Analysis

  • max time kernel
    150s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    03/06/2024, 02:55

General

  • Target

    ba79a57ad1d1bcfbd34b0ac68dbbe62d54616da8946012f27f2c88330c0ec3c3.exe

  • Size

    3.6MB

  • MD5

    854495e9b6b427e26813d567c4b1ea53

  • SHA1

    7afaf89691e942a739253144c87629ec8fe58ad2

  • SHA256

    ba79a57ad1d1bcfbd34b0ac68dbbe62d54616da8946012f27f2c88330c0ec3c3

  • SHA512

    1503ea391240b6d369e95f3475e49fdd0c0580b0ca135540a8a82cd64b7c8d20ea6aeaa30234f0d260aa7852b671a83ee57f21bd5cd21e3f39c8c33012f73bd0

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBBB/bSqz8:sxX7QnxrloE5dpUpObVz8

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ba79a57ad1d1bcfbd34b0ac68dbbe62d54616da8946012f27f2c88330c0ec3c3.exe
    "C:\Users\Admin\AppData\Local\Temp\ba79a57ad1d1bcfbd34b0ac68dbbe62d54616da8946012f27f2c88330c0ec3c3.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1900
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2828
    • C:\FilesWX\abodec.exe
      C:\FilesWX\abodec.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:3036

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\FilesWX\abodec.exe

    Filesize

    31KB

    MD5

    6767e44b8f8de6e616ff4b3523b078e9

    SHA1

    c871cc62c3911e5350a063da1333dbe1aede5281

    SHA256

    fb9f9c9a72e0e98d461054f92faed7837baed42691d98807657f573b5375a6cf

    SHA512

    5660382a8368b7e9ffc099dc84a891904199c2feaa7bc7a16b39b7231f5102c04d6703a2b85492b3db7f9c101333e9b3270fe6657fd524d50c26b9d07958c2bc

  • C:\MintG0\optidevsys.exe

    Filesize

    29KB

    MD5

    8dc4d9694c17621720c320e82829dbd9

    SHA1

    a9ac9ea870162fc6dc14d43c98824d48c29ec74c

    SHA256

    73310f0dab90499fcda3b7fc967815f59418fd9a16eb2c5fdae380da74753d78

    SHA512

    bc76ddbcf70495f591f732f5a318f0de053184a7f9a94a2200be2db198ca084994c595437e721fa7d00df285a550501c22df2af8f77fd72840210ccca0fc8b3b

  • C:\MintG0\optidevsys.exe

    Filesize

    3.6MB

    MD5

    2e4303568b44a3c2d4c59f88df6f402f

    SHA1

    4e9508aebebca26c1a8fbfe207f0560deccd1c8d

    SHA256

    32a84729b5bc818f0a878b8ff349533112e116ef6c9ab6fa9e88595457c06314

    SHA512

    61cd1ea5f3a351a4dd6b533a1b37a985609302ada368f757ceff64db40710907a82c8239a0961d870d0d86ad0f52b659bc0b221539a7f36bd3c4bf57c7d60078

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    170B

    MD5

    4423d8985a060cd9bd3b1d4b5766f39d

    SHA1

    4dc16421e1e317cd5b92937047086242ee7cea61

    SHA256

    566c0e565781e13cd044bdfe5e0763f37ede9dad54c155ff3e7920628b10f207

    SHA512

    bdd26d1dba96ed9a46d474b86bea59952d7fe2aa5cd1802c98316ec619dffeb6a0c5455daa06480da0ff06eb310b93f00db54a89797d07786bedd034faed9e05

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    202B

    MD5

    28d1a6f7c1c1f2c063999b16ce2d3f3f

    SHA1

    36be69732768971ca93e898011dc669bdec099b4

    SHA256

    492227cd47d25a382c7faac41d1831a237232f73b10c1605e337ba5f9ded068c

    SHA512

    395b4ce53cf9467543271a9f4152c0db91df356810083c0d070b383a9116058f5f02e5b2c4d643310ae0181add644d80739d9a4fe85f6b145b970bf60083fe93

  • \FilesWX\abodec.exe

    Filesize

    3.6MB

    MD5

    7eb01e86cabe8c4fad0c9b7837f4c9c7

    SHA1

    8814b6255bbe230da9e55471440f8f9600bb7fc7

    SHA256

    69b136d91827aa752c52eff529cfde4816c543da9a4498d8f9f16195b9e7f140

    SHA512

    f048965206824d625ba7b46e0621e353b98348f0a114952116e0a31ba1a8b8b8549aa03a5e56ff5219707213c23a834151c7de94cc1d5a44b6152b2ff47eea26

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe

    Filesize

    3.6MB

    MD5

    84c61c721240e6b04f5e0e72e1779594

    SHA1

    3c36bfae56ad0b31b042c4bd7faa084e62fb8136

    SHA256

    fe2234f248ff659e9bcf7f8057248f95576deaf458b1b20328cd02b6d0bc34b6

    SHA512

    84d70e683f90fb27de4250f2f9a44b7b62423a0c1009763153625787d2ae720baca3f54c60e5365b4470144df045ec747381becf58bc3a9dbfea74c604b83765