Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel: 148s
  • max time network: 122s
  • platform: windows7_x64
  • resource: win7-20240508-en
  • resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted: 03/06/2024, 00:38

General

  • Target: 8bb451ebc7994a0acc544264b10ec2e5d34d0d8e9a7cfe4441ac86f5c7a3ca24.exe
  • Size: 3.6MB
  • MD5: 1b465683b99a9a059afa5892b0e58220
  • SHA1: 6df1d43c168027e0a22feca76427aa49028f8a9e
  • SHA256: 8bb451ebc7994a0acc544264b10ec2e5d34d0d8e9a7cfe4441ac86f5c7a3ca24
  • SHA512: a1f197898b45681e2729f13d3a936e771765c14a5e1cfc7c5817136d9be0fc6eeeea3270526bde74523e838303c83cfed1751bcfdd770859343671901f6899f6
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBRB/bSqz8:sxX7QnxrloE5dpUpmbVz8

Malware Config

Signatures

  • Drops startup file (1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (2 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers commonly read stored browser data, which can include saved credentials and other sensitive account data.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\8bb451ebc7994a0acc544264b10ec2e5d34d0d8e9a7cfe4441ac86f5c7a3ca24.exe (PID 848)
    Command line: "C:\Users\Admin\AppData\Local\Temp\8bb451ebc7994a0acc544264b10ec2e5d34d0d8e9a7cfe4441ac86f5c7a3ca24.exe"
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe (PID 2108, child of PID 848)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
    • C:\IntelprocJX\devoptiec.exe (PID 3052, child of PID 848)
      Command line: C:\IntelprocJX\devoptiec.exe
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\IntelprocJX\devoptiec.exe
    Filesize: 3.0MB
    MD5: 11408d98d5bc350e10c930a712dca487
    SHA1: 24ccc86ce4e8947f9af6836633c8cbc4074b9169
    SHA256: dee2c107162aeb3c31e8dfaa091c2df7cd040e8a8ae69217cfe3a8c85fd7d2f6
    SHA512: c370b463989bbb7060d616ca22993e0ee3bc559951a5bfb2e53351a65902b6bdeb8f05278af1c41daf71580f581d00bfaf270ffb45e71c6f4efbdda3fcf0f44d

  • C:\KaVB80\optiaec.exe
    Filesize: 488KB
    MD5: ed1e6880379202a5aa23e4a15fd15220
    SHA1: 41117608cf300a587d662d3f1e26a87851ba85e7
    SHA256: ea4f67aafb949faf59b90e5cf0da952d3f139c355d8c7e0cf34eeab56ebabbe0
    SHA512: ef47e4fcfe0f6d4e6d8d538e88019c389d227c1d44aae3b117993cc4a86e6c792fffc7d26ce335c9a070ea9a1d07541f7033b7b57c109caeb938f57cb9a140f1

  • C:\KaVB80\optiaec.exe
    Filesize: 3.6MB
    MD5: b482204117f1b6bf8fb4380a63dfa80d
    SHA1: 52067176fddca321ca0f7a6dbc3815a0ce34b850
    SHA256: 932778a9bcec0c5c6093149b13e45a3494a73c32efe48bf8a26d7132e7e2da60
    SHA512: bd782c61880ce08dc16cd15acc11fffa0747fe6d2ced64154e62eddf5b84d6a7271d2a957f4614e1db86018b0445edd4524def2afe5623b361904d2222863699

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 173B
    MD5: c41832f656fb01aa27efb8027a38e684
    SHA1: 662a006683f310b197c67ee9a6824a3295670ea2
    SHA256: c80c3fcd2c33f525372ff960eeec2fa015f74ab53dd109023dbacd607aedb499
    SHA512: 4114a95ba04d87daeff232ddc0ac5b8e7b57ab9d639ec4e78dc853895dcd9e8b6ffeb3df82723e6e0d5421671b970e1567f89c310a262b9c17eb4178fd0b5f55

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 205B
    MD5: e32bd40d74bb4d4cc4efe407144a6fef
    SHA1: abef85edd1388d3181f57cba83dc240c5476b9e7
    SHA256: 45ecc408e93895f62906434cee3929b0939bfc9b1e496fca35e2e52e5478a58f
    SHA512: bc2ccf0c54ccaaf0434d7de673769eb44b6420cf87eac8766804ca479e18589c56aab96c64d627a5cd6d719d6f6e7db508848486f618b77a6cb66054833e0a3f

  • \IntelprocJX\devoptiec.exe
    Filesize: 3.6MB
    MD5: cd4f8b1fd8b23bf721b99defa775ae27
    SHA1: 250f831648a6d5ca97071ab3bc7ab938b544e7d4
    SHA256: 5a4974d093ef16edbd0563fb95079e3298ffcd176405dc4fd1f869001e60b93a
    SHA512: e18d37527aaf334a922eb2ae29f1662ac32053ca1220d69f8a5a36989f93dd06bdce22b40c43e1a455a3a0abdf3c214a2eeee70bb1569c3e409f28a37b1c0bb3

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
    Filesize: 3.6MB
    MD5: 355092df435a2979844b5bfd470fc9b4
    SHA1: 59300262a734c8f6746ba6765afc7b5b02f23510
    SHA256: ecc99dc8ffad2e76ebe42457e681ea1c24ba3695e6d6fade1c11b0e14ef0f530
    SHA512: 052a7d53113a586e9825c9349b9c6c78662eea25c3c42497f6f3f0f9ecbe6e194c1fc2d9aa151ad0f78fc9e102dc3a1ada26520c1c369e50b0eb1f7d2f843ea8
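The dropped-file list above gives a hash for everything the sample wrote, and the same path appears more than once with different contents (C:\KaVB80\optiaec.exe at 488KB and again at 3.6MB; devoptiec.exe listed with and without a drive letter). The Python below is an added example, not code from tria.ge or from the report, that turns those entries into an offline matcher for a triage collection or a mounted image: a file is a hit when its SHA256 is in the list, and a "path-only" hit when it sits at one of the known drop locations but hashes differently (a repacked build, for instance). The path normalisation, the wildcarded profile name, the exclusion of the host-specific .ini files and the `demo()` fixture are this example's own choices (assumptions); the directory layout and file contents `demo()` creates are constructed.

```python
"""Match files on a mounted image or triage collection against the report's dropped-file hashes."""
import hashlib
import os
import tempfile
from collections import defaultdict
from pathlib import PureWindowsPath

# (path, sha256) pairs transcribed from the report's Downloads section. The same
# path is kept once per hash because each write had different content. The
# 253086396416_6.1_Admin.ini entries are left out: their name looks host-specific
# (assumption), so a name pattern is a better indicator than a content hash.
REPORT_IOCS = [
    (r"C:\IntelprocJX\devoptiec.exe", "dee2c107162aeb3c31e8dfaa091c2df7cd040e8a8ae69217cfe3a8c85fd7d2f6"),
    (r"C:\KaVB80\optiaec.exe", "ea4f67aafb949faf59b90e5cf0da952d3f139c355d8c7e0cf34eeab56ebabbe0"),
    (r"C:\KaVB80\optiaec.exe", "932778a9bcec0c5c6093149b13e45a3494a73c32efe48bf8a26d7132e7e2da60"),
    (r"\IntelprocJX\devoptiec.exe", "5a4974d093ef16edbd0563fb95079e3298ffcd176405dc4fd1f869001e60b93a"),
    (r"\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe",
     "ecc99dc8ffad2e76ebe42457e681ea1c24ba3695e6d6fade1c11b0e14ef0f530"),
]


def normalize(win_path: str) -> str:
    """Lower-case, drive-less form with the profile name wildcarded, so the report's
    C:\\Users\\Admin\\... equals a live host's C:\\Users\\bob\\..., and entries listed
    with and without a drive letter compare equal (example's own convention)."""
    parts = [p.lower() for p in PureWindowsPath(win_path).parts]
    if parts and (parts[0] == "\\" or parts[0].endswith(":\\")):
        parts = parts[1:]
    if len(parts) > 2 and parts[0] == "users":
        parts[1] = "*"
    return "\\".join(parts)


def hash_file(path: str, chunk: int = 1 << 20) -> dict:
    """All four digests the report publishes, computed in one pass over the file."""
    hashes = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256", "sha512")}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashes.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashes.items()}


def build_index(iocs):
    by_hash, by_path = {}, defaultdict(set)
    for path, sha256 in iocs:
        key = normalize(path)
        by_hash[sha256.lower()] = key
        by_path[key].add(sha256.lower())
    return by_hash, by_path


def scan(root: str, iocs=REPORT_IOCS):
    """Walk `root` (the image's C:\\ mounted or copied to a directory) and return
    sorted (kind, normalized_path, sha256) hits; kind is "hash" or "path-only"."""
    by_hash, by_path = build_index(iocs)
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "\\")
            key = normalize("\\" + rel)
            digest = hash_file(full)["sha256"]
            if digest in by_hash:
                hits.append(("hash", key, digest))
            elif key in by_path:
                hits.append(("path-only", key, digest))
    return sorted(hits)


def demo():
    """Constructed run: a fake image tree plus one constructed IoC whose hash we can
    reproduce, since the report's real binaries are not available offline."""
    planted = b"constructed stand-in for a dropped executable\n"
    iocs = REPORT_IOCS + [(r"C:\KaVB80\optiaec.exe", hashlib.sha256(planted).hexdigest())]
    layout = {  # constructed sample files, not from the report
        r"KaVB80\optiaec.exe": planted,                                     # hash hit
        r"IntelprocJX\devoptiec.exe": b"different bytes\n",                  # known path, unknown hash
        r"Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe": b"x",
        r"Windows\notepad.exe": b"benign\n",                                 # no hit
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in layout.items():
            full = os.path.join(root, *rel.split("\\"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        return [(kind, key) for kind, key, _ in scan(root, iocs)]


if __name__ == "__main__":
    for hit in demo():
        print(*hit)
```

Run `scan("/mnt/image")` against a mounted volume; `demo()` only shows the two kinds of hit on constructed files. The path-only class exists because the report itself shows one drop location receiving two different payloads, so a hash miss at C:\KaVB80\ or C:\IntelprocJX\ is still worth a look.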