Analysis
- max time kernel: 148s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
- submitted: 30/04/2024, 18:34
Static task
static1
Behavioral task
behavioral1
Sample
085e324e016843d9b4a79c7644cbd3b00ed3daf4a814290ba91206704330390b.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
085e324e016843d9b4a79c7644cbd3b00ed3daf4a814290ba91206704330390b.exe
Resource
win10v2004-20240419-en
General
- Target: 085e324e016843d9b4a79c7644cbd3b00ed3daf4a814290ba91206704330390b.exe
- Size: 3.1MB
- MD5: 4c5d0fbae00c38eed59d9199f4e2dcbf
- SHA1: e5e072dfa48b7afb272108d63f11897a818cce82
- SHA256: 085e324e016843d9b4a79c7644cbd3b00ed3daf4a814290ba91206704330390b
- SHA512: c8372a26491237538d9df3f4e20c2589991534fb7e38cdbbd98e39b6a34379974bae865b74de818551d3e27c2f0d78fc94c8800565502c2fb6889e99033a5f28
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB/B/bSqz8:sxX7QnxrloE5dpUpsbVz8
Malware Config
Signatures
- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe, by 085e324e016843d9b4a79c7644cbd3b00ed3daf4a814290ba91206704330390b.exe
- Executes dropped EXE (2 IoCs)
  PID 2484: sysdevbod.exe
  PID 3036: aoptiec.exe
- Loads dropped DLL (2 IoCs)
  PID 2204: 085e324e016843d9b4a79c7644cbd3b00ed3daf4a814290ba91206704330390b.exe (two loads)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials. The report lists no file or process IoC for this signature, so it does not show which browser store was read.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocMC\\aoptiec.exe", by 085e324e016843d9b4a79c7644cbd3b00ed3daf4a814290ba91206704330390b.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintHY\\optixloc.exe", by 085e324e016843d9b4a79c7644cbd3b00ed3daf4a814290ba91206704330390b.exe
  Both values share the name Parametr. Only the Run target (aoptiec.exe) executes during this run; the RunOnce target C:\MintHY\optixloc.exe does not appear in the process list, so its behaviour is not covered by this report.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2204: 085e324e016843d9b4a79c7644cbd3b00ed3daf4a814290ba91206704330390b.exe (2 entries), then PID 2484 sysdevbod.exe and PID 3036 aoptiec.exe alternating for the remaining entries.
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2204 (085e324e016843d9b4a79c7644cbd3b00ed3daf4a814290ba91206704330390b.exe) wrote to memory of PID 2484, 4 entries, procid_target 28
  PID 2204 (085e324e016843d9b4a79c7644cbd3b00ed3daf4a814290ba91206704330390b.exe) wrote to memory of PID 3036, 4 entries, procid_target 29
  Both targets are the child processes that PID 2204 itself starts (see Processes). A few writes into a freshly created child is the pattern ordinary child-process creation produces, so this signature alone does not demonstrate injection into an unrelated process.
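As an added example (not part of the tria.ge report and not sandbox tooling), the following Python matcher turns the persistence and hash indicators from the Signatures and General sections into detection logic and runs it over a few constructed Sysmon-style events. The event schema (type, target_object, data, path, image, sha256), the sample events and the "top-level folder" heuristic are assumptions of the example; the IoC paths, value name and hashes are copied from the report.

```python
"""Match EDR-style events against the persistence IoCs listed in this report.

Added example. The event dicts below are a constructed approximation of
Sysmon telemetry (registry set / file create / process create), not a
format produced by tria.ge.
"""
import re

# IoCs copied from the report's Signatures and General sections.
IOC_VALUE_NAME = "parametr"
IOC_PATHS = {
    r"c:\intelprocmc\aoptiec.exe",
    r"c:\minthy\optixloc.exe",
    r"c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\sysdevbod.exe",
}
IOC_SHA256 = {
    "085e324e016843d9b4a79c7644cbd3b00ed3daf4a814290ba91206704330390b",  # submitted sample
    "8add0b98ad33826fdf7e2df91d3a6d6ad3e6c69bf6da77f131f96a688958f05f",  # 3.1MB dropped file
    "26acb767111dde1c5555a2387960dae3c4bcd89271ec57866eab83dc121ebd15",  # 1.9MB dropped file
    "511c0ba1c55934b3abb666a5d065ba70ec22b6f46bcd10f359acf311132fb4e6",  # 73KB dropped file
    "37f293dee7f07fe83a0a0c3b8513805201842b04b133bd931a0f4a0b583b11d2",  # 3.1MB dropped file
}

# Sysmon-style TargetObject: <hive>\...\CurrentVersion\Run|RunOnce\<value name>
RUN_KEY_RE = re.compile(
    r"\\software\\microsoft\\windows\\currentversion\\(run|runonce)\\([^\\]+)$", re.I)
STARTUP_DIR_RE = re.compile(
    r"\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\[^\\]+\.exe$", re.I)
# Heuristic (an assumption of this example, not a rule from the report): an
# autorun target in a freshly made top-level folder such as C:\IntelprocMC\
# is unusual for legitimate software, which installs under Program Files.
TOPLEVEL_DIR_EXE_RE = re.compile(
    r"^[a-z]:\\(?!windows\\|program files)[^\\]+\\[^\\]+\.exe$", re.I)


def exe_from_command(cmd: str) -> str:
    """Extract the executable path from a Run value's data (quoted or not)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.exe)", cmd, re.I)
    return m.group(1) if m else cmd


def match_event(evt: dict) -> list[str]:
    """Return the findings (possibly empty) for one event."""
    findings = []
    kind = evt.get("type")
    if kind == "registry_set":
        m = RUN_KEY_RE.search(evt["target_object"])
        if m:
            key, value_name = m.group(1), m.group(2)
            target = exe_from_command(evt["data"]).lower()
            if value_name.lower() == IOC_VALUE_NAME:
                findings.append(f"{key} value name '{value_name}' matches report IoC")
            if target in IOC_PATHS:
                findings.append(f"{key} target matches report IoC: {target}")
            elif TOPLEVEL_DIR_EXE_RE.match(target):
                findings.append(f"heuristic: {key} target in non-standard top-level folder: {target}")
    elif kind == "file_create":
        path = evt["path"].lower()
        if path in IOC_PATHS:
            findings.append(f"dropped file matches report IoC: {path}")
        elif STARTUP_DIR_RE.search(path):
            findings.append("heuristic: executable written to user Startup folder")
    elif kind == "process_create":
        image = evt["image"].lower()
        if evt.get("sha256", "").lower() in IOC_SHA256:
            findings.append(f"image hash matches report IoC: {evt['sha256']}")
        if image in IOC_PATHS:
            findings.append(f"image path matches report IoC: {image}")
    return findings


def scan(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Return (event index, findings) for every event that produced a finding."""
    hits = []
    for i, evt in enumerate(events):
        f = match_event(evt)
        if f:
            hits.append((i, f))
    return hits


# Constructed events: the first three reproduce behaviour from this report,
# the last two are benign controls that must not fire.
SAMPLE_EVENTS = [
    {"type": "registry_set",
     "target_object": r"HKU\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr",
     "data": r"C:\IntelprocMC\aoptiec.exe"},
    {"type": "file_create",
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"},
    {"type": "process_create",
     "image": r"C:\Users\Admin\AppData\Local\Temp\085e324e016843d9b4a79c7644cbd3b00ed3daf4a814290ba91206704330390b.exe",
     "sha256": "085e324e016843d9b4a79c7644cbd3b00ed3daf4a814290ba91206704330390b"},
    {"type": "registry_set",
     "target_object": r"HKU\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"type": "file_create", "path": r"C:\Users\Admin\Documents\notes.txt"},
]

if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_EVENTS):
        print(f"event {idx}:")
        for f in findings:
            print("   ", f)
```

The exact-match sets catch this sample's artefacts; the two heuristics (an autorun target in a non-standard top-level folder, an executable dropped into the user Startup folder) are the generalisation a hunter would keep after the specific hashes stop mattering, and are labelled as such in the findings so they can be triaged separately.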
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\085e324e016843d9b4a79c7644cbd3b00ed3daf4a814290ba91206704330390b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\085e324e016843d9b4a79c7644cbd3b00ed3daf4a814290ba91206704330390b.exe"
  PID: 2204
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Level 2 (child of PID 2204): C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
    PID: 2484
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
  - Level 2 (child of PID 2204): C:\IntelprocMC\aoptiec.exe
    Command line: C:\IntelprocMC\aoptiec.exe
    PID: 3036
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads (dropped files, identified by hash only; the report gives no file names)
- Filesize: 3.1MB
  MD5: f17f9948dcb9be9cac69635ee703c234
  SHA1: 4c0aa750b67e171e1aa73556aa5c0fc62753ed26
  SHA256: 8add0b98ad33826fdf7e2df91d3a6d6ad3e6c69bf6da77f131f96a688958f05f
  SHA512: 5263d5aeff2e905af422f096b854e8a9b5cfd905a6f91ddd9ddbdb2513e63816ce478b1407df5f648f0a3857f885738a2a0b6e620916fc7317eab6c60b9c992f
- Filesize: 1.9MB
  MD5: eeb51321b8c3387256b13c7b8835430d
  SHA1: b36f4521fab652fbb0aefbcc8275a4b7ba2daacf
  SHA256: 26acb767111dde1c5555a2387960dae3c4bcd89271ec57866eab83dc121ebd15
  SHA512: 07c8b8f993112464f90bb084eac2303657a134a154a50b7b5f0a51ff839fc51aa3947708eed09d7f73030a773e036d291a5b9f859a5359d0bd4c5abe36492ab8
- Filesize: 73KB
  MD5: dc15e86e319ef185540511b77b43aa8f
  SHA1: 8a43b3cafc32391559f9308331f6eeb2dc06f750
  SHA256: 511c0ba1c55934b3abb666a5d065ba70ec22b6f46bcd10f359acf311132fb4e6
  SHA512: c2c2794a0105d7e9a74f5ba6beb99c6e6fab698f142944719234ee326b39f342b36164b40a802c4d2352002fc8aa637a11ef4632c81ab1cad3cc933d6142a667
- Filesize: 175B
  MD5: 471b8d3fd51f67f0bea31c828be0b065
  SHA1: debf51b4597d75f2af9dbec2908f6d0c6c7f5494
  SHA256: 65cd88e23cf6e7cba5da6d62c65121aaace9740ba9063d6361186ff91051ae2b
  SHA512: a1fb0df7faed3e9fe4f185267ba992fc5143e8d44cdb0915af554db7c07ddeca4b7ae19e74bb8b0937dd6303978a10ee44223f13e9c0807b7978ba99403d4939
- Filesize: 207B
  MD5: ef92727a42fecac19f90a892dc86e2db
  SHA1: 53f4975ebdf686c736dd19902f1e659f08dac183
  SHA256: 79f8dd512e2ccb9dd30f23cd79cfc43791f38e27ebe3a1fc11ec58b2c105d436
  SHA512: 8086727cdaef208852ad3bbc5b04b7bcda3bb9b20563bc8f0caf97b7ecd92c2b41ae1366419cb2a5b5342275e6e017ebd9ca9c6ef4a57a19a3cd6c30a36453bf
- Filesize: 3.1MB
  MD5: 7021c233cea00c12963e8bd945220c3b
  SHA1: 358926ece243899faa23f2e5f929f8bc8b38764b
  SHA256: 37f293dee7f07fe83a0a0c3b8513805201842b04b133bd931a0f4a0b583b11d2
  SHA512: 6f9f2ffe7b9c68b3321f894aba2197a251c03aa8b07393c8e1bff434f964718efd004cc1dda314513998379f9cb686942771288092adad339d8ead00e162fe31