Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30/05/2024, 18:50

General

  • Target

    0feb487b2787d486b748250c135ee7a6d1ab9594c06132d99105fb80e93b7b0e.exe

  • Size

    3.9MB

  • MD5

    2050253ec7997ee98060c1375716ce9c

  • SHA1

    99fb10d0c4624774b32ffd62f3ee808bdb51f42e

  • SHA256

    0feb487b2787d486b748250c135ee7a6d1ab9594c06132d99105fb80e93b7b0e

  • SHA512

    f8f77388194ad58c19f01d7a34da5ef10949d8f89917a8d0c4c0659dba30798af637849ad7a0d01b304c1eac3baf5daaea3b0935c918af22211b17553d656317

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB1B/bSqz8:sxX7QnxrloE5dpUpSbVz8

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0feb487b2787d486b748250c135ee7a6d1ab9594c06132d99105fb80e93b7b0e.exe
    "C:\Users\Admin\AppData\Local\Temp\0feb487b2787d486b748250c135ee7a6d1ab9594c06132d99105fb80e93b7b0e.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1496
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:5060
    • C:\SysDrv3K\aoptiec.exe
      C:\SysDrv3K\aoptiec.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:3036

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\KaVBGF\dobxec.exe

    Filesize

    3.9MB

    MD5

    100dadb30b408c4fdb4b1dcda6db6656

    SHA1

    1b7a973b5e7db160bb8532e0aa8c5e76db30a184

    SHA256

    2d82a005ecf57f805743bb56cb75c19db9525a22b285eff5d3d5aa85cdd19196

    SHA512

    72cb26803d41de7c282121be6e80b5ae29ef711130ce03e26cb01c9bfb9b7d29515bc09e2c5e9a4739cdf9c00f544a5b0d91c1bc4ac451ca71ce7859dafc8ab1

  • C:\KaVBGF\dobxec.exe

    Filesize

    3.9MB

    MD5

    3a4274258cc455d2b47e0498798eabc6

    SHA1

    200d42e4be2428106f2c657e342ec3c396a197eb

    SHA256

    9a6f75083209b8c3eda76d388a21a4d9174c4e511db24d2c963436d3a3120803

    SHA512

    a2749f41f17bf1e8c98caeae9953ca5f95721e6e7ecee80fd3efb34d2a6fabd5170670c07d7e6df3315cfd02753cf9b86367e38de9e4d9466e37bbe10b40f83e

  • C:\SysDrv3K\aoptiec.exe

    Filesize

    3.9MB

    MD5

    c14b6e3d3840bbfd556cbc4e4e6ad7b9

    SHA1

    2ff0042f7349ee1640cc42a54ae0e6c6f90c2095

    SHA256

    d6ce120aff09d835f65e8a422bc791e0583c61bfd01f0118ed8c1e7daebb72b8

    SHA512

    c3758783582ef19f99268175c1a02f71d27386c067b62409b78b542658a920692061093ade852eef2b3ea733c7fa3d80e2d75d303c1c2512b1121ca04b4383af

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    203B

    MD5

    905bff650f3e9af8b7aecdaaf73397fa

    SHA1

    8fce2c1fef392ec6525f2783df2c91e28cbc11ea

    SHA256

    9ef597c530eaffcc723da14a9f4ea50dcaed460244e6e4def546857aea3578f4

    SHA512

    c8757973e1a274fcdd7f953c6bb376656d2878f76e8c3b407eb6fe03c7f0bde91a96306b0e0f151b23ced1f4cbab986f900aa6d4a86e42b38956b2b61ff70778

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    171B

    MD5

    53e02105d63f651a12ad99d434b0c691

    SHA1

    924e21bac279ccbd29f0b92f391a5dec77d9f17a

    SHA256

    db79ea91b52d41329fea356cef307ea80fe18f3e37cc651b8722fe53dbedfe39

    SHA512

    c854abeb05b9c84cfc806c52007cfed82e4a8e90fe95d6074873b4b6eeb78ae60ca6e6421f2617aa59d1fcec2b90efe8ff6aef90121a68dfd2e08bbefeba519e

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe

    Filesize

    3.9MB

    MD5

    f1be0900ef4b2d5b66b2995bf706c516

    SHA1

    4282c51c71e05a480528896da9f11eb71b103a97

    SHA256

    aebc2abac60be5fc08b98c755262b8b23e62f276a24d4672f48a785561061778

    SHA512

    20ee8c752275c9893ce463c5e0dff62684c3a0edd903914130e4382f97eca82e2d3e590fc69f39c7d9c3899b119637e4ff9bc2c0a82a9f1976acf1321d4a9df3