Analysis

  • max time kernel
    119s
  • max time network
    104s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/10/2024, 21:58

General

  • Target

    ce19770896b004f5cfbf593525f251f7421f4a5c6745b4443317e60937f1236fN.exe

  • Size

    2.6MB

  • MD5

    15b92c89120936bf3cc7d30ee468c240

  • SHA1

    2a5257b404586fe1af8e3007d9d8a1f68b7c39cf

  • SHA256

    ce19770896b004f5cfbf593525f251f7421f4a5c6745b4443317e60937f1236f

  • SHA512

    e72bc15f713f675b5319dfde96366b90c13e1d3d0aaefb6a8f9ca0a91f99d9e7f003b76d9f0a0913685998de460fda9e936f2161baf1e43a1227856d8134f425

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBJB/bS:sxX7QnxrloE5dpUp2b

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ce19770896b004f5cfbf593525f251f7421f4a5c6745b4443317e60937f1236fN.exe
    "C:\Users\Admin\AppData\Local\Temp\ce19770896b004f5cfbf593525f251f7421f4a5c6745b4443317e60937f1236fN.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1064
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3612
    • C:\SysDrv68\devbodloc.exe
      C:\SysDrv68\devbodloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2668

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Mint2O\bodaloc.exe

    Filesize

    2.6MB

    MD5

    303b307276dd29f1f8dfbd38549ed1bb

    SHA1

    f710a41926631e06dab01666a1130f39b40e4cea

    SHA256

    6f46e5d6db4932010bef427521575c827cec17fd995220680dab7796a06a4d30

    SHA512

    6aad15bdc7d24357d6643bbd259107a8f75368067f51d0141b80c116b620fc4f4ac3b28959a56cfb04a8a2a0c538dd217121d524d31c60724a8796e49a22c129

  • C:\Mint2O\bodaloc.exe

    Filesize

    2.6MB

    MD5

    06e2e9207517673319e7cfe17b6d36ba

    SHA1

    87ad64c872fd68deb5093263a3250c5644a5934d

    SHA256

    57531a697780f6200f5230412c30e1f6ffc7bd35ef2089c88fdb18197cb70e85

    SHA512

    56da74f51d9b534bea9a1a93f1c0d6eb05296bb5a5ab95f6f308f4aba3016f819c42357d6fbced9d8e3100419bedb5b47ea3be1ef96f27a5cd05ae6a1262df11

  • C:\SysDrv68\devbodloc.exe

    Filesize

    2.6MB

    MD5

    2e0a4a7ccbc58b27e2167d9a09f0483d

    SHA1

    230dd356d8df019a8836c7178b1b1e980f3b257d

    SHA256

    71c12cbd1f4745b0ae34fb3276d21874d8318e1a3cb98d0dea86acc71622173d

    SHA512

    3e79591cad3b02928d2babb7f7e059374a0dae991243917b9d31f272aa52327d2881875810af9deb36adc9add69b281e4f64babc5f2bcfde75266651267ef97b

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    203B

    MD5

    fc893a099681b6820a664cc9ded89444

    SHA1

    6b53c014a11870e2525a7e0bda6ff4c0bc11424c

    SHA256

    2b58304619b9f0f07826dd5ec25484c9ce83f179cb5a1d5c39c4e8aa337b48ca

    SHA512

    b365010c63c7f7462ba6e11934fe3c967dafebda53faa7615130b1cd3830c14dae9df27b710c28b9b60d090f8e1fe772639960c744b963a0564f32d6b7811ed5

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    171B

    MD5

    a03e6643c7e69b1ce51f263f03ade424

    SHA1

    d5cb52a08e58566ae4108521a533532c9ee4ee70

    SHA256

    6555ffcddf7aa3584b2a84a8ea19147adbd9286be9c4466f1d2d1e83c5bae758

    SHA512

    f1379042e526d94bd7523799d98cb189925ad98c0e1f044266d7388e700621a5bd98ded705a1266ac47748b170ddf39de6d652426b4c0c03e8e2c940c39ebcb0

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe

    Filesize

    2.6MB

    MD5

    42472c97ae690a783407696e705512c2

    SHA1

    9ae503015a10ac10215f510cd963ce50bcf030a4

    SHA256

    5488aa257d3d80eac18ec0f7692edd2d8f39aee471a0b9f2b8f61d37c86e7bf6

    SHA512

    27e6b4fedf76cab37c3fd05202cef550560e40d3cfa13291d59d08a0a656b51f1602fded405a17004f0085f9b9e1768d8c7a039247c305a268a2da06251d3aa7
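A host-side sweep for the indicators this report lists (the dropped executables in the Processes and Downloads sections, the Run-key persistence from Signatures, and the .ini written to the profile root), as an added example that is not part of the tria.ge output. It uses only the paths and SHA256 values shown above; the report does not record the Run value name, so the script matches Run values on their target path instead. The `*_10.0_*.ini` wildcard and the per-user Startup folder resolution are assumptions, marked in the comments.

```powershell
# Added example: host-side sweep for the indicators listed in this tria.ge report.
# Not part of the sandbox output. Assumptions are marked inline.

# SHA256 values copied from the report's General and Downloads sections.
$KnownHashes = @{
    'ce19770896b004f5cfbf593525f251f7421f4a5c6745b4443317e60937f1236f' = 'parent sample'
    '5488aa257d3d80eac18ec0f7692edd2d8f39aee471a0b9f2b8f61d37c86e7bf6' = 'Startup\ecaopti.exe'
    '71c12cbd1f4745b0ae34fb3276d21874d8318e1a3cb98d0dea86acc71622173d' = 'C:\SysDrv68\devbodloc.exe'
    '6f46e5d6db4932010bef427521575c827cec17fd995220680dab7796a06a4d30' = 'C:\Mint2O\bodaloc.exe (first write)'
    '57531a697780f6200f5230412c30e1f6ffc7bd35ef2089c88fdb18197cb70e85' = 'C:\Mint2O\bodaloc.exe (second write)'
}

# Paths taken from the Processes and Downloads sections. The sandbox ran as user
# "Admin"; assumption: resolving the Startup folder per user is the right
# generalisation rather than hard-coding C:\Users\Admin.
$StartupDir = [Environment]::GetFolderPath('Startup')
$SuspectPaths = @(
    (Join-Path $StartupDir 'ecaopti.exe'),
    'C:\SysDrv68\devbodloc.exe',
    'C:\Mint2O\bodaloc.exe'
)

$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

function Test-SuspectFile {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return $null }
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLower()
    [pscustomobject]@{
        Path        = $Path
        SizeBytes   = (Get-Item -LiteralPath $Path).Length
        SHA256      = $hash
        KnownSample = $KnownHashes[$hash]   # $null when the hash is not one from the report
    }
}

$findings = @()

# 1. Dropped executables at the paths the sandbox observed.
foreach ($p in $SuspectPaths) {
    $r = Test-SuspectFile -Path $p
    if ($r) { $findings += $r }
}

# 2. Any Run value whose command points at the dropped locations. The report
#    records "Adds Run key to start application" but not the value name, so the
#    match is on the target path rather than on a name.
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($prop in $props.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PowerShell provider properties
        $val = [string]$prop.Value
        if ($val -match '(?i)\\SysDrv68\\|\\Mint2O\\|\\Startup\\ecaopti\.exe') {
            $findings += [pscustomobject]@{
                Path        = "$key\$($prop.Name)"
                SizeBytes   = $null
                SHA256      = $null
                KnownSample = "Run value -> $val"
            }
        }
    }
}

# 3. The small .ini written to the profile root. The report shows
#    C:\Users\Admin\253086396416_10.0_Admin.ini; assumption: the numeric prefix
#    is host-specific, so a wildcard is used for it and the hash is not compared.
$ini = Get-ChildItem -Path $env:USERPROFILE -Filter '*_10.0_*.ini' -File -ErrorAction SilentlyContinue
foreach ($f in $ini) {
    $findings += [pscustomobject]@{
        Path        = $f.FullName
        SizeBytes   = $f.Length
        SHA256      = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash.ToLower()
        KnownSample = 'profile .ini marker (content differs per host)'
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No indicators from the report found on this host.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell so the HKLM Run keys are readable. Two caveats follow from the report itself: C:\Mint2O\bodaloc.exe is listed twice with different hashes (the file was written twice during the run), and every dropped executable is 2.6MB like the parent yet carries a different hash, so a hash-only match will miss copies from another run. A file present at one of these paths whose hash is not in `$KnownHashes` is still worth pulling; the paths and the Startup-folder/Run-key persistence are the more durable indicators here. Note also that C:\Mint2O\bodaloc.exe appears in Downloads but not in the Processes tree, so it was written but not executed within the 119 s kernel window.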