Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 149s
- max time network: 123s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24/05/2024, 22:01
Static task: static1
Behavioral task: behavioral1
- Sample: 5831f4e19cce52087619e178b06757026d3a434e0b84b870a026e28ce7602a54.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 5831f4e19cce52087619e178b06757026d3a434e0b84b870a026e28ce7602a54.exe
- Resource: win10v2004-20240508-en
General
- Target: 5831f4e19cce52087619e178b06757026d3a434e0b84b870a026e28ce7602a54.exe
- Size: 2.6MB
- MD5: 2203c5fd720df2de5a72372ddcbdda13
- SHA1: 4ae371fb653954094da9d1a328d43ce680802422
- SHA256: 5831f4e19cce52087619e178b06757026d3a434e0b84b870a026e28ce7602a54
- SHA512: 8d1eb95e7d18f68e80f95ae638e692cbdf4a544b8687549d613a912aa71985ea9ba6bcfc0398f2be9f03d16c1865cdb0a094bccce2a8dffe3e49b04f96571ff6
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBMB/bS:sxX7QnxrloE5dpUp7b
Malware Config
Signatures
- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
  Process: 5831f4e19cce52087619e178b06757026d3a434e0b84b870a026e28ce7602a54.exe
- Executes dropped EXE (2 IoCs)
  PID 4532: sysdevbod.exe
  PID 3884: aoptiec.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotGZ\\aoptiec.exe"
  Process: 5831f4e19cce52087619e178b06757026d3a434e0b84b870a026e28ce7602a54.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintLV\\dobxsys.exe"
  Process: 5831f4e19cce52087619e178b06757026d3a434e0b84b870a026e28ce7602a54.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs; the repeated pid/process entries collapse to these distinct pairs)
  PID 4044: 5831f4e19cce52087619e178b06757026d3a434e0b84b870a026e28ce7602a54.exe
  PID 4532: sysdevbod.exe
  PID 3884: aoptiec.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 4044 (5831f4e19cce52087619e178b06757026d3a434e0b84b870a026e28ce7602a54.exe) wrote to memory of PID 4532, procid_target 89
  PID 4044 (5831f4e19cce52087619e178b06757026d3a434e0b84b870a026e28ce7602a54.exe) wrote to memory of PID 4532, procid_target 89
  PID 4044 (5831f4e19cce52087619e178b06757026d3a434e0b84b870a026e28ce7602a54.exe) wrote to memory of PID 4532, procid_target 89
  PID 4044 (5831f4e19cce52087619e178b06757026d3a434e0b84b870a026e28ce7602a54.exe) wrote to memory of PID 3884, procid_target 92
  PID 4044 (5831f4e19cce52087619e178b06757026d3a434e0b84b870a026e28ce7602a54.exe) wrote to memory of PID 3884, procid_target 92
  PID 4044 (5831f4e19cce52087619e178b06757026d3a434e0b84b870a026e28ce7602a54.exe) wrote to memory of PID 3884, procid_target 92
Processes
- C:\Users\Admin\AppData\Local\Temp\5831f4e19cce52087619e178b06757026d3a434e0b84b870a026e28ce7602a54.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5831f4e19cce52087619e178b06757026d3a434e0b84b870a026e28ce7602a54.exe"
  PID: 4044
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
    PID: 4532
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
  - C:\UserDotGZ\aoptiec.exe (depth 2)
    Command line: C:\UserDotGZ\aoptiec.exe
    PID: 3884
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads