Analysis

  • max time kernel
    150s
  • max time network
    51s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15/06/2024, 00:37

General

  • Target

    a8a668fdbbc6b39471d3aa983d009708847b09ebf1fd2b767696a8c2cdb49c7c.exe

  • Size

    3.6MB

  • MD5

    2ca12f725a468868769d47d28290f996

  • SHA1

    f1eee4694d69a8dcd83a02da7f1bc192e5fa1a31

  • SHA256

    a8a668fdbbc6b39471d3aa983d009708847b09ebf1fd2b767696a8c2cdb49c7c

  • SHA512

    24f6966419e1121c0ff62dece6af0700d126d8634a1084872cf2cda5890bdd3cc0d6f8f47129901218e3b2ba64eb9dba7644c5488e769ca410d9f6ed5a2a1362

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBPB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpEbVz8eLFcz

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a8a668fdbbc6b39471d3aa983d009708847b09ebf1fd2b767696a8c2cdb49c7c.exe
    "C:\Users\Admin\AppData\Local\Temp\a8a668fdbbc6b39471d3aa983d009708847b09ebf1fd2b767696a8c2cdb49c7c.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1856
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:4692
    • C:\SysDrvY8\devoptiec.exe
      C:\SysDrvY8\devoptiec.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:4360

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\MintGL\optiasys.exe

    Filesize

    3.6MB

    MD5

    b27e7551a0ddd80cee9525583ac48c75

    SHA1

    fe134ac71db1a25fb488fe2accc192e16f3e580d

    SHA256

    e626c13f43e2d7fc55f023b0b62502092f99568aac8f2313038c3bb31747c0fa

    SHA512

    b1cf6509295c9e6a908bd9139ee03de8d22b8154f1f592f5e530f9043369876cd550d23e8bd9b81bcb91347981af87a613c196daf3f3247c2038a0016e1d3d22

  • C:\MintGL\optiasys.exe

    Filesize

    3.6MB

    MD5

    c858d346f37094a50af708874aaebae1

    SHA1

    9fb72a8fd3631463a64bf3e17054545495462c50

    SHA256

    04529788bdd37dd26042382b92533b4f212eec096ede92c8d031e56bb06bf806

    SHA512

    9463cd11ea4cadff22188a2f34006113e024b4c7935778d29ff895721e8caa98285f8255f2eaebb8ae971f9430b42a0ee57e1fe23b84f282e5098a1ee3c152c3

  • C:\SysDrvY8\devoptiec.exe

    Filesize

    3.6MB

    MD5

    48eb2c8e431637acdb35a056e4b0165d

    SHA1

    2610e627e7ee1188509d3f27f37d93d79c9865f1

    SHA256

    37de3da79db5608e8261ecf6cb77e1b8a25740fcf28a3b4dd71b562615c08b46

    SHA512

    052a49738c7982c315f23ec90c59eeb1058e180eb9a34404af9ce43d070dc56f576eda82086add1163d1a7c9f4b40a943c2c50467e9df5578e079b39449b3d68

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    204B

    MD5

    4fc31d1fc98acc95d7e91eb4b713062c

    SHA1

    50b3adc487c550deb34b95898a22c6e4ca262251

    SHA256

    bf6a8642ae0e0189dfa44684f333c187b88cdfa7cbf0102c2b64428c38148fcd

    SHA512

    0f270a2b2898f928c8b73c284cf9447d76054fef3f193eed29c4f60ac2a2d57c5ff98fc83b3fcd66b28b9b5f845c9038a34f31b0edfdb445e630d59b4396e0a5

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    172B

    MD5

    b1487b3cb2b821ebd6eb8293872e5b0a

    SHA1

    f94191bd94413342757040c732cf60278b3e30b7

    SHA256

    77b2e3e80a7f3efaab26aa98a9443145e27409580252a5d2c239c3d93167dc10

    SHA512

    d8865935dee38b913aa7d6eed22cf31afbf115b0d1684ad25fd88fb0101e2f34a034a9e3818bc77fd5d1988c0700a9c5ce09557ab0382d033654105d4c8f2445

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe

    Filesize

    3.6MB

    MD5

    4296fcb99f03a7322368a3b1753aa9e9

    SHA1

    93fdec724d2a57a3ed38a1cea76bc11349a8e5ae

    SHA256

    aeb348ad2c066b59e9606cb711a5856226043eead36126a7bd86a1a0e8a1cf92

    SHA512

    a376fefee9551cabdd321e14bc0e3c10198be5173c6e1d329aa22ddd54fa1c24b3813afa27da0bd6b6ecee04d673a5e8b65a1e7c2882d7dda888d150aea04fc6