
Analysis

  • max time kernel
    149s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    11/07/2024, 01:40

General

  • Target

    8b8b82a8a74a79bb5d1ee9352df95c7b0e7a67c091e9aaf2247dc33f5fa7e429.exe

  • Size

    2.6MB

  • MD5

    f09dd24e2f5d1fc42f0c9eaaa9cfd8a5

  • SHA1

    694a7b78fbed801f38f93eea5f4b2bfee5dd1ea7

  • SHA256

    8b8b82a8a74a79bb5d1ee9352df95c7b0e7a67c091e9aaf2247dc33f5fa7e429

  • SHA512

    176ddc582535da6c1e968db64d0fea42d643af952862dbe4cd97106bc6eee7d93065ac0bef9e86d69b35f77579e133304a56e813a8edcb675b5c47a9652248a7

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBPB/bS:sxX7QnxrloE5dpUpsb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8b8b82a8a74a79bb5d1ee9352df95c7b0e7a67c091e9aaf2247dc33f5fa7e429.exe
    "C:\Users\Admin\AppData\Local\Temp\8b8b82a8a74a79bb5d1ee9352df95c7b0e7a67c091e9aaf2247dc33f5fa7e429.exe"
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3024
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2308
    • C:\FilesGY\xbodec.exe
      C:\FilesGY\xbodec.exe
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2824

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\FilesGY\xbodec.exe

    Filesize

    2.6MB

    MD5

    1155bedeccbda90d57992b75ca5c9269

    SHA1

    3a21ed9d9d0de982b8d2c4b2302cc271ee5e203b

    SHA256

    453c7d2fb92d02819bf6c0882fd576ccb0958ef9cf977b0cdfb3f8851984d811

    SHA512

    83ecd0b014713f36f24eda7977decbc9c02f17931f7e339faa3e3b01f8f888af2aa67c16f90637fb129e292b4174bd80de225ccbb93ea1c0b54df5583b772611

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    165B

    MD5

    07deb13c0a0acd55f3caa05530a33123

    SHA1

    60c8d9066e34188751c5a5581c3255f5ab884c32

    SHA256

    745deb011e40423fcfbf0db93551eec285f5875ca1ccb63d17df80640864731a

    SHA512

    abda613bfc78f8256e721bbd724a3ad46f8abed42999f3dbd0895dab4065b1fc899c8779cff195e97e1a31869795e2d566434885f5464fd9743bd8b3dd698716

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    197B

    MD5

    685fcad5610fa6a140784840a55753d7

    SHA1

    dd3cc30964b78f708a214a59da86022ca6da006c

    SHA256

    c86800ba8c8946b6e159c8f325e9cf55165e1973904cb69f9d4507a341bdb61f

    SHA512

    64ca9a70ab4e62a2afda7c384f424ec9aa491def9edf23396c16854bddba3dcba966287fb8df2726b8a9284d054e469b7910bb13b8dc39668c27a01fcfb3c811

  • C:\Vid1A\dobxec.exe

    Filesize

    215KB

    MD5

    c1759a9daa5d63a03c18f1ed84966856

    SHA1

    d95853d11ab5a6fd53448f4717feb9db14b4ee75

    SHA256

    f2e1526fd2ba30718abc9d9027363e5ce8f441527dceed1de93a79da6110ee89

    SHA512

    2a5212001a5b9ce653e03cafae15244a6067682741b4a9971ffae1d8c0269fb87d2280c959706fd44cedc26aa4cfe99e34f63816854a9ac46996dd214e79ccaf

  • C:\Vid1A\dobxec.exe

    Filesize

    2.6MB

    MD5

    25a2d7856de69c420eb57ff08ca6fdac

    SHA1

    e7e4c7e0df003b59b7d893c13804249c4333a107

    SHA256

    465801872723c54efa4a817fc90a00acb4900cd96da2a4657b7cb24c089b8e4e

    SHA512

    911db5b7d7c68ae2a909a538c5111b1d5f7d0d88719fc36cee314eb65f335ab9798ee4b58f74c931d4d648168f1c5129193f6c0e6ded53aebf87c7c40d5ca5a1

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe

    Filesize

    2.6MB

    MD5

    7164a2c330ad390004dce94d200eb70c

    SHA1

    d940421dd5fc4d85428c9a7b988477b513a99c9e

    SHA256

    51115e3f864f0e6d46661ce4f9d4cbacebe547b25e6016893d7dd487e1d1b166

    SHA512

    0403f82e93d2b3a292b5083400d8d026339fc320078e517642c36b95279f0bc96c4f2d6448dec45bf46d8521534213cedebe82f568acea70793ee31a8a438ce9