Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 150s
- max time network: 142s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27/10/2024, 22:38
Static task
- static1
Behavioral task
- behavioral1
  Sample: 46881c4fbfb757bf00ee6581931c029c16263fdf6da13bad813487e7f494c196.exe
  Resource: win7-20241010-en
Behavioral task
- behavioral2
  Sample: 46881c4fbfb757bf00ee6581931c029c16263fdf6da13bad813487e7f494c196.exe
  Resource: win10v2004-20241007-en
The signatures, process tree and downloads below are from behavioral2 (platform windows10-2004_x64, resource win10v2004-20241007-en), as the Analysis header shows; the Windows 7 run (behavioral1) is a separate task.
General
- Target: 46881c4fbfb757bf00ee6581931c029c16263fdf6da13bad813487e7f494c196.exe
- Size: 2.6MB
- MD5: 3359108b78cd44cab95b299de1416f5b
- SHA1: 76905f1a3e52c8c1baf47cdf31b42563792e602c
- SHA256: 46881c4fbfb757bf00ee6581931c029c16263fdf6da13bad813487e7f494c196
- SHA512: 90722e1d71595508d44a36425f97976b4c68035bc738b7f41d39a094fcf4d2cbc1844c6052497406293751066fbe09c31e3f899ce0873608c1b0c82289663795
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB7B/bS:sxX7QnxrloE5dpUpMb
Malware Config
Signatures
-
Drops startup file (1 IoC)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe | 46881c4fbfb757bf00ee6581931c029c16263fdf6da13bad813487e7f494c196.exe
-
Executes dropped EXE (2 IoCs)
pid | Process
1520 | locaopti.exe
4788 | xbodec.exe
-
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets. The report lists no individual IoCs under this signature, so the specific files or browsers touched are not shown here.
-
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocHE\\xbodec.exe" | 46881c4fbfb757bf00ee6581931c029c16263fdf6da13bad813487e7f494c196.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZGP\\dobxec.exe" | 46881c4fbfb757bf00ee6581931c029c16263fdf6da13bad813487e7f494c196.exe
Both values share the name Parametr but point at different executables in two non-standard top-level directories, C:\IntelprocHE and C:\LabZGP. Only the Run target, xbodec.exe, is observed executing in this run; the RunOnce target dobxec.exe is written to the registry but is not among the executed dropped EXEs and does not appear in the process tree below.
-
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 46881c4fbfb757bf00ee6581931c029c16263fdf6da13bad813487e7f494c196.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | locaopti.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xbodec.exe
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
3516 | 46881c4fbfb757bf00ee6581931c029c16263fdf6da13bad813487e7f494c196.exe (4 entries)
1520 | locaopti.exe and 4788 | xbodec.exe (the remaining 60 entries, alternating in pairs between the two dropped executables)
-
Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 3516 wrote to memory of 1520 | 3516 | 46881c4fbfb757bf00ee6581931c029c16263fdf6da13bad813487e7f494c196.exe | 88 (3 entries)
PID 3516 wrote to memory of 4788 | 3516 | 46881c4fbfb757bf00ee6581931c029c16263fdf6da13bad813487e7f494c196.exe | 89 (3 entries)
All six writes come from the parent (PID 3516) into the two children it has just spawned, three per child. That pattern is consistent with the writes a parent makes while starting a child process; on their own these entries do not show injection into an unrelated process.
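The three persistence IoCs above (the Startup-folder drop and the Run and RunOnce values) are the part of this report a responder would turn into a check first. The following is an added example, not tria.ge code and not part of the sample: it parses the signature lines exactly as the report prints them, emits one finding per autostart entry, rates the target path with a simple heuristic, and reports value names reused across Run and RunOnce. The OneDrive line in the sample input is a constructed benign control, and the "expected install location" prefixes are an assumption for illustration, not a vetted allow-list.

```python
"""Triage helper for the persistence IoCs in a tria.ge-style report.

Added example for this page; it is not tria.ge code and not part of the
sample. It parses the signature text as the report prints it, pulls out
every autostart entry (Run key, RunOnce key, Startup folder drop) and
rates each one with a path heuristic.
"""
import re
from dataclasses import dataclass

# Constructed sample input: the three persistence IoCs from the report
# above, plus one ordinary Run entry (constructed, not from the report)
# so that the rating has a benign case to separate from the malicious ones.
SAMPLE_IOCS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000'
    r'\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocHE\\xbodec.exe"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000'
    r'\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZGP\\dobxec.exe"',
    r'File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows'
    r'\Start Menu\Programs\Startup\locaopti.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000'
    r'\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive'
    r' = "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe"',
]

RUN_KEY_RE = re.compile(
    r'Set value \(str\) \\REGISTRY\\(?:USER|MACHINE)\\.*?'
    r'\\CurrentVersion\\(?P<mechanism>Run|RunOnce)\\(?P<name>[^\\ ]+) = "(?P<target>.*)"$'
)
STARTUP_RE = re.compile(
    r'File created (?P<target>.*\\Start Menu\\Programs\\Startup\\[^\\]+)$'
)

# Locations from which an autostart binary is normally launched (assumed
# for illustration). Anything else, in particular a non-standard top-level
# directory such as C:\IntelprocHE, is rated suspicious. Heuristic only.
EXPECTED_PREFIXES = (r"c:\program files", r"c:\windows")
PER_USER_MS_RE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\microsoft\\")


@dataclass
class Finding:
    technique: str    # ATT&CK sub-technique id
    mechanism: str    # "Run", "RunOnce" or "StartupFolder"
    name: str         # registry value name or dropped file name
    target: str       # executable that will be launched at logon
    suspicious: bool
    reason: str


def _unescape(value: str) -> str:
    """tria.ge prints REG_SZ data with doubled backslashes; collapse them."""
    return value.replace("\\\\", "\\")


def _rate_target(target: str):
    low = target.lower()
    if low.startswith(EXPECTED_PREFIXES) or PER_USER_MS_RE.match(low):
        return False, "target lives under a normal install location"
    parts = target.split("\\")
    if len(parts) == 3 and low.startswith("c:\\"):
        return True, f"target sits in non-standard top-level directory C:\\{parts[1]}"
    return True, "target outside normal install locations"


def parse_persistence(lines):
    """Return one Finding per autostart IoC line; other lines are ignored."""
    findings = []
    for line in lines:
        m = RUN_KEY_RE.search(line)
        if m:
            target = _unescape(m.group("target"))
            suspicious, reason = _rate_target(target)
            findings.append(Finding("T1547.001", m.group("mechanism"),
                                    m.group("name"), target, suspicious, reason))
            continue
        m = STARTUP_RE.search(line)
        if m:
            target = m.group("target")
            is_lnk = target.lower().endswith(".lnk")
            findings.append(Finding(
                "T1547.001", "StartupFolder", target.rsplit("\\", 1)[1], target,
                not is_lnk,
                "shortcut in Startup folder" if is_lnk
                else "raw executable written straight into the Startup folder"))
    return findings


def reused_value_names(findings):
    """Value names that point at different targets across Run and RunOnce.

    The report's sample does exactly this: 'Parametr' names xbodec.exe in Run
    and dobxec.exe in RunOnce, so the value name alone is a usable pivot.
    """
    targets = {}
    for f in findings:
        if f.mechanism in ("Run", "RunOnce"):
            targets.setdefault(f.name, set()).add(f.target)
    return {name: t for name, t in targets.items() if len(t) > 1}


if __name__ == "__main__":
    found = parse_persistence(SAMPLE_IOCS)
    for f in found:
        flag = "SUSPICIOUS" if f.suspicious else "ok        "
        print(f"{flag} {f.technique} {f.mechanism:<13} {f.name:<12} {f.target}  ({f.reason})")
    print("value names reused with different targets:", reused_value_names(found))
```

The rating is deliberately coarse: it separates the two entries pointing at C:\IntelprocHE and C:\LabZGP, and the raw EXE in the Startup folder, from an entry under Program Files, which is all that is needed to prioritise a report like this one. On a live host the same parser can be fed exported Run/RunOnce values and a Startup-folder listing instead of sandbox text.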
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\46881c4fbfb757bf00ee6581931c029c16263fdf6da13bad813487e7f494c196.exe
command line: "C:\Users\Admin\AppData\Local\Temp\46881c4fbfb757bf00ee6581931c029c16263fdf6da13bad813487e7f494c196.exe"
PID: 3516
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
  [2] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe (child of PID 3516)
  command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe"
  PID: 1520
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
-
  [2] C:\IntelprocHE\xbodec.exe (child of PID 3516)
  command line: C:\IntelprocHE\xbodec.exe
  PID: 4788
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
-
Both children run from the locations the parent has just registered for autostart: locaopti.exe from the Startup folder and xbodec.exe from C:\IntelprocHE, the Run-key target.
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 2.6MB
MD5: b0502b0f02db5f64b51acebd351ce579
SHA1: 846e4a58efb7c2a2f490db4a94388041bb98530e
SHA256: ead6f4cd6f5da52184e0c2328f905f849a28cdb04370c2ae36106cb4855b9271
SHA512: 338fcdeee2765797525c1162bb79a5c0aabf7503a487237cf7f97cd07350ce53aab9ac691789d245d60073e4092f372acffcfb72c4ea7c87e12d63f1cd8d1dfe
-
Filesize: 2.6MB
MD5: 1d91cade8744a962ece545864bafdbda
SHA1: fc5d863f2088f8ad6b5d783331087b64b15f8537
SHA256: adddf9a290f3e09fcd3f86ac16e3c136df65bf1f9b5eab9a25647a53dd419a02
SHA512: c682bebf1b51bf8ed89a06e76599bd3569f8689612480aae86ab927d9ac30b2c672a283f3ce3db097dc36fdd925bb1b59f4ef78e802db175a25a1c0201056c30
-
Filesize: 2.6MB
MD5: 84ca470cfed14f46ec04e624d3e1f2d8
SHA1: 1379403db7e7782b2a3e914287e831af8d951884
SHA256: 9f7620653cc42f4e50fdedcf184eadc0f055c5d2211f97f2f43618b9987cd261
SHA512: eb43b89a1603c55568f414309a2a7cf8e98e6dda97e7230cf3df594dde1edb7defea20205009a389b3879bf6eca86e3cf9e41a2ac34687eb3a836967a210a542
-
Filesize: 203B
MD5: e0d7ea5f22cf1fd389d4910d097885dd
SHA1: f6101e1cde674f27489aa5bf4c496e23006d149d
SHA256: 03ed0f64e656f771fface3338dba3219199e2e452ccfaee3dc30d5e15d47deff
SHA512: cd4f3a7673a9384e007b52a60283b78e81eb11723c987bd8e7ff0400ff29a4fabbbc107fe6c206070ef6cafaaf7fba3b33102bb00d1be7e35639ad2873382118
-
Filesize: 171B
MD5: 5bdf40578ca4f1f868fcae0a48638d7e
SHA1: ac3f78f2c07b10d9e1a8a619160a9c1f4a1d1394
SHA256: 455b914a8eb7447c285fc0e3af2b1f0b383c29c5bf5e561a625bcb3ee7bdb7fa
SHA512: 08b4b00924f85e3baee9eb90d0777b48328f3f4b401617440865ba2b9aa5d3f76b3434ae8d06d573ce17a153a78cba3c9139a3e3fe809c4892c0d0e53c879026
-
Filesize: 2.6MB
MD5: 07f9c63aa83b0afce20afca758ffdf73
SHA1: d76c3f92f9f5acf938a019a0b3f6c08355a6b298
SHA256: 43c5c7236f8a6f84cd559fa03751b4c2c2eb1cb8e1cfbd994c8f1b0e06b2f5c6
SHA512: be30acaae22583524dfed1439e1506bf959cf0f75ccec23bacedbfbd073f8b102bf09f28ae4dc406ba4997b0662ede648e89b13a3dd16b4a63636167c2ce8c3d