Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

2650c3bfb6...0N.exe

windows7-x64

7

2650c3bfb6...0N.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    119s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    12/07/2024, 02:09 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2650c3bfb6a3911960976c2bd8b46ed0N.exe

  • Size

    4.0MB

  • MD5

    2650c3bfb6a3911960976c2bd8b46ed0

  • SHA1

    30334f6f66ea9ead0f51124f12329fb543c058bc

  • SHA256

    d354a9694cf18ff7da16c078045436891ef3c5781c8a6dd83f395dfcec169b6f

  • SHA512

    0a08524b4f1d247d138b6bbafb14ac8046934d0b40cca4cbc4ef5ed19d84e16327654c5dfdcaed2448c332d5f14e78d9e221333f537e543bfa8bb8ca9fcb21af

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBQB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpzbVz8eLFcz

Score
7/10
persistencespywarestealer

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2650c3bfb6a3911960976c2bd8b46ed0N.exe
    "C:\Users\Admin\AppData\Local\Temp\2650c3bfb6a3911960976c2bd8b46ed0N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2416
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2176
    • C:\AdobeNH\xoptisys.exe
      C:\AdobeNH\xoptisys.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2892

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\AdobeNH\xoptisys.exe
    Filesize

    4.0MB

    MD5

    b4a35830f001f7430831c0b599a50ef1

    SHA1

    58c5aa78c286fae6d50785e025b47b808f2f74e2

    SHA256

    1b25603644006075d20caa538975da3ae6b4eec6fc597b14d8c80d202af91d12

    SHA512

    9071ff0b23a45274074f6cb8b3b52a0444acd141914ebc03dfd7ae16bb4beb3d8df1da0a742383a39b141e6a53c904e9c183e0a40fdce7fa25f1d8a8376bd1e3

    Download Submit

  • C:\LabZC8\boddevloc.exe
    Filesize

    4.0MB

    MD5

    a515f96f4a6388662d03f84fec3bde88

    SHA1

    b7c62f38e0c9a6dd892228a5c7bf849bf679a8cb

    SHA256

    8392eb88460f8a871536121ef27a16409612945d50c0de93dfb04a8a11c8df96

    SHA512

    1683ebddca896603ccf60c042e6832cde0dde3530f96964dc9e2cfcbe311520478befe6c0d586bf0d5cf82a07690c4f1d2fb088619884e635900d801c35b16f3

    Download Submit

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize

    171B

    MD5

    7fd081989d700a62a6eb2dd1256652e1

    SHA1

    9efd179e8c01c82f71ee1d184326db9389425a96

    SHA256

    113a2fb570d3307d657be2dc3de400aacc974ae7a64e88fbce032bafc6132e36

    SHA512

    4886d2eab8cfe38c42db95bc9c8c8c51ad199068160bd301e47b4abb654013a08125b08318d2be375b076d0314565bc7267ab5733967976f46cb36b2fa96f1fb

    Download Submit

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize

    203B

    MD5

    09f0b27d28e853cfaea347cdfbf63d06

    SHA1

    0e983b11786e6a7b1998e2304dbc5591adbe6f17

    SHA256

    0ca7c58dd74181dcaae89dd017a9cef85e270bc840fe35369327e3a661eb6ed3

    SHA512

    690a4119bb3969fc8c980b92f5964798c146bb99b636855568a6478d3031dc07f3a224265356f44cacecdda9c4774db2a965de0b92552c3f7672404c1f77343d

    Download Submit

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
    Filesize

    4.0MB

    MD5

    6ab4e7d1e9d145ce1ea392b74af12063

    SHA1

    9eed1b871a83dcc20a7858a6dc539e7e63cf57e8

    SHA256

    a3ded7eb746bd5fc549ff9ae2c1a4561844240cfe66254bcad48ac858e3289d7

    SHA512

    2bdba00d2fa3b291728a4f09792f16e6aeade43f5e8ed1357055ac8098f7a5d288a49b3e614f9669f36287b52e7c05c9bbfccfdbaadb4a366513237273c2bab8

    Download Submit

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.