Analysis

  • max time kernel
    149s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    10/07/2024, 19:56

General

  • Target

    1f1695014bb1d0dd1f9f231452f0a1113fc632af1126e41861e5c5b417f8a16c.exe

  • Size

    3.1MB

  • MD5

    0bd66a4871db12318da46f98b6124747

  • SHA1

    a10871344d62ed3daad4cd38b6b2d82400bb8887

  • SHA256

    1f1695014bb1d0dd1f9f231452f0a1113fc632af1126e41861e5c5b417f8a16c

  • SHA512

    0fd97884ae4ab6c794ea0dd127eb53f0ed64ece1a2b861e088f047b34798b517c3f68029b13a628bbc98b8d5eda8ef43e65eae028f5e7421c7474af48f35aecf

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB8B/bSqz8b6LNXJqI:sxX7QnxrloE5dpUpnbVz8eLFc

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and other sensitive data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1f1695014bb1d0dd1f9f231452f0a1113fc632af1126e41861e5c5b417f8a16c.exe
    "C:\Users\Admin\AppData\Local\Temp\1f1695014bb1d0dd1f9f231452f0a1113fc632af1126e41861e5c5b417f8a16c.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1172
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2336
    • C:\SysDrvJD\xoptiec.exe
      C:\SysDrvJD\xoptiec.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2452

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\MintLY\dobxsys.exe

    Filesize

    3.1MB

    MD5

    88461f2327f6bfe7ff51186b7831ffb2

    SHA1

    e3af1a06ba8c7c8b12d63a6266e77811cd946ce5

    SHA256

    1c9aac096348b87c2398104494e285e837a92783b93ec3f2ba23ad0daf88adc9

    SHA512

    e6c0aeb8b5122132c03631019a15071885186d6abe921fcf470403e5a6a5c85026d2625a165a18dff461a5e563730f14b434d5ea8442abab2fecb11bbed161c0

  • C:\MintLY\dobxsys.exe

    Filesize

    3.1MB

    MD5

    1fb659aae930290261d484ee214e6059

    SHA1

    85d6f4643e0d427b0a76ddb75d362d3cb1da06f0

    SHA256

    cad661142d56e3271a7235762153dd3e64888404e75086952ffd4512859ce12c

    SHA512

    147f537f5e06b294d868762240efbe7efb13dc031d2c0da7bf775386be29e5bcd8b09bca5c27a9a4c813661d8d412dc6f347fe2544dfa252f393ffba23a856e2

  • C:\SysDrvJD\xoptiec.exe

    Filesize

    3.1MB

    MD5

    3410e07f0afad99558bf233d01bb0f1f

    SHA1

    f3c2cd50e5794c0eb6b6ffe97bdded2fe653b9ca

    SHA256

    7c5cd29b7af80b26576828db6ec29553b1b13601774bb223021dc76bb5d29fb8

    SHA512

    67333b455ac9965e680349d06d96f7bb1ddde7ce897e108eaeebe746c751e06c09777bda89a055a18a9990ef8a46a5ef40652e2468018aca834046f371923e26

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    168B

    MD5

    df0eb024129868b062e2b3e7571cb3ea

    SHA1

    49d44baafecefa5f6306954c9cd5264915234ff2

    SHA256

    9990024f0e5921c3d670daab352ecab61f423a7ec068e0cc20025cb6773ebd3e

    SHA512

    28588b47301ae6506356c6cb42e8397553b48fc508a7284fd917475ed87e87bc272cc2376c9519d9e654c62552c456ec6963163b95b9483e6b2429f93e97c6e5

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    200B

    MD5

    b60d9999b94020a8b65a8fe378869981

    SHA1

    d3e92a8c648a4058dd993980fb48ce278f37e11d

    SHA256

    7df1e1b9c5fa860efffb098712e3c28708288ad01440c936d5583d007a8683d7

    SHA512

    a5ae1d44c8a40f19b14a60149657a9fb3d180a436fcdd7b5c7f66457173b20ef7a6a803fb0c56b6c9bd98667300b147199270df1bf1cc21bdee2fa871f5e4d22

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe

    Filesize

    3.1MB

    MD5

    1826518e6c9383da888411411f656b6d

    SHA1

    3585d78c736e6282be7990d4de7d0db47d48172a

    SHA256

    60cfb50dd63c29a930bd405b63991e51e890b7ab0e608c43bd94de78bd1f993a

    SHA512

    7026ab8ffce5fba9920ff20ea3baff6ef1694dc6f090dc52e7deab8f378f44d7d2afa8bdfe9b14053005fe742de3e786514b749e944197212ac936bab2d20864