Analysis
- max time kernel: 149s
- max time network: 144s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27/10/2024, 22:12
Static task: static1
Behavioral task: behavioral1
- Sample: 3fd8820cef3f225be64863db12c141f9b3f4f94556b61f716f820ad81c45ecd5.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 3fd8820cef3f225be64863db12c141f9b3f4f94556b61f716f820ad81c45ecd5.exe
- Resource: win10v2004-20241007-en
General
- Target: 3fd8820cef3f225be64863db12c141f9b3f4f94556b61f716f820ad81c45ecd5.exe
- Size: 3.2MB
- MD5: a2a41c9172d9662c2096854b519d8ab1
- SHA1: e7e46f426f56bd981532ffe3cd443d8a93fce9b2
- SHA256: 3fd8820cef3f225be64863db12c141f9b3f4f94556b61f716f820ad81c45ecd5
- SHA512: 8db50c83cf4d64717321c372d86fdef728c64b815d1b8164128c5c7cd401ede55bcf7ef6b0da86dc9bdc5bae481e7c40b1a744d54bf42a86d871c5d288cb9639
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBnB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpIbVz8eLFcz
Malware Config
Signatures
- Drops startup file (1 IoC)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | 3fd8820cef3f225be64863db12c141f9b3f4f94556b61f716f820ad81c45ecd5.exe
- Executes dropped EXE (2 IoCs)
  pid | Process
  1280 | ecdevdob.exe
  2696 | xbodloc.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesCW\\xbodloc.exe" | 3fd8820cef3f225be64863db12c141f9b3f4f94556b61f716f820ad81c45ecd5.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid3F\\boddevsys.exe" | 3fd8820cef3f225be64863db12c141f9b3f4f94556b61f716f820ad81c45ecd5.exe
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3fd8820cef3f225be64863db12c141f9b3f4f94556b61f716f820ad81c45ecd5.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ecdevdob.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xbodloc.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  2428 | 3fd8820cef3f225be64863db12c141f9b3f4f94556b61f716f820ad81c45ecd5.exe (4 entries)
  1280 | ecdevdob.exe (30 entries)
  2696 | xbodloc.exe (30 entries)
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 2428 wrote to memory of 1280 | 2428 | 3fd8820cef3f225be64863db12c141f9b3f4f94556b61f716f820ad81c45ecd5.exe | 87 (3 entries)
  PID 2428 wrote to memory of 2696 | 2428 | 3fd8820cef3f225be64863db12c141f9b3f4f94556b61f716f820ad81c45ecd5.exe | 90 (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\3fd8820cef3f225be64863db12c141f9b3f4f94556b61f716f820ad81c45ecd5.exe (PID 2428, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\3fd8820cef3f225be64863db12c141f9b3f4f94556b61f716f820ad81c45ecd5.exe"
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe (PID 1280, depth 2)
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\FilesCW\xbodloc.exe (PID 2696, depth 2)
    command line: C:\FilesCW\xbodloc.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.2MB
  MD5: df7c77f1838101878427812c74cdd9fb
  SHA1: 12c1baca34cf69737537cedd428fd0a569808d73
  SHA256: 522883a0af871f4cdae7ba44c9ac3a52ebad11d29800a3e14e00db37d702720e
  SHA512: 5b943f93e79e1cf134a0663191795561d8a171d65655f5c2ce9dadda0e2c7f5bfe50a895cf988d6c901dbc74ed6e1f9e9bf4a8ca1ba04841f62d35f77db3632d
- Filesize: 202B
  MD5: ad9eb57270335ccda2debdca98d34425
  SHA1: 6583f757d5d796d02d347fcbfb82c01290c3a862
  SHA256: 5a059e37a266ab99b0b5c0913e86bf5ead015483335f7b75309453acf7d30ead
  SHA512: 7670c7379d3c8d8e1e8175c08449e6e7d5f28689c5ddc49430afbf3e0489a8a20931387ba11060738d79e3da7293899fa5c41b9211751d92020180c3cfa9f2d5
- Filesize: 170B
  MD5: a51b208994942e75ffdba4486d266738
  SHA1: 2d4a3453893346e1b1aff9c900f13400942e2103
  SHA256: 405c1d96065a9a5e7ce82176dfeade522f1015621dbaa08ae0a1b4070395dacf
  SHA512: 1bf7c3c91eb3bb7c6a9745612403dcae9101782c3e12b50562c94b96e6a9c41325038e73b8c863e68632e8d461e38c9f530f8604c0465ad79dc13b5f970d2879
- Filesize: 3.2MB
  MD5: e240929ce928cbcce290e035812a9c37
  SHA1: a9cf1a884590a29f72a569c582fc763fed6d1fdd
  SHA256: eba23899a50f16895786731b0233050ff4c19385445c98c839b451e5ba17538d
  SHA512: c6cece84f945af91dcb044406e21e4a5387bfe63aba49fb94f196cb7b7f6205632553d0580393d65e5d43f4fb5e71be534dff9d6dac745f284fde9e64fc61894
- Filesize: 3.2MB
  MD5: 1f99a946e489a716cd3795f041ef077a
  SHA1: 000b407d2b011a1f2ff7d76b06249ac0335403b4
  SHA256: 58d326851c83e5b6ea2a0c299f4cff25e46eaea89bcc8147e77965dfd2f31c6c
  SHA512: 5e8498be8fdd91cd4ed87b6e9b47ba301a839237ca4863b247bf19431ff1ca34052025b16e55c47b1213d4b63c4a5384a791acf42ec24a6dd45b9cd710eca2d3
- Filesize: 3.2MB
  MD5: bcca63e21e2c9474b49354456f7d37de
  SHA1: 56fede3206d3290a1f3ceeeffcc2209c5f839358
  SHA256: 86c6fc5183ec5dcaad266970616e6fab673d22a6f88a34beaebb82f993bf114c
  SHA512: c714ae7a84fed6cb563ba0d01783f5ac8cf6eaae8f1980098f150037529fc3991967c94d765ccb0b6d44f1711bc403bd26235c7d7f2ba3f44cefa96bcd3c6daf