Analysis

  • max time kernel
    150s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27/10/2024, 22:38

General

  • Target

    46881c4fbfb757bf00ee6581931c029c16263fdf6da13bad813487e7f494c196.exe

  • Size

    2.6MB

  • MD5

    3359108b78cd44cab95b299de1416f5b

  • SHA1

    76905f1a3e52c8c1baf47cdf31b42563792e602c

  • SHA256

    46881c4fbfb757bf00ee6581931c029c16263fdf6da13bad813487e7f494c196

  • SHA512

    90722e1d71595508d44a36425f97976b4c68035bc738b7f41d39a094fcf4d2cbc1844c6052497406293751066fbe09c31e3f899ce0873608c1b0c82289663795

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB7B/bS:sxX7QnxrloE5dpUpMb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\46881c4fbfb757bf00ee6581931c029c16263fdf6da13bad813487e7f494c196.exe
    "C:\Users\Admin\AppData\Local\Temp\46881c4fbfb757bf00ee6581931c029c16263fdf6da13bad813487e7f494c196.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3516
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1520
    • C:\IntelprocHE\xbodec.exe
      C:\IntelprocHE\xbodec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4788

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\IntelprocHE\xbodec.exe

    Filesize

    2.6MB

    MD5

    b0502b0f02db5f64b51acebd351ce579

    SHA1

    846e4a58efb7c2a2f490db4a94388041bb98530e

    SHA256

    ead6f4cd6f5da52184e0c2328f905f849a28cdb04370c2ae36106cb4855b9271

    SHA512

    338fcdeee2765797525c1162bb79a5c0aabf7503a487237cf7f97cd07350ce53aab9ac691789d245d60073e4092f372acffcfb72c4ea7c87e12d63f1cd8d1dfe

  • C:\LabZGP\dobxec.exe

    Filesize

    2.6MB

    MD5

    1d91cade8744a962ece545864bafdbda

    SHA1

    fc5d863f2088f8ad6b5d783331087b64b15f8537

    SHA256

    adddf9a290f3e09fcd3f86ac16e3c136df65bf1f9b5eab9a25647a53dd419a02

    SHA512

    c682bebf1b51bf8ed89a06e76599bd3569f8689612480aae86ab927d9ac30b2c672a283f3ce3db097dc36fdd925bb1b59f4ef78e802db175a25a1c0201056c30

  • C:\LabZGP\dobxec.exe

    Filesize

    2.6MB

    MD5

    84ca470cfed14f46ec04e624d3e1f2d8

    SHA1

    1379403db7e7782b2a3e914287e831af8d951884

    SHA256

    9f7620653cc42f4e50fdedcf184eadc0f055c5d2211f97f2f43618b9987cd261

    SHA512

    eb43b89a1603c55568f414309a2a7cf8e98e6dda97e7230cf3df594dde1edb7defea20205009a389b3879bf6eca86e3cf9e41a2ac34687eb3a836967a210a542

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    203B

    MD5

    e0d7ea5f22cf1fd389d4910d097885dd

    SHA1

    f6101e1cde674f27489aa5bf4c496e23006d149d

    SHA256

    03ed0f64e656f771fface3338dba3219199e2e452ccfaee3dc30d5e15d47deff

    SHA512

    cd4f3a7673a9384e007b52a60283b78e81eb11723c987bd8e7ff0400ff29a4fabbbc107fe6c206070ef6cafaaf7fba3b33102bb00d1be7e35639ad2873382118

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    171B

    MD5

    5bdf40578ca4f1f868fcae0a48638d7e

    SHA1

    ac3f78f2c07b10d9e1a8a619160a9c1f4a1d1394

    SHA256

    455b914a8eb7447c285fc0e3af2b1f0b383c29c5bf5e561a625bcb3ee7bdb7fa

    SHA512

    08b4b00924f85e3baee9eb90d0777b48328f3f4b401617440865ba2b9aa5d3f76b3434ae8d06d573ce17a153a78cba3c9139a3e3fe809c4892c0d0e53c879026

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe

    Filesize

    2.6MB

    MD5

    07f9c63aa83b0afce20afca758ffdf73

    SHA1

    d76c3f92f9f5acf938a019a0b3f6c08355a6b298

    SHA256

    43c5c7236f8a6f84cd559fa03751b4c2c2eb1cb8e1cfbd994c8f1b0e06b2f5c6

    SHA512

    be30acaae22583524dfed1439e1506bf959cf0f75ccec23bacedbfbd073f8b102bf09f28ae4dc406ba4997b0662ede648e89b13a3dd16b4a63636167c2ce8c3d