Analysis

  • max time kernel
    120s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    12/07/2024, 03:17

General

  • Target
    2c0c6b8b0902b4807ca9536a398f3180N.exe
  • Size
    3.1MB
  • MD5
    2c0c6b8b0902b4807ca9536a398f3180
  • SHA1
    1b921069bbef9eac41a0fd00454a53cb9169f7db
  • SHA256
    b2fa466180454c368867e2ab775f93091bfd845aaaab92c9e5af3ba6d942ec3f
  • SHA512
    ad1a39a7e58c2a2e3eac43166661cc245f46904accc0f05cc7cb19beaec2d0af720d77aaa54b6a476edf33fd0df36bdb100bb0c40fd03fd35c6484e3ef941dc9
  • SSDEEP
    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBxB/bSqz8b6LNXJqI:sxX7QnxrloE5dpUpSbVz8eLFc

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive profile information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2c0c6b8b0902b4807ca9536a398f3180N.exe
    "C:\Users\Admin\AppData\Local\Temp\2c0c6b8b0902b4807ca9536a398f3180N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2876
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2736
    • C:\FilesLW\aoptiloc.exe
      C:\FilesLW\aoptiloc.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2808

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\FilesLW\aoptiloc.exe
    Filesize: 3.1MB
    MD5: d6d3f1f8381e84ec72461abb1736f243
    SHA1: 3bfd2b1c7e947b90435ce5725fb2b13c58f51f5d
    SHA256: 678e3f4784be1b720f9126b49c061f126134a6032ecaba8bdd339e597b7d21df
    SHA512: 47f51f9185be8950e68908b66152fbfdbd0e5bc48e386d03180136650fd9f633f02dc6687617948e418915a72e253d9aea77d35a31566209bbfa92cb6b9c082d

  • C:\GalaxIF\dobdevec.exe
    Filesize: 3.1MB
    MD5: 3fc7f6cacc39b332d30cff1aa11a1d41
    SHA1: eabec846da542b3752319185ea5421e808687bb8
    SHA256: 7977cbd5fe57a7d995f0ba894b5d2ec2d0e100d9cbd811635aab3a344b4e5c61
    SHA512: 707f05b0e25fc0062c3330c6eaab9e4f79255aa83db3d442ae9ad9bb2b1e30d87cbf4a1a221c1de9847d7c922bb83b86de0a3dc8c73ed288a3146edf23c34f2b

  • C:\GalaxIF\dobdevec.exe
    Filesize: 3.1MB
    MD5: b8a724e8c4d880e48ef822f445676646
    SHA1: 65223c0dee531704016b07e7975afb1a8fcef01b
    SHA256: 4e5dfbed8538216d38dd21e367e3a0e1b38949ac22e8586c3e71d30c0c5d151e
    SHA512: 9f934dd9001d6c92bf807a71815f5d71df8f0068a82ad619286984637b1f5e3908163daa4d4c9b6add588c7eb8a9fb9378bc2a481f5e56bdbc34bbc276c1f9af

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 172B
    MD5: cfc34cb741cd0e00fc8a74fca47719b2
    SHA1: 5add4faa3d82eb0843d3f538159d7c890c42b159
    SHA256: f88fdd93a3b20e841499df9ead3bd918f2dfe2ee9755d5e6d7f8ba5e733db3da
    SHA512: d5356267d5ba525cd5172081274d942682110798d2d31ac3ea59da74323b1471f139cb84ec524c281102375edc7c741d378b238806d53b20e90c190166c86f20

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 204B
    MD5: 8667cd5a2e7f19eb72cb32dc905bb5c5
    SHA1: b6b11fc2e4047e8a3e012f412a35631e529938d3
    SHA256: d04d44316216e5ece6f2de7b0bf8d2f0eafa067031697c11688aa0a09b1c4a29
    SHA512: 3e4892e75d6799777afb8ba2ecc939d3adebe0a843d8708d2ae1abc3f28912211c6c1a00b0cfd50c47810f9fcba663ccdb9906f80904da3b3939f6c8b4e88af5

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
    Filesize: 3.1MB
    MD5: ccfe5e4fd0fc56c8f3f17c394892eb83
    SHA1: bec6d4884596deb68ff808dd18cd177a2626dde0
    SHA256: 33af10c6e611f34fdd836e8a31df0e2e508531b9c4cc53c13f013bb1e34e9826
    SHA512: 9c629712b1e0812e6517372b45e9dc1e80220e66eb44b3843679baca6a5d9105854e973c3b4d86f383bbe17e14ed37630194c833b27a604484c590f934f00ecc