Analysis
max time kernel: 150s
max time network: 122s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 01/07/2024, 21:23
Static task: static1
Behavioral task: behavioral1
  Sample: 4a39cf379169f48f6ac414f11ab18089ba2b3b725ca67415e1a9e5bd255c431f.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 4a39cf379169f48f6ac414f11ab18089ba2b3b725ca67415e1a9e5bd255c431f.exe
  Resource: win10v2004-20240611-en
General
Target: 4a39cf379169f48f6ac414f11ab18089ba2b3b725ca67415e1a9e5bd255c431f.exe
Size: 3.2MB
MD5: 2ae47c0254e12328439773266291591f
SHA1: 875bcb35f471b563d29c20c158382976db45c612
SHA256: 4a39cf379169f48f6ac414f11ab18089ba2b3b725ca67415e1a9e5bd255c431f
SHA512: 1c10705fec833da091e29127da74eae64c32fd5db4e69506d106945e52f06799b6e9aeccfe2de8fc9d799a0d81ed83cd36997f82722da227d44137bd591f98ba
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB4B/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpzbVz8eLFcz
Malware Config
Signatures
Drops startup file (1 IoC)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe | 4a39cf379169f48f6ac414f11ab18089ba2b3b725ca67415e1a9e5bd255c431f.exe

Executes dropped EXE (2 IoCs)
  pid | Process
  2792 | locaopti.exe
  2612 | aoptiloc.exe

Loads dropped DLL (2 IoCs)
  pid | Process
  2980 | 4a39cf379169f48f6ac414f11ab18089ba2b3b725ca67415e1a9e5bd255c431f.exe
  2980 | 4a39cf379169f48f6ac414f11ab18089ba2b3b725ca67415e1a9e5bd255c431f.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesRU\\aoptiloc.exe" | 4a39cf379169f48f6ac414f11ab18089ba2b3b725ca67415e1a9e5bd255c431f.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidCF\\boddevsys.exe" | 4a39cf379169f48f6ac414f11ab18089ba2b3b725ca67415e1a9e5bd255c431f.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid Process 2980 4a39cf379169f48f6ac414f11ab18089ba2b3b725ca67415e1a9e5bd255c431f.exe 2980 4a39cf379169f48f6ac414f11ab18089ba2b3b725ca67415e1a9e5bd255c431f.exe 2792 locaopti.exe 2612 aoptiloc.exe 2792 locaopti.exe 2612 aoptiloc.exe 2792 locaopti.exe 2612 aoptiloc.exe 2792 locaopti.exe 2612 aoptiloc.exe 2792 locaopti.exe 2612 aoptiloc.exe 2792 locaopti.exe 2612 aoptiloc.exe 2792 locaopti.exe 2612 aoptiloc.exe 2792 locaopti.exe 2612 aoptiloc.exe 2792 locaopti.exe 2612 aoptiloc.exe 2792 locaopti.exe 2612 aoptiloc.exe 2792 locaopti.exe 2612 aoptiloc.exe 2792 locaopti.exe 2612 aoptiloc.exe 2792 locaopti.exe 2612 aoptiloc.exe 2792 locaopti.exe 2612 aoptiloc.exe 2792 locaopti.exe 2612 aoptiloc.exe 2792 locaopti.exe 2612 aoptiloc.exe 2792 locaopti.exe 2612 aoptiloc.exe 2792 locaopti.exe 2612 aoptiloc.exe 2792 locaopti.exe 2612 aoptiloc.exe 2792 locaopti.exe 2612 aoptiloc.exe 2792 locaopti.exe 2612 aoptiloc.exe 2792 locaopti.exe 2612 aoptiloc.exe 2792 locaopti.exe 2612 aoptiloc.exe 2792 locaopti.exe 2612 aoptiloc.exe 2792 locaopti.exe 2612 aoptiloc.exe 2792 locaopti.exe 2612 aoptiloc.exe 2792 locaopti.exe 2612 aoptiloc.exe 2792 locaopti.exe 2612 aoptiloc.exe 2792 locaopti.exe 2612 aoptiloc.exe 2792 locaopti.exe 2612 aoptiloc.exe 2792 locaopti.exe 2612 aoptiloc.exe -
Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 2980 wrote to memory of 2792 | 2980 | 4a39cf379169f48f6ac414f11ab18089ba2b3b725ca67415e1a9e5bd255c431f.exe | 28
  PID 2980 wrote to memory of 2792 | 2980 | 4a39cf379169f48f6ac414f11ab18089ba2b3b725ca67415e1a9e5bd255c431f.exe | 28
  PID 2980 wrote to memory of 2792 | 2980 | 4a39cf379169f48f6ac414f11ab18089ba2b3b725ca67415e1a9e5bd255c431f.exe | 28
  PID 2980 wrote to memory of 2792 | 2980 | 4a39cf379169f48f6ac414f11ab18089ba2b3b725ca67415e1a9e5bd255c431f.exe | 28
  PID 2980 wrote to memory of 2612 | 2980 | 4a39cf379169f48f6ac414f11ab18089ba2b3b725ca67415e1a9e5bd255c431f.exe | 29
  PID 2980 wrote to memory of 2612 | 2980 | 4a39cf379169f48f6ac414f11ab18089ba2b3b725ca67415e1a9e5bd255c431f.exe | 29
  PID 2980 wrote to memory of 2612 | 2980 | 4a39cf379169f48f6ac414f11ab18089ba2b3b725ca67415e1a9e5bd255c431f.exe | 29
  PID 2980 wrote to memory of 2612 | 2980 | 4a39cf379169f48f6ac414f11ab18089ba2b3b725ca67415e1a9e5bd255c431f.exe | 29
Processes
C:\Users\Admin\AppData\Local\Temp\4a39cf379169f48f6ac414f11ab18089ba2b3b725ca67415e1a9e5bd255c431f.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4a39cf379169f48f6ac414f11ab18089ba2b3b725ca67415e1a9e5bd255c431f.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2980

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID: 2792

  C:\FilesRU\aoptiloc.exe (level 2)
    Command line: C:\FilesRU\aoptiloc.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID: 2612
Network
MITRE ATT&CK Enterprise v15
Downloads