Analysis

max time kernel: 148s
max time network: 122s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 03/06/2024, 00:38
Static task: static1

Behavioral task: behavioral1
  Sample: 8bb451ebc7994a0acc544264b10ec2e5d34d0d8e9a7cfe4441ac86f5c7a3ca24.exe
  Resource: win7-20240508-en

Behavioral task: behavioral2
  Sample: 8bb451ebc7994a0acc544264b10ec2e5d34d0d8e9a7cfe4441ac86f5c7a3ca24.exe
  Resource: win10v2004-20240426-en
General

Target: 8bb451ebc7994a0acc544264b10ec2e5d34d0d8e9a7cfe4441ac86f5c7a3ca24.exe
Size: 3.6MB
MD5: 1b465683b99a9a059afa5892b0e58220
SHA1: 6df1d43c168027e0a22feca76427aa49028f8a9e
SHA256: 8bb451ebc7994a0acc544264b10ec2e5d34d0d8e9a7cfe4441ac86f5c7a3ca24
SHA512: a1f197898b45681e2729f13d3a936e771765c14a5e1cfc7c5817136d9be0fc6eeeea3270526bde74523e838303c83cfed1751bcfdd770859343671901f6899f6
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBRB/bSqz8:sxX7QnxrloE5dpUpmbVz8
Malware Config
Signatures
Drops startup file (1 IoC)
  description  | ioc                                                                                      | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | 8bb451ebc7994a0acc544264b10ec2e5d34d0d8e9a7cfe4441ac86f5c7a3ca24.exe

Executes dropped EXE (2 IoCs)
  pid  | process
  2108 | ecadob.exe
  3052 | devoptiec.exe

Loads dropped DLL (2 IoCs)
  pid | process
  848 | 8bb451ebc7994a0acc544264b10ec2e5d34d0d8e9a7cfe4441ac86f5c7a3ca24.exe
  848 | 8bb451ebc7994a0acc544264b10ec2e5d34d0d8e9a7cfe4441ac86f5c7a3ca24.exe
  Both loads are attributed to the original sample (PID 848); the report does not list the DLL paths.

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar secrets. No IoC rows are listed for this signature, only the TTP mapping.

Adds Run key to start application (2 TTPs, 2 IoCs)
  description     | ioc                                                                                                                                                                 | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocJX\\devoptiec.exe"    | 8bb451ebc7994a0acc544264b10ec2e5d34d0d8e9a7cfe4441ac86f5c7a3ca24.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB80\\optiaec.exe"       | 8bb451ebc7994a0acc544264b10ec2e5d34d0d8e9a7cfe4441ac86f5c7a3ca24.exe
  Both values share the name "Parametr" and point at executables in directories sitting directly under C:\. The Run target, C:\IntelprocJX\devoptiec.exe, is the devoptiec.exe that runs as PID 3052 in the process tree below. The RunOnce target, C:\KaVB80\optiaec.exe, appears neither in the process tree nor in the "Executes dropped EXE" signature, so this run shows nothing about what it does.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid  | process
  848  | 8bb451ebc7994a0acc544264b10ec2e5d34d0d8e9a7cfe4441ac86f5c7a3ca24.exe (2 entries)
  2108 | ecadob.exe
  3052 | devoptiec.exe
  The remaining 62 entries alternate between PID 2108 (ecadob.exe) and PID 3052 (devoptiec.exe); the repeats are collapsed here.

Suspicious use of WriteProcessMemory (8 IoCs)
  description                     | pid | process                                                              | procid_target
  PID 848 wrote to memory of 2108 | 848 | 8bb451ebc7994a0acc544264b10ec2e5d34d0d8e9a7cfe4441ac86f5c7a3ca24.exe | 28 (4 identical rows)
  PID 848 wrote to memory of 3052 | 848 | 8bb451ebc7994a0acc544264b10ec2e5d34d0d8e9a7cfe4441ac86f5c7a3ca24.exe | 29 (4 identical rows)
  The only write targets are the two child processes (PIDs 2108 and 3052) shown in the process tree below; no write into a process the sample did not start is recorded.
Processes

C:\Users\Admin\AppData\Local\Temp\8bb451ebc7994a0acc544264b10ec2e5d34d0d8e9a7cfe4441ac86f5c7a3ca24.exe  (PID 848)
  command line: "C:\Users\Admin\AppData\Local\Temp\8bb451ebc7994a0acc544264b10ec2e5d34d0d8e9a7cfe4441ac86f5c7a3ca24.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe  (PID 2108, child of PID 848)
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses

  C:\IntelprocJX\devoptiec.exe  (PID 3052, child of PID 848)
    command line: C:\IntelprocJX\devoptiec.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
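The persistence artifacts in this report (the Startup-folder drop, the two Run/RunOnce values and the WriteProcessMemory rows) can be cross-checked against the process tree mechanically, which is how you spot a registered target that the sandbox never ran. The script below is an added example, not code from the report or from Triage: its input rows are constructed by copying the entries printed above, the row regex is written for the text form shown on this page, and the "directory directly under the drive root" heuristic is the example's own assumption rather than a Triage signature.

```python
"""Correlate persistence IoCs with the process tree of a sandbox report.

Added example, not code from the Triage report or from Triage itself. The
rows below are constructed by copying the signature and process entries
shown in the report; the row format the parser accepts is the text form
printed on the page, nothing more.
"""
import re
from collections import defaultdict

# Constructed from "Adds Run key to start application" (Triage prints the
# registry string data with doubled backslashes).
RUN_KEY_ROWS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocJX\\devoptiec.exe"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB80\\optiaec.exe"',
]
# Constructed from "Drops startup file".
STARTUP_DROPS = [
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe",
]
# Constructed from "Suspicious use of WriteProcessMemory": (writer pid, target pid).
# Triage logs one row per write, so the same pair repeats.
WPM_ROWS = [(848, 2108)] * 4 + [(848, 3052)] * 4
# Constructed from the Processes section: pid -> image path.
PROCESSES = {
    848: r"C:\Users\Admin\AppData\Local\Temp\8bb451ebc7994a0acc544264b10ec2e5d34d0d8e9a7cfe4441ac86f5c7a3ca24.exe",
    2108: r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe",
    3052: r"C:\IntelprocJX\devoptiec.exe",
}

RUN_ROW_RE = re.compile(
    r'^Set value \(str\) (?P<key>\\REGISTRY\\\S+?)\\(?P<name>[^\\]+) = "(?P<data>.*)"$'
)
# Heuristic (this example's assumption): "C:\Something\file.exe", an executable in
# a directory directly under the drive root, which installed software rarely uses.
DRIVE_ROOT_DIR_RE = re.compile(r"[A-Za-z]:\\[^\\]+\\[^\\]+")


def parse_run_rows(rows):
    """Return [(registry key, value name, target path)] with the doubled backslashes undone."""
    parsed = []
    for row in rows:
        m = RUN_ROW_RE.match(row)
        if not m:
            raise ValueError(f"unrecognised row: {row!r}")
        parsed.append((m["key"], m["name"], m["data"].replace("\\\\", "\\")))
    return parsed


def build_tree(wpm_rows):
    """writer pid -> set of target pids, with the repeated write rows collapsed."""
    tree = defaultdict(set)
    for writer, target in wpm_rows:
        tree[writer].add(target)
    return dict(tree)


def correlate(run_rows, startup_drops, wpm_rows, processes):
    """For every persistence target, say whether the sandbox ran it and from where.

    Paths are compared case-insensitively because NTFS is. A target that was
    registered but never executed is the one to keep an eye on: nothing in the
    run tells you what it does.
    """
    tree = build_tree(wpm_rows)
    parent_of = {child: parent for parent, kids in tree.items() for child in kids}
    pid_by_path = {path.lower(): pid for pid, path in processes.items()}

    targets = [("Startup folder", path) for path in startup_drops]
    for key, name, data in parse_run_rows(run_rows):
        targets.append((f"{key.rsplit(chr(92), 1)[-1]} value {name}", data))

    findings = []
    for mechanism, path in targets:
        pid = pid_by_path.get(path.lower())
        findings.append({
            "mechanism": mechanism,
            "target": path,
            "executed": pid is not None,
            "pid": pid,
            "spawned_by": parent_of.get(pid),
            "drive_root_dir": DRIVE_ROOT_DIR_RE.fullmatch(path) is not None,
        })
    return findings


if __name__ == "__main__":
    for f in correlate(RUN_KEY_ROWS, STARTUP_DROPS, WPM_ROWS, PROCESSES):
        state = f"ran as PID {f['pid']} (spawned by {f['spawned_by']})" if f["executed"] else "NOT executed in this run"
        flag = " [dir directly under drive root]" if f["drive_root_dir"] else ""
        print(f"{f['mechanism']:<24} {f['target']}{flag}: {state}")
```

Run as-is it reports three targets: the Startup-folder ecadob.exe and the Run-key devoptiec.exe both executed as children of PID 848, while the RunOnce target C:\KaVB80\optiaec.exe was never executed, which is the gap to cover with a second detonation or static analysis of the dropped files.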
Network
MITRE ATT&CK Enterprise v15
Downloads

-
Filesize: 3.0MB
MD5: 11408d98d5bc350e10c930a712dca487
SHA1: 24ccc86ce4e8947f9af6836633c8cbc4074b9169
SHA256: dee2c107162aeb3c31e8dfaa091c2df7cd040e8a8ae69217cfe3a8c85fd7d2f6
SHA512: c370b463989bbb7060d616ca22993e0ee3bc559951a5bfb2e53351a65902b6bdeb8f05278af1c41daf71580f581d00bfaf270ffb45e71c6f4efbdda3fcf0f44d
-
Filesize: 488KB
MD5: ed1e6880379202a5aa23e4a15fd15220
SHA1: 41117608cf300a587d662d3f1e26a87851ba85e7
SHA256: ea4f67aafb949faf59b90e5cf0da952d3f139c355d8c7e0cf34eeab56ebabbe0
SHA512: ef47e4fcfe0f6d4e6d8d538e88019c389d227c1d44aae3b117993cc4a86e6c792fffc7d26ce335c9a070ea9a1d07541f7033b7b57c109caeb938f57cb9a140f1
-
Filesize: 3.6MB
MD5: b482204117f1b6bf8fb4380a63dfa80d
SHA1: 52067176fddca321ca0f7a6dbc3815a0ce34b850
SHA256: 932778a9bcec0c5c6093149b13e45a3494a73c32efe48bf8a26d7132e7e2da60
SHA512: bd782c61880ce08dc16cd15acc11fffa0747fe6d2ced64154e62eddf5b84d6a7271d2a957f4614e1db86018b0445edd4524def2afe5623b361904d2222863699
-
Filesize: 173B
MD5: c41832f656fb01aa27efb8027a38e684
SHA1: 662a006683f310b197c67ee9a6824a3295670ea2
SHA256: c80c3fcd2c33f525372ff960eeec2fa015f74ab53dd109023dbacd607aedb499
SHA512: 4114a95ba04d87daeff232ddc0ac5b8e7b57ab9d639ec4e78dc853895dcd9e8b6ffeb3df82723e6e0d5421671b970e1567f89c310a262b9c17eb4178fd0b5f55
-
Filesize: 205B
MD5: e32bd40d74bb4d4cc4efe407144a6fef
SHA1: abef85edd1388d3181f57cba83dc240c5476b9e7
SHA256: 45ecc408e93895f62906434cee3929b0939bfc9b1e496fca35e2e52e5478a58f
SHA512: bc2ccf0c54ccaaf0434d7de673769eb44b6420cf87eac8766804ca479e18589c56aab96c64d627a5cd6d719d6f6e7db508848486f618b77a6cb66054833e0a3f
-
Filesize: 3.6MB
MD5: cd4f8b1fd8b23bf721b99defa775ae27
SHA1: 250f831648a6d5ca97071ab3bc7ab938b544e7d4
SHA256: 5a4974d093ef16edbd0563fb95079e3298ffcd176405dc4fd1f869001e60b93a
SHA512: e18d37527aaf334a922eb2ae29f1662ac32053ca1220d69f8a5a36989f93dd06bdce22b40c43e1a455a3a0abdf3c214a2eeee70bb1569c3e409f28a37b1c0bb3
-
Filesize: 3.6MB
MD5: 355092df435a2979844b5bfd470fc9b4
SHA1: 59300262a734c8f6746ba6765afc7b5b02f23510
SHA256: ecc99dc8ffad2e76ebe42457e681ea1c24ba3695e6d6fade1c11b0e14ef0f530
SHA512: 052a7d53113a586e9825c9349b9c6c78662eea25c3c42497f6f3f0f9ecbe6e194c1fc2d9aa151ad0f78fc9e102dc3a1ada26520c1c369e50b0eb1f7d2f843ea8

Three of the seven files have the same reported size as the submitted sample (3.6MB) but different MD5/SHA1/SHA256/SHA512 values from the sample and from each other, so they are not byte-identical copies of it. The report does not say which download corresponds to ecadob.exe, devoptiec.exe or the RunOnce target optiaec.exe; match them by hashing the files you pull from the sandbox.
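When this kind of report is scraped for IoC ingestion, the hash labels and values often arrive fused ("MD5<hex>") and the sizes are rounded, and a truncated hash silently poisons a blocklist. The parser below is an added example, not code from Triage: it accepts the text form this page shows, converts the rounded size to bytes, and rejects a hash whose hex length is wrong for its algorithm. SAMPLE_TEXT is constructed from two entries copied from the report above plus a third, deliberately damaged one.

```python
"""Parse the 'Downloads' block of a Triage report into checked records.

Added example, not code from Triage. It accepts the text form seen on this
page, where the hash label and hex value may be fused ("MD5<hex>"), as well
as the spaced form, converts the rounded size ("488KB") to bytes, and flags a
hash whose length is wrong for its algorithm, which is what a copy-paste
truncation looks like. SAMPLE_TEXT is constructed: two entries copied from
the report plus a third, deliberately damaged one.
"""
import re

HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
UNIT = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}

SAMPLE_TEXT = """\
-
Filesize
488KB
MD5ed1e6880379202a5aa23e4a15fd15220
SHA141117608cf300a587d662d3f1e26a87851ba85e7
SHA256ea4f67aafb949faf59b90e5cf0da952d3f139c355d8c7e0cf34eeab56ebabbe0
SHA512ef47e4fcfe0f6d4e6d8d538e88019c389d227c1d44aae3b117993cc4a86e6c792fffc7d26ce335c9a070ea9a1d07541f7033b7b57c109caeb938f57cb9a140f1
-
Filesize
173B
MD5 c41832f656fb01aa27efb8027a38e684
SHA1 662a006683f310b197c67ee9a6824a3295670ea2
SHA256 c80c3fcd2c33f525372ff960eeec2fa015f74ab53dd109023dbacd607aedb499
SHA512 4114a95ba04d87daeff232ddc0ac5b8e7b57ab9d639ec4e78dc853895dcd9e8b6ffeb3df82723e6e0d5421671b970e1567f89c310a262b9c17eb4178fd0b5f55
-
Filesize
1.5KB
MD500112233445566778899aabbccddeeff
SHA10123456789abcdef0123456789abcdef01234567
SHA2560123456789abcdef0123456789abcdef0123456789abcdef0123456789ab
"""

# One entry per "-" separator line.
ENTRY_RE = re.compile(r"^-\s*$", re.M)
# "Filesize" on one line, "<number><unit>" on the next.
SIZE_RE = re.compile(r"^Filesize\s*\n\s*(\d+(?:\.\d+)?)\s*(B|KB|MB|GB)\s*$", re.M)
# Longest label first so "SHA1" cannot swallow the start of "SHA512"/"SHA256".
HASH_RE = re.compile(r"^(SHA512|SHA256|SHA1|MD5)[ \t]*([0-9A-Fa-f]*)[ \t]*$", re.M)


def size_to_bytes(number, unit):
    """'3.6', 'MB' -> 3774874. Rounded sizes only; exact sizes come from the file."""
    return int(round(float(number) * UNIT[unit]))


def parse_downloads(text):
    """Return one dict per entry: size_bytes, hashes (lower-case hex) and problems."""
    records = []
    for chunk in ENTRY_RE.split(text):
        if "Filesize" not in chunk:
            continue
        rec = {"size_bytes": None, "hashes": {}, "problems": []}
        size = SIZE_RE.search(chunk)
        if size:
            rec["size_bytes"] = size_to_bytes(size.group(1), size.group(2))
        else:
            rec["problems"].append("size missing")
        for label, hexval in HASH_RE.findall(chunk):
            rec["hashes"][label] = hexval.lower()
            if len(hexval) != HEX_LEN[label]:
                rec["problems"].append(
                    f"{label} has {len(hexval)} hex chars, expected {HEX_LEN[label]}"
                )
        for label in HEX_LEN:
            if label not in rec["hashes"]:
                rec["problems"].append(f"{label} missing")
        records.append(rec)
    return records


def index_by_sha256(records):
    """sha256 -> record, for pivoting from a local file hash or another report."""
    return {r["hashes"]["SHA256"]: r for r in records if "SHA256" in r["hashes"]}


if __name__ == "__main__":
    for n, rec in enumerate(parse_downloads(SAMPLE_TEXT), 1):
        status = "ok" if not rec["problems"] else "; ".join(rec["problems"])
        print(f"entry {n}: {rec['size_bytes']} bytes, {len(rec['hashes'])} hashes, {status}")
```

Only records with an empty problems list should be forwarded to a blocklist or a hunt; the damaged third entry is reported with its short SHA256 and its missing SHA512 rather than being dropped silently.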