Analysis

  • max time kernel
    150s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10/07/2024, 07:30

General

  • Target

    f851365670ab23dc1b3e31fdf0d788e745d50b1a57532960e90adbf77571e127.exe

  • Size

    2.7MB

  • MD5

    aaa9a656f2defb56d259463c4213a9b5

  • SHA1

    3bc3774fb3866f84983d8a19fc642b3433a80a3d

  • SHA256

    f851365670ab23dc1b3e31fdf0d788e745d50b1a57532960e90adbf77571e127

  • SHA512

    4b0d3cf4b0bd7ef72bc77ec85e7fc9921d7004d2de5c686dddd7e6fcda43d605629ad47bb3ec4af35d7ab4ffea488168b817f3d7e898ebbda0e6a4d2b82734f6

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB8B/bSq:sxX7QnxrloE5dpUpLbV

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f851365670ab23dc1b3e31fdf0d788e745d50b1a57532960e90adbf77571e127.exe
    "C:\Users\Admin\AppData\Local\Temp\f851365670ab23dc1b3e31fdf0d788e745d50b1a57532960e90adbf77571e127.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1328
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:1008
    • C:\UserDotYY\aoptiec.exe
      C:\UserDotYY\aoptiec.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:564

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Mint28\dobasys.exe

    Filesize

    665KB

    MD5

    d9be09c22dd60c10a18251e18e510417

    SHA1

    3f3b51be9b29d61674e8a196dfeba59c2ec0f36c

    SHA256

    8cfe96e643ec26a9b5389934a97cf6a3d4d6b7473840c277c5389f568d898475

    SHA512

    aad15da0702407670daeda2fc0d7fa6c43e1e067cdcc4d245726e2726fc5098d32c803698c8b67742e7f8b796ca9f2ed095af80b9aa4ad5f926f1ccdb73cf2e2

  • C:\Mint28\dobasys.exe

    Filesize

    2.7MB

    MD5

    806c8e8ba8eaf25d0612982311ccaab2

    SHA1

    7cf6dbe051986b6f512c07fd9eedb5049d6891f1

    SHA256

    48e5a7c9cc33ca81b29fab6544a51830573bd6c361c43c059458e68be3f6bc00

    SHA512

    d5758d73ddd1a9a997fb650b1e8c193abddb7301f5c6e2cca20bf39c555bb91dfaf00bf1ff6360ba0874d5ddadd0cf5882403853ea5aa7b5a85fd8f021e21d37

  • C:\UserDotYY\aoptiec.exe

    Filesize

    2.7MB

    MD5

    9d08dcc2dc62dad992009d7a8223437a

    SHA1

    a616f37d57e085db4c5b7804131d0357c22f61e3

    SHA256

    62ae2c9d18f12fc326c04b3d50cd2362d6ade5bef86a739308d3791365f008fd

    SHA512

    5d4cfd2f6f5dc7a8bed8b5c7d26e31ae7965c5989d67194f361dbe07b774b3623a6876c9903ca7ac00102469dcf6d90b44302bd7ffceef462da9108bd195a8cc

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    202B

    MD5

    213bd30b98e1d19eee12e00f90f60664

    SHA1

    00bc27ac9bbb627424ecfd1edde0aa3c8e7b500a

    SHA256

    74998167e726c310980238b1ddaf77ff3d9068b5f0b36c2d9b8e28ea181546db

    SHA512

    bbc9200c34b9edad63491c772418c7e9c691cd610e6d4311cfbccefbf6abcc5601c5811413232e6dbfa2dd21006f4700425c2a73b5c75c37043ade091b90d817

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    170B

    MD5

    6998598748fb5a4ea59e36a8c22a6b34

    SHA1

    66fee5287d732af10fab94300ac3f6c32541a677

    SHA256

    f52b5112a6dc303dae553c6a2001e3d2ff8f4d930555252bc3832b88c5874b07

    SHA512

    9382c89b83b696f9189b1f1942593df3206d725e889e059a9c800d434f46e422e1ffbb050876a8ca719ec5b856c9429f83a716c27074074e4b8ad1c046e46cbb

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe

    Filesize

    2.7MB

    MD5

    b2d9a54e937774801882f27b7820b0bc

    SHA1

    1bc7eb68c68c56399615c0049993b30a27cec5d1

    SHA256

    1c9f96d4e39a4bb3ff2f09dd22a8c242f122c418abef4ad4a46c3279d38c9a01

    SHA512

    c10d2c5572086a4761f5e0759e902f3a2ca647a5a8804d250f666e15655bb6422ee18a5726a60f38913f0e64ea4f9ed14427c36f12e34bb0104fa68536319d24