Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    119s
  • max time network
    109s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/10/2024, 20:56

General

  • Target

    76c3cb08a2057abbc48f9e98406f89fb37ff6cd08ddb0ba096855203e51e839fN.exe

  • Size

    2.6MB

  • MD5

    8aba3bca8cd47063c4ee08a5fbe2ae70

  • SHA1

    a9ac554d9f0afc834b143d779f80ec5baaa38ede

  • SHA256

    76c3cb08a2057abbc48f9e98406f89fb37ff6cd08ddb0ba096855203e51e839f

  • SHA512

    16a8a6dbff3e1b675775aacd8719f20efa30e5ceead4574b94b2ce4edfd3c10befb4e2f31662795ba966e3d8f425bcaebc49b6abb26d2772a1eede2b84ccd6a1

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBJB/bS:sxX7QnxrloE5dpUpyb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\76c3cb08a2057abbc48f9e98406f89fb37ff6cd08ddb0ba096855203e51e839fN.exe
    "C:\Users\Admin\AppData\Local\Temp\76c3cb08a2057abbc48f9e98406f89fb37ff6cd08ddb0ba096855203e51e839fN.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3712
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:368
    • C:\SysDrvU0\devdobloc.exe
      C:\SysDrvU0\devdobloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3840

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\LabZZH\bodaloc.exe

    Filesize

    2.6MB

    MD5

    0dcf1744109b142489282a985ee63fca

    SHA1

    b385d23af12211166abad9b6d6d8336e2c0d574e

    SHA256

    2fb6f860f25775ad3b21583a85134eda9e032e5fc275b9107e21d71e860d5fd7

    SHA512

    c4aaca0415586d78aaabd69fef4314db901a9eb7588821ce4b327bebe4c99ebac35bf603b661f5cbccb7dcb58a8b60b367205ed788e715050715e6576cb9bbbd

  • C:\SysDrvU0\devdobloc.exe

    Filesize

    2.6MB

    MD5

    9a9d27d53d922f68eae23e6a00f21d55

    SHA1

    ec43be7846c77aefa1dc849eecf7682af6b21d3f

    SHA256

    ffaedd8cba535e454095732acfb271293124bdf183165ee5378e3ea0895c1faf

    SHA512

    ee774f3ac4d54d252aade0b847340c1ac6b65d7d2389a8633d68522b831f07c9e6c7961d89ada6afd7d85521d9e1523c88689a95d19f22f203c623d8771bd2fa

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    204B

    MD5

    6ac4132c39a2c245b035ad29153fba6f

    SHA1

    16d9407b84c991fc144a62d13cc23db8e9089a58

    SHA256

    48b970b48500015b0ed3cafeba021ddeec2d6982d9aa120cc2244123318c819e

    SHA512

    209e197a9be64799156b1c2f2678e4658be6874c79c1365e34ec8e46c595ee6027d3a317722cfdf5786a85e866e5fb642e93c40906cdbe0c19e0984fc27dc8d3

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    172B

    MD5

    91dde625ee7622215323f03fdeb2834c

    SHA1

    0dbbbef79b6e3d1b218e75c166904b6bfd34600f

    SHA256

    4a470efe743205120fab07d4fdb37997158b589ac5a9b5b77d4cb6b1e509e7ff

    SHA512

    3385cb0c32e873b024c1bc7731aa5fe4cc3e4a604769776294d4f41928737995781a62530b930f7fd912e7cf517a7c1b9f4ff0a131372abaea0c9325490663c0

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe

    Filesize

    2.6MB

    MD5

    c528c4c7c19fca816e2ff0428f9cd699

    SHA1

    b9a1f3cf9835756374adac99b95616ae8e4f0cc6

    SHA256

    3898bf876cde909f2f157902c06a1c724d8c8c76a80a0220e79ba59e0f6a2399

    SHA512

    588ca43b8398a185d5520209063e7eae9b37a2f7e2a9100a0b582ec707c15cd36ffc4372b6cea767d4655d941425f72c59e8e656f204fc769b106e808c8bff4b