Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 150s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/10/2024, 22:16
Static task: static1
Behavioral task: behavioral1
  Sample: 40cdfd21c20c1a2a9d9d51190aa2e87365339f33c6c6d9725fadcd8a2b9bed8c.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: 40cdfd21c20c1a2a9d9d51190aa2e87365339f33c6c6d9725fadcd8a2b9bed8c.exe
  Resource: win10v2004-20241007-en
General
Target: 40cdfd21c20c1a2a9d9d51190aa2e87365339f33c6c6d9725fadcd8a2b9bed8c.exe
Size: 2.6MB
MD5: e7b4c7419fe3b6abef29abf8b4158d76
SHA1: 7ded70c2b2421e82b5a97e61515d8ebe72028d91
SHA256: 40cdfd21c20c1a2a9d9d51190aa2e87365339f33c6c6d9725fadcd8a2b9bed8c
SHA512: 586387b7bc3e3fc0f901616a372cf6c64bd3eba5943914427199b514ff749bc941ef31053210d76d28dad64c22e0c0954dce325f5338cd367351e3fa1f3bcb74
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBPB/bS:sxX7QnxrloE5dpUpkb
Malware Config
Signatures

Drops startup file (1 IoC)
  description  | ioc                                                                                           | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe       | 40cdfd21c20c1a2a9d9d51190aa2e87365339f33c6c6d9725fadcd8a2b9bed8c.exe

Executes dropped EXE (2 IoCs)
  pid  | Process
  1296 | ecadob.exe
  4408 | devdobloc.exe

Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  description     | ioc                                                                                                                                              | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZEC\\optixsys.exe"    | 40cdfd21c20c1a2a9d9d51190aa2e87365339f33c6c6d9725fadcd8a2b9bed8c.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotLX\\devdobloc.exe"    | 40cdfd21c20c1a2a9d9d51190aa2e87365339f33c6c6d9725fadcd8a2b9bed8c.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc                                                           | Process
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   | 40cdfd21c20c1a2a9d9d51190aa2e87365339f33c6c6d9725fadcd8a2b9bed8c.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   | ecadob.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   | devdobloc.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs; repeated entries collapsed, count given per row)
  pid  | Process                                                                | entries
  4112 | 40cdfd21c20c1a2a9d9d51190aa2e87365339f33c6c6d9725fadcd8a2b9bed8c.exe   | 4
  1296 | ecadob.exe                                                             | 30
  4408 | devdobloc.exe                                                          | 30

Suspicious use of WriteProcessMemory (6 IoCs)
  description                       | pid  | Process                                                                | procid_target
  PID 4112 wrote to memory of 1296  | 4112 | 40cdfd21c20c1a2a9d9d51190aa2e87365339f33c6c6d9725fadcd8a2b9bed8c.exe   | 87
  PID 4112 wrote to memory of 1296  | 4112 | 40cdfd21c20c1a2a9d9d51190aa2e87365339f33c6c6d9725fadcd8a2b9bed8c.exe   | 87
  PID 4112 wrote to memory of 1296  | 4112 | 40cdfd21c20c1a2a9d9d51190aa2e87365339f33c6c6d9725fadcd8a2b9bed8c.exe   | 87
  PID 4112 wrote to memory of 4408  | 4112 | 40cdfd21c20c1a2a9d9d51190aa2e87365339f33c6c6d9725fadcd8a2b9bed8c.exe   | 88
  PID 4112 wrote to memory of 4408  | 4112 | 40cdfd21c20c1a2a9d9d51190aa2e87365339f33c6c6d9725fadcd8a2b9bed8c.exe   | 88
  PID 4112 wrote to memory of 4408  | 4112 | 40cdfd21c20c1a2a9d9d51190aa2e87365339f33c6c6d9725fadcd8a2b9bed8c.exe   | 88
Processes

C:\Users\Admin\AppData\Local\Temp\40cdfd21c20c1a2a9d9d51190aa2e87365339f33c6c6d9725fadcd8a2b9bed8c.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\40cdfd21c20c1a2a9d9d51190aa2e87365339f33c6c6d9725fadcd8a2b9bed8c.exe"
  PID: 4112
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  child: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
    PID: 1296
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

  child: C:\UserDotLX\devdobloc.exe
    command line: C:\UserDotLX\devdobloc.exe
    PID: 4408
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2.6MB
MD5: 85b1c4d1f752a226debd7fb43c853b96
SHA1: 88f87ce59d7ff1b6dc4616717babf6ee2c6cc0fe
SHA256: 510b64b9e2cd6a06acded41609d538dcbf33f0ebf09dc594e0d1f3f2f85d91e6
SHA512: e06b5ba9c9eeaa49d32e9aed48d22e87fd9eab1ac50af2bea22b7e386f7e4773c772907a1d8496898e459236001c29406768fb34b4d9b9d6e460b465c36731dd

Filesize: 603KB
MD5: 6eb07a56cc7b1f82a8460375d9a03f3f
SHA1: 53b16784d04cb731e87fcb6ec2ea14dc53ab49ed
SHA256: 20a8837dbb3ddfc0071f863cad93cf282d0395b2d8103a8fe8194dccbddc4245
SHA512: 5a0a0f428e9207b6019d7a1d0953bdf43191b8eb0cb280670cf809fff082b5a3821f33fcd168a66338e9d16086c0b9f3742690ef5db4e0f66bd69550ab58f682

Filesize: 2.6MB
MD5: 83daaeae6dd76ba6d4ed466dc7a6f5a2
SHA1: 779ff48645068044d59ec1d06e512315345010d5
SHA256: bc80bbe40b1251cd8abeb06c3934d0aa90c6a8eb40824202a39f1de755ccb87e
SHA512: 75f9a3ded7d8826a9bdf3c73a3f2a1ace1a0efe847bfd9f17ae748d58f1ce00fd4a93589361cb3a98da1678835a86ba257d2786dcba106369619750cb66d6975

Filesize: 204B
MD5: db28aebc37103645f7a83d57e7d07902
SHA1: 0b1b8704b176fb2ff70a6784d7b4e1a21bf798ff
SHA256: 238abec2af50c3e96d9aac7d5855c21c57c326d449e8db7c5d7c3b791dc859ee
SHA512: b909ff905fcd17737459c1a77a3361f16be5077f6d1f23ff994825debfd11d9298fbea950bbc77576fc10b95480c906058e102dc358886f1da75851feeb7d2d6

Filesize: 172B
MD5: 4d602bb0a7707030ac8c3509dfb9c7fc
SHA1: d50d8fa4d3560d37265cbba09b9c6ed552e06273
SHA256: d502fe8a30449ce13667b982330b576fc679169b900c332140e6f82719287240
SHA512: 4c5a741d27a59c0bda0cc98b8ef41a9b869337e6ef5431ff892cd2839ebaaeecea11490f8dfa344ca523036ce14b5f1f024c3fa9fbc0e93040de61bf91b21111

Filesize: 2.6MB
MD5: 8a5a6f7ca8bed35cb8efcc368f7af5ea
SHA1: 6c5894f20220276f74601d4225b9a1b2fc1f9dac
SHA256: 8f0bc24531895220d51dfd52b059a35394549755a43e581e49b0a423eb4beea6
SHA512: 6a946ecdd4492a31156c2121e9f741c9b6f31d66578b9720bfa107a96fad5a9ae5dff60fc5c20f2d46a20b5145612daa438f318753dcaef537f01577e36b1f7a