Analysis

  • max time kernel
    150s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    03/06/2024, 21:16

General

  • Target

    4c9cdd61249483c4ef050c43a664fdfe8322cf82b07b914b94c9002e2979cd94.exe

  • Size

    4.1MB

  • MD5

    88ff053add827f525cb99740b26cc056

  • SHA1

    da9f98795713cb42c7ff68b112de863cd9e3b6f4

  • SHA256

    4c9cdd61249483c4ef050c43a664fdfe8322cf82b07b914b94c9002e2979cd94

  • SHA512

    bff162de8ca248b3ced9c0387ff31fd71a1328d7bae74ab2d1248d8269f224822058e4cfa96898b79848df04306e0661ff1436e5a91af142d291c12c90e50e29

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB8B/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpDbVz8eLFcz

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4c9cdd61249483c4ef050c43a664fdfe8322cf82b07b914b94c9002e2979cd94.exe
    "C:\Users\Admin\AppData\Local\Temp\4c9cdd61249483c4ef050c43a664fdfe8322cf82b07b914b94c9002e2979cd94.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2180
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2652
    • C:\AdobeW7\xoptiloc.exe
      C:\AdobeW7\xoptiloc.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:1620

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\AdobeW7\xoptiloc.exe

    Filesize

    29KB

    MD5

    c2b58e7bd0d9d36929797d78aa1d3e51

    SHA1

    8fc011635fc3980b8429b2956954a84ef4f62f48

    SHA256

    d5277dd43fac6b920dc73e189c8ce3c2b5d25215f887f88a07155db345eeb18c

    SHA512

    78c62f3f40b38eb2f380b786661968a0da8840a04924336873b4f4aceba9dd3bd8652ebb78ce9ba2b6128880c6d2ac12c784def607e382a7ede8e458ed4932e0

  • C:\LabZTI\dobxsys.exe

    Filesize

    15KB

    MD5

    62f17a18e2665228331086e6e938bfcc

    SHA1

    8e2aada25ef3eee33045d7c08ce27d04adfb7da4

    SHA256

    1f30a15b454a01e1f02a566860b6dea8fe2debfee04aa9dcd02eff1b374b5385

    SHA512

    0cde9444b74a958f01e657a2f49550b28dac6697a6d01cdde84a080468781943e73e4ca36b1efb6ce7bebd85c014c8ebf526f60943adf83ef100be6249c3a5f3

  • C:\LabZTI\dobxsys.exe

    Filesize

    4.1MB

    MD5

    0b5e47d160f4f8c442525bc38ad08cb9

    SHA1

    5e3f4e2b766f79e04a3833af4e3eeeecd153ea8d

    SHA256

    434719fe6980220acebba5aef601d7957e0b27fe776495a41e72936b96d564c3

    SHA512

    ccf004324feaaba5d4c84cf96298100275a32113fe0fce7851a1d106af75d3404913f67cea5d95b6cedf15bac11e7b81504e98d2182b46ed28c7753f4edbec4b

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    168B

    MD5

    e55b80a88e77e986deaafdf6c98ed3ac

    SHA1

    7c0fe97a70c38ad2c28d0560e215dd230f58bcfd

    SHA256

    210b40035526568956d862ccf7a98eeb84dad6ac307440bb3c0115a5295a091b

    SHA512

    332ec6c6042068ac3b0e526154251fea941bcf13046fa8624b3ac5d19078c4c4a8a7bc73756868403b56c1beb2a875d1f47715c590afc4abd661d0da7d25f7ea

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    200B

    MD5

    e58834da36b77dfbd101410e98f10572

    SHA1

    64468ad2e7b02ca0c30acbed5b1490e0a00d2829

    SHA256

    79b33e1ede8245b0f97dcba01af1a91f89267badc171e3032d9b284b7f7a0eec

    SHA512

    529f6dd864a9d5b2bd5bfd2403e41b2165ceaf97dadb32ea8b93b05824d34a69715f7878ad60b7eb5088452548af67672ffb541cb8373ae43b133aef7373fc2d

  • \AdobeW7\xoptiloc.exe

    Filesize

    4.1MB

    MD5

    0f9398f6279e19a0db1b90a470abc98e

    SHA1

    ac2709c85992c339e43bde9f4dec6f0315e8d8d3

    SHA256

    7efc0ec6f369ebdcb46be998e0207d3475e539298c07dd50b42928790c188908

    SHA512

    6d8fad7f8c94adf8d92ca47b0be0c3547204894c25e43739fcb8551feaddf1cfd5e0d95774299579568e0bb67e1f641ecb5413b8ed91ae884b6bebe99d98dec4

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe

    Filesize

    4.1MB

    MD5

    408df2326490f484b2c8e7fad73dcbc4

    SHA1

    4821dbf490a019006efede9c1f5277ff7c863ba1

    SHA256

    84c982b2f3c5e69771ce5bdfdbf99a89cf4c5e664525adba737dba99d4d15c92

    SHA512

    aa6c38b8e7899b3e6dbf62f95ec4467553b9c467a0e4840ff97f6feca0f8dd462c7c5b5d598d89578660a9fe672142aacb4d60e651a402eb3e4ca54752e7b500