Analysis
- max time kernel: 119s
- max time network: 109s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/10/2024, 20:56
Static task: static1
Behavioral task: behavioral1
- Sample: 76c3cb08a2057abbc48f9e98406f89fb37ff6cd08ddb0ba096855203e51e839fN.exe
- Resource: win7-20240729-en
Behavioral task: behavioral2
- Sample: 76c3cb08a2057abbc48f9e98406f89fb37ff6cd08ddb0ba096855203e51e839fN.exe
- Resource: win10v2004-20241007-en
General
- Target: 76c3cb08a2057abbc48f9e98406f89fb37ff6cd08ddb0ba096855203e51e839fN.exe
- Size: 2.6MB
- MD5: 8aba3bca8cd47063c4ee08a5fbe2ae70
- SHA1: a9ac554d9f0afc834b143d779f80ec5baaa38ede
- SHA256: 76c3cb08a2057abbc48f9e98406f89fb37ff6cd08ddb0ba096855203e51e839f
- SHA512: 16a8a6dbff3e1b675775aacd8719f20efa30e5ceead4574b94b2ce4edfd3c10befb4e2f31662795ba966e3d8f425bcaebc49b6abb26d2772a1eede2b84ccd6a1
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBJB/bS:sxX7QnxrloE5dpUpyb
Malware Config
Signatures
- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe (process: 76c3cb08a2057abbc48f9e98406f89fb37ff6cd08ddb0ba096855203e51e839fN.exe)
- Executes dropped EXE (2 IoCs)
  PID 368: ecdevdob.exe
  PID 3840: devdobloc.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvU0\\devdobloc.exe" (process: 76c3cb08a2057abbc48f9e98406f89fb37ff6cd08ddb0ba096855203e51e839fN.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZZH\\bodaloc.exe" (process: 76c3cb08a2057abbc48f9e98406f89fb37ff6cd08ddb0ba096855203e51e839fN.exe)
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim host in order to infer its geographical location.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 76c3cb08a2057abbc48f9e98406f89fb37ff6cd08ddb0ba096855203e51e839fN.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: ecdevdob.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: devdobloc.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 3712 wrote to memory of 368 (process: 76c3cb08a2057abbc48f9e98406f89fb37ff6cd08ddb0ba096855203e51e839fN.exe, procid_target: 88)
  PID 3712 wrote to memory of 368 (process: 76c3cb08a2057abbc48f9e98406f89fb37ff6cd08ddb0ba096855203e51e839fN.exe, procid_target: 88)
  PID 3712 wrote to memory of 368 (process: 76c3cb08a2057abbc48f9e98406f89fb37ff6cd08ddb0ba096855203e51e839fN.exe, procid_target: 88)
  PID 3712 wrote to memory of 3840 (process: 76c3cb08a2057abbc48f9e98406f89fb37ff6cd08ddb0ba096855203e51e839fN.exe, procid_target: 89)
  PID 3712 wrote to memory of 3840 (process: 76c3cb08a2057abbc48f9e98406f89fb37ff6cd08ddb0ba096855203e51e839fN.exe, procid_target: 89)
  PID 3712 wrote to memory of 3840 (process: 76c3cb08a2057abbc48f9e98406f89fb37ff6cd08ddb0ba096855203e51e839fN.exe, procid_target: 89)
Processes
- C:\Users\Admin\AppData\Local\Temp\76c3cb08a2057abbc48f9e98406f89fb37ff6cd08ddb0ba096855203e51e839fN.exe (PID 3712, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\76c3cb08a2057abbc48f9e98406f89fb37ff6cd08ddb0ba096855203e51e839fN.exe"
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe (PID 368, depth 2)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\SysDrvU0\devdobloc.exe (PID 3840, depth 2)
    Command line: C:\SysDrvU0\devdobloc.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads