Analysis
max time kernel: 119s
max time network: 104s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/10/2024, 21:58
Static task: static1
Behavioral task: behavioral1
  Sample: ce19770896b004f5cfbf593525f251f7421f4a5c6745b4443317e60937f1236fN.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: ce19770896b004f5cfbf593525f251f7421f4a5c6745b4443317e60937f1236fN.exe
  Resource: win10v2004-20241007-en
(The results below are from behavioral2, the windows10-2004_x64 run.)
General
Target: ce19770896b004f5cfbf593525f251f7421f4a5c6745b4443317e60937f1236fN.exe
Size: 2.6MB
MD5: 15b92c89120936bf3cc7d30ee468c240
SHA1: 2a5257b404586fe1af8e3007d9d8a1f68b7c39cf
SHA256: ce19770896b004f5cfbf593525f251f7421f4a5c6745b4443317e60937f1236f
SHA512: e72bc15f713f675b5319dfde96366b90c13e1d3d0aaefb6a8f9ca0a91f99d9e7f003b76d9f0a0913685998de460fda9e936f2161baf1e43a1227856d8134f425
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBJB/bS:sxX7QnxrloE5dpUp2b
Malware Config
Signatures
Drops startup file (1 IoC)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | ce19770896b004f5cfbf593525f251f7421f4a5c6745b4443317e60937f1236fN.exe

Executes dropped EXE (2 IoCs)
  pid | Process
  3612 | ecaopti.exe
  2668 | devbodloc.exe

Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials. The report lists no individual IoCs for this signature.

Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint2O\\bodaloc.exe" | ce19770896b004f5cfbf593525f251f7421f4a5c6745b4443317e60937f1236fN.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv68\\devbodloc.exe" | ce19770896b004f5cfbf593525f251f7421f4a5c6745b4443317e60937f1236fN.exe
  Note the same value name, Parametr, is used in both Run and RunOnce, pointing at two different executables in two non-standard top-level directories. Only devbodloc.exe is observed executing in this run; bodaloc.exe appears solely as the RunOnce target.

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of the victim host in order to infer its geographical location.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ce19770896b004f5cfbf593525f251f7421f4a5c6745b4443317e60937f1236fN.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ecaopti.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | devbodloc.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process | entries
  1064 | ce19770896b004f5cfbf593525f251f7421f4a5c6745b4443317e60937f1236fN.exe | 4
  3612 | ecaopti.exe | 30
  2668 | devbodloc.exe | 30
  (The two dropped executables enumerate processes in alternating pairs throughout the run, which is consistent with a polling loop rather than a one-off check.)

Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target | entries
  PID 1064 wrote to memory of 3612 | 1064 | ce19770896b004f5cfbf593525f251f7421f4a5c6745b4443317e60937f1236fN.exe | 89 | 3
  PID 1064 wrote to memory of 2668 | 1064 | ce19770896b004f5cfbf593525f251f7421f4a5c6745b4443317e60937f1236fN.exe | 90 | 3
  Both write targets are the parent's direct children in the process tree, so these writes coincide with process creation rather than injection into an unrelated process.
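A host-side check for the persistence artefacts this report lists, as an added example that is not part of the tria.ge report or of any tool it describes. It assumes it is run in an elevated PowerShell session under the profile of the affected user (the report's HKU\S-1-5-21-...-1000 hive maps to that user's HKCU), and that the value name Parametr and the paths under C:\Mint2O and C:\SysDrv68 are the same on the host as in the sandbox; a different build of the sample may use other names. The dropped files in the Downloads section carry hashes that differ from the submitted sample, so the check keys on locations and value names and reports hashes for comparison rather than relying on a hash match.

```powershell
# Added triage check for the Run/RunOnce, Startup-folder and dropped-EXE
# artefacts in the report above. Assumptions: elevated session, affected
# user's profile, artefact names unchanged from the sandbox run.

$SampleSha256  = 'ce19770896b004f5cfbf593525f251f7421f4a5c6745b4443317e60937f1236f'
$ValueName     = 'Parametr'                       # value name observed in Run and RunOnce
$ExpectedPaths = @(
    'C:\Mint2O\bodaloc.exe',                     # RunOnce\Parametr target
    'C:\SysDrv68\devbodloc.exe'                  # Run\Parametr target
)
$StartupFile   = Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe'
$RunKeys       = @(
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function New-Finding($Type, $Location, $Data, $Note) {
    [pscustomobject]@{ Type = $Type; Location = $Location; Data = $Data; Note = $Note }
}

function Get-FileFinding($Path) {
    # Hash the file and flag it if it is byte-identical to the submitted sample.
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    $note = if ($hash -eq $SampleSha256) { 'matches submitted sample' } else { 'hash differs from submitted sample' }
    New-Finding 'File' $Path $hash $note
}

$findings = @()

# 1. Run / RunOnce values named "Parametr" in the current user's hive.
foreach ($key in $RunKeys) {
    $item = Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue
    if ($item) {
        $findings += New-Finding 'Registry' "$key\$ValueName" $item.$ValueName 'autostart value present'
    }
}

# 2. The dropper placed in the Startup folder.
if (Test-Path -LiteralPath $StartupFile) { $findings += Get-FileFinding $StartupFile }

# 3. The executables the Run/RunOnce values point at.
foreach ($p in $ExpectedPaths) {
    if (Test-Path -LiteralPath $p) { $findings += Get-FileFinding $p }
}

# 4. Live processes with the dropped executables' names.
Get-Process -Name 'ecaopti', 'devbodloc' -ErrorAction SilentlyContinue | ForEach-Object {
    $findings += New-Finding 'Process' $_.Path "PID $($_.Id)" 'running'
}

if ($findings.Count -eq 0) {
    'No artefacts from this report found for the current user.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Any registry hit is sufficient to treat the host as affected even when the target file is absent: the RunOnce entry is removed by Windows after it fires, and the Startup-folder copy may already have been replaced. Run the same check under every profile on the host, since the values live in the user hive, not HKLM.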
Processes
Path: C:\Users\Admin\AppData\Local\Temp\ce19770896b004f5cfbf593525f251f7421f4a5c6745b4443317e60937f1236fN.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\ce19770896b004f5cfbf593525f251f7421f4a5c6745b4443317e60937f1236fN.exe"
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 1064
  Path: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe (depth 2)
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID: 3612
  Path: C:\SysDrv68\devbodloc.exe (depth 2)
  Command line: C:\SysDrv68\devbodloc.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID: 2668
Network
MITRE ATT&CK Enterprise v15
Downloads
The report does not name the dropped files; the six entries are listed by hash only.

File 1
  Filesize: 2.6MB
  MD5: 303b307276dd29f1f8dfbd38549ed1bb
  SHA1: f710a41926631e06dab01666a1130f39b40e4cea
  SHA256: 6f46e5d6db4932010bef427521575c827cec17fd995220680dab7796a06a4d30
  SHA512: 6aad15bdc7d24357d6643bbd259107a8f75368067f51d0141b80c116b620fc4f4ac3b28959a56cfb04a8a2a0c538dd217121d524d31c60724a8796e49a22c129

File 2
  Filesize: 2.6MB
  MD5: 06e2e9207517673319e7cfe17b6d36ba
  SHA1: 87ad64c872fd68deb5093263a3250c5644a5934d
  SHA256: 57531a697780f6200f5230412c30e1f6ffc7bd35ef2089c88fdb18197cb70e85
  SHA512: 56da74f51d9b534bea9a1a93f1c0d6eb05296bb5a5ab95f6f308f4aba3016f819c42357d6fbced9d8e3100419bedb5b47ea3be1ef96f27a5cd05ae6a1262df11

File 3
  Filesize: 2.6MB
  MD5: 2e0a4a7ccbc58b27e2167d9a09f0483d
  SHA1: 230dd356d8df019a8836c7178b1b1e980f3b257d
  SHA256: 71c12cbd1f4745b0ae34fb3276d21874d8318e1a3cb98d0dea86acc71622173d
  SHA512: 3e79591cad3b02928d2babb7f7e059374a0dae991243917b9d31f272aa52327d2881875810af9deb36adc9add69b281e4f64babc5f2bcfde75266651267ef97b

File 4
  Filesize: 203B
  MD5: fc893a099681b6820a664cc9ded89444
  SHA1: 6b53c014a11870e2525a7e0bda6ff4c0bc11424c
  SHA256: 2b58304619b9f0f07826dd5ec25484c9ce83f179cb5a1d5c39c4e8aa337b48ca
  SHA512: b365010c63c7f7462ba6e11934fe3c967dafebda53faa7615130b1cd3830c14dae9df27b710c28b9b60d090f8e1fe772639960c744b963a0564f32d6b7811ed5

File 5
  Filesize: 171B
  MD5: a03e6643c7e69b1ce51f263f03ade424
  SHA1: d5cb52a08e58566ae4108521a533532c9ee4ee70
  SHA256: 6555ffcddf7aa3584b2a84a8ea19147adbd9286be9c4466f1d2d1e83c5bae758
  SHA512: f1379042e526d94bd7523799d98cb189925ad98c0e1f044266d7388e700621a5bd98ded705a1266ac47748b170ddf39de6d652426b4c0c03e8e2c940c39ebcb0

File 6
  Filesize: 2.6MB
  MD5: 42472c97ae690a783407696e705512c2
  SHA1: 9ae503015a10ac10215f510cd963ce50bcf030a4
  SHA256: 5488aa257d3d80eac18ec0f7692edd2d8f39aee471a0b9f2b8f61d37c86e7bf6
  SHA512: 27e6b4fedf76cab37c3fd05202cef550560e40d3cfa13291d59d08a0a656b51f1602fded405a17004f0085f9b9e1768d8c7a039247c305a268a2da06251d3aa7