Analysis

  • max time kernel
    149s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27/10/2024, 22:12

General

  • Target

    3fd8820cef3f225be64863db12c141f9b3f4f94556b61f716f820ad81c45ecd5.exe

  • Size

    3.2MB

  • MD5

    a2a41c9172d9662c2096854b519d8ab1

  • SHA1

    e7e46f426f56bd981532ffe3cd443d8a93fce9b2

  • SHA256

    3fd8820cef3f225be64863db12c141f9b3f4f94556b61f716f820ad81c45ecd5

  • SHA512

    8db50c83cf4d64717321c372d86fdef728c64b815d1b8164128c5c7cd401ede55bcf7ef6b0da86dc9bdc5bae481e7c40b1a744d54bf42a86d871c5d288cb9639

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBnB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpIbVz8eLFcz

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3fd8820cef3f225be64863db12c141f9b3f4f94556b61f716f820ad81c45ecd5.exe
    "C:\Users\Admin\AppData\Local\Temp\3fd8820cef3f225be64863db12c141f9b3f4f94556b61f716f820ad81c45ecd5.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2428
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1280
    • C:\FilesCW\xbodloc.exe
      C:\FilesCW\xbodloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2696

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\FilesCW\xbodloc.exe

    Filesize

    3.2MB

    MD5

    df7c77f1838101878427812c74cdd9fb

    SHA1

    12c1baca34cf69737537cedd428fd0a569808d73

    SHA256

    522883a0af871f4cdae7ba44c9ac3a52ebad11d29800a3e14e00db37d702720e

    SHA512

    5b943f93e79e1cf134a0663191795561d8a171d65655f5c2ce9dadda0e2c7f5bfe50a895cf988d6c901dbc74ed6e1f9e9bf4a8ca1ba04841f62d35f77db3632d

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    202B

    MD5

    ad9eb57270335ccda2debdca98d34425

    SHA1

    6583f757d5d796d02d347fcbfb82c01290c3a862

    SHA256

    5a059e37a266ab99b0b5c0913e86bf5ead015483335f7b75309453acf7d30ead

    SHA512

    7670c7379d3c8d8e1e8175c08449e6e7d5f28689c5ddc49430afbf3e0489a8a20931387ba11060738d79e3da7293899fa5c41b9211751d92020180c3cfa9f2d5

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    170B

    MD5

    a51b208994942e75ffdba4486d266738

    SHA1

    2d4a3453893346e1b1aff9c900f13400942e2103

    SHA256

    405c1d96065a9a5e7ce82176dfeade522f1015621dbaa08ae0a1b4070395dacf

    SHA512

    1bf7c3c91eb3bb7c6a9745612403dcae9101782c3e12b50562c94b96e6a9c41325038e73b8c863e68632e8d461e38c9f530f8604c0465ad79dc13b5f970d2879

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe

    Filesize

    3.2MB

    MD5

    e240929ce928cbcce290e035812a9c37

    SHA1

    a9cf1a884590a29f72a569c582fc763fed6d1fdd

    SHA256

    eba23899a50f16895786731b0233050ff4c19385445c98c839b451e5ba17538d

    SHA512

    c6cece84f945af91dcb044406e21e4a5387bfe63aba49fb94f196cb7b7f6205632553d0580393d65e5d43f4fb5e71be534dff9d6dac745f284fde9e64fc61894

  • C:\Vid3F\boddevsys.exe

    Filesize

    3.2MB

    MD5

    1f99a946e489a716cd3795f041ef077a

    SHA1

    000b407d2b011a1f2ff7d76b06249ac0335403b4

    SHA256

    58d326851c83e5b6ea2a0c299f4cff25e46eaea89bcc8147e77965dfd2f31c6c

    SHA512

    5e8498be8fdd91cd4ed87b6e9b47ba301a839237ca4863b247bf19431ff1ca34052025b16e55c47b1213d4b63c4a5384a791acf42ec24a6dd45b9cd710eca2d3

  • C:\Vid3F\boddevsys.exe

    Filesize

    3.2MB

    MD5

    bcca63e21e2c9474b49354456f7d37de

    SHA1

    56fede3206d3290a1f3ceeeffcc2209c5f839358

    SHA256

    86c6fc5183ec5dcaad266970616e6fab673d22a6f88a34beaebb82f993bf114c

    SHA512

    c714ae7a84fed6cb563ba0d01783f5ac8cf6eaae8f1980098f150037529fc3991967c94d765ccb0b6d44f1711bc403bd26235c7d7f2ba3f44cefa96bcd3c6daf