93170cf6dda6c34b8e5f23af9e08831929b3665f3683c571ad92c6d532b1e9961167fb924a9c82211aafabdcd02a886f4738c345ea27ab0efaee7787f05c2fa6

File 6
- Filesize: 2.6MB
- MD5: f9183ad9bb477608307e7c423d971c56
- SHA1: 50c360d2f9e310e6082b161d9d8c7afa15f6ec53
- SHA256: 2680fe1f156f75f10f4df523d3ab03d9c8637453bd971b2fcd73c91d45813d8f
- SHA512: 702bc52e810db1d88666871159ba3254c7c19bfc0e837c02d3afb87cb885638ea9f5cd88d4a1dc7f8d76701d659c02ec9de261c08b40aa67edef735a02423f73