Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    03/06/2024, 22:47

General

  • Target

    6eb8861b82e3cf762a0469f542123907cdac790ba122ae35236980d536763588.exe

  • Size

    3.0MB

  • MD5

    5e6ce16ce37d802d8a0a0c1b4f6484fc

  • SHA1

    967c73724d5be7496bde1204ab585e9e3af51824

  • SHA256

    6eb8861b82e3cf762a0469f542123907cdac790ba122ae35236980d536763588

  • SHA512

    a374ff050da7297c66254ba87ce86b82aff416e424776af13f19b76c52786fde820883833558b94d11379e4d22d142ffcfb464fe4099a59da2edd877fd893520

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBFB/bSqz8b6LNX:sxX7QnxrloE5dpUpKbVz8eLF

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6eb8861b82e3cf762a0469f542123907cdac790ba122ae35236980d536763588.exe
    "C:\Users\Admin\AppData\Local\Temp\6eb8861b82e3cf762a0469f542123907cdac790ba122ae35236980d536763588.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1684
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2148
    • C:\UserDotZI\devoptisys.exe
      C:\UserDotZI\devoptisys.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:3068

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\MintNK\optiaec.exe

    Filesize

    3.0MB

    MD5

    1bde9993f3da4a262940658b4e7a78fb

    SHA1

    1b7e69204fad6c3c08ee17e8183207c5e290e72b

    SHA256

    45c8d7956c3dfae944fdc5479526a2f6c960df848c79021f5c91034045380d28

    SHA512

    c2a7146cf1e3f452332bd1d01fc939201f54ca74e3699e245da6a5241c6a9dfeb39e343154dc22f7e26468c8aced356f9b0b521b8f59c1830fd3090440e29de8

  • C:\MintNK\optiaec.exe

    Filesize

    3.0MB

    MD5

    faba7386e9b1bac864d9a670c90992d5

    SHA1

    c6082716d5b068743a7905ead7792fb252d71845

    SHA256

    22b1ec9cb87e4df2c8fd2350643420586c18b10908da6a3448511975f68f79c0

    SHA512

    044d2a5bbf6a8de08f83e7b10fa555ee041726b312a76496457382d91408ed9284d5edd374606a7b8312918cf8e00ce8051fe629bcaa0fcf13d4f6345513cf0d

  • C:\UserDotZI\devoptisys.exe

    Filesize

    3.0MB

    MD5

    06b9d1e6748cdb6533a320f2b814bdc4

    SHA1

    5464b51495799d5bd9b8f51e30080294d4c17ce6

    SHA256

    e52c08515379c7a7e937d9199f149d5f7cc2017a9a618275b7608f522825eda3

    SHA512

    debf06306f672cc220bdfc3d23d12ef0f651bb429e5d14b05660606506988228393b0592f2b6410df0b84523f44c2fed8b86c6db2d0a8819822fd44a34a069b3

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    173B

    MD5

    ca09ecc9a51126c8d21344417bbb505b

    SHA1

    20451a0c3bb53f9f74c9df37020c07818718dbca

    SHA256

    2bdd138572ac318878635a33e77ba99f19d40dc434ead873d5bea5afc11f3304

    SHA512

    6889a7d195ae5d89d26f229107e253467ed516674ecc73a6892d6b024542ebf1fdf224ffaebd8ba95b2a20c740c61c08cb4e5913e09bf9d5b8188524d509e39f

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    205B

    MD5

    0bac392ee3fce3329ec4f831e0db3a5b

    SHA1

    6fafcfb5be8c7e653c25f2182d11ab4e45c29f2c

    SHA256

    22b989ee0f97fc55f53dc1620640bea6f7d424e498ec4921c8dd891b6366d247

    SHA512

    39da10363060ec8b155761e0ca987ebcb6258f1a64e080d053d98091bfb49fab20afdc6184d26cc86f8741e3b86a127ced4ef09bbc547fbf82b46ce107a20540

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe

    Filesize

    3.0MB

    MD5

    f1fde10c9029e66fdeb08fde0fa79068

    SHA1

    9e060f52195252db42420315e7b9e1585ec6ab81

    SHA256

    40bba84ce54bfb861bd0c30b207e4af5e49ebf8ea3dbef0f84ec8876c312bad6

    SHA512

    072e55af43152c8a1b62318b460e05a3ad42cb7845552e2691e88c52df94be34e44a7dd7d3893222942d948e72cf0c361045cfc8e925bbc70f6ea576fa8950e7
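The Signatures section above flags two persistence mechanisms (a dropped executable in the per-user Startup folder and a Run key) and the Downloads section gives the hashes of the files the sample wrote. The following triage helper is an added example, not tria.ge code or part of this report: it turns those indicators into a host check that runs over a constructed list of file records and Run-key values. The paths, directories and SHA-256 values are taken from the report; the host records, the benign entries, and the Run value name "devoptisys" are constructed for illustration, since the report does not state which Run value the sample created.

```python
"""Host triage helper built from the indicators in this tria.ge report.

Added example, not tria.ge code. Host records are constructed for
illustration; paths and SHA-256 values come from the report above.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# SHA-256 of the submitted sample and of the dropped executables (Downloads section).
DROPPED_SHA256 = {
    "6eb8861b82e3cf762a0469f542123907cdac790ba122ae35236980d536763588",  # submitted exe
    "45c8d7956c3dfae944fdc5479526a2f6c960df848c79021f5c91034045380d28",  # C:\MintNK\optiaec.exe
    "22b1ec9cb87e4df2c8fd2350643420586c18b10908da6a3448511975f68f79c0",  # C:\MintNK\optiaec.exe (2nd write)
    "e52c08515379c7a7e937d9199f149d5f7cc2017a9a618275b7608f522825eda3",  # C:\UserDotZI\devoptisys.exe
    "40bba84ce54bfb861bd0c30b207e4af5e49ebf8ea3dbef0f84ec8876c312bad6",  # Startup\ecaopti.exe
}
# Non-standard root directories the sample created (Processes/Downloads sections).
DROPPED_DIRS = {"c:\\mintnk", "c:\\userdotzi"}
# Per-user Startup folder suffix, matching the "Drops startup file" signature.
STARTUP_SUFFIX = "\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\"
# Registry Run keys relevant to "Adds Run key to start application".
RUN_KEYS = (
    "hkcu\\software\\microsoft\\windows\\currentversion\\run",
    "hklm\\software\\microsoft\\windows\\currentversion\\run",
)


@dataclass(frozen=True)
class FileRecord:
    path: str
    sha256: str


@dataclass(frozen=True)
class RegValue:
    key: str
    name: str
    data: str


def _norm(p: str) -> str:
    """Normalise a Windows path for case-insensitive comparison."""
    return p.replace("/", "\\").lower()


def _exe_from_command(data: str) -> str:
    """Extract the executable path from a Run value, quoted or bare."""
    data = data.strip()
    m = re.match(r'"([^"]+)"', data)
    return m.group(1) if m else data.split(" ", 1)[0]


def check_file(rec: FileRecord) -> list[str]:
    """Return the indicator names a file record matches (empty list if clean)."""
    hits = []
    p = _norm(rec.path)
    if rec.sha256.lower() in DROPPED_SHA256:
        hits.append(f"known-hash {rec.sha256[:12]}")
    if STARTUP_SUFFIX in p and p.endswith(".exe"):
        hits.append("startup-folder exe")
    if any(p.startswith(d + "\\") for d in DROPPED_DIRS):
        hits.append("dropped-dir")
    return hits


def check_run_value(val: RegValue) -> list[str]:
    """Flag Run values whose command points at a dropped directory or the Startup folder."""
    if _norm(val.key) not in RUN_KEYS:
        return []
    hits = []
    exe = _norm(_exe_from_command(val.data))
    if any(exe.startswith(d + "\\") for d in DROPPED_DIRS):
        hits.append("run-key -> dropped dir")
    if STARTUP_SUFFIX in exe:
        hits.append("run-key -> startup folder")
    return hits


def triage(files: list[FileRecord], values: list[RegValue]) -> dict[str, list[str]]:
    """Map each matching artifact (path or key\\value) to its list of hits."""
    findings: dict[str, list[str]] = {}
    for f in files:
        if hits := check_file(f):
            findings[f.path] = hits
    for v in values:
        if hits := check_run_value(v):
            findings[f"{v.key}\\{v.name}"] = hits
    return findings


# Constructed host records: two artifacts from the report plus benign entries.
SAMPLE_FILES = [
    FileRecord(r"C:\UserDotZI\devoptisys.exe",
               "e52c08515379c7a7e937d9199f149d5f7cc2017a9a618275b7608f522825eda3"),
    FileRecord(r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe",
               "40bba84ce54bfb861bd0c30b207e4af5e49ebf8ea3dbef0f84ec8876c312bad6"),
    FileRecord(r"C:\Windows\System32\notepad.exe", "0" * 64),  # benign; placeholder hash
]
SAMPLE_RUN_VALUES = [
    # Value name "devoptisys" is hypothetical; the report does not give it.
    RegValue(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "devoptisys",
             r'"C:\UserDotZI\devoptisys.exe"'),
    RegValue(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
             r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]

if __name__ == "__main__":
    for artifact, hits in triage(SAMPLE_FILES, SAMPLE_RUN_VALUES).items():
        print(f"{artifact}: {', '.join(hits)}")
```

On a live host the file records would come from walking the user profile and the two dropped directories with SHA-256 computed per file, and the Run values from exporting both Run keys; the checks deliberately do not rely on the hashes alone, because the report already shows `C:\MintNK\optiaec.exe` being written twice with different hashes, so path-based indicators are more stable than any single hash.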