
Analysis

  • max time kernel: 119s
  • max time network: 96s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240709-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 15/07/2024, 20:22

General

  • Target: 049a1da796b9c1144ec44bfa9a5cc200N.exe
  • Size: 2.7MB
  • MD5: 049a1da796b9c1144ec44bfa9a5cc200
  • SHA1: 1f0152b3ad829d7318a9a6884eeb0d60ecbd16c2
  • SHA256: 69ad4341c4497360116400bd5b38866323be3396bf57737fe067c8e93942fa8e
  • SHA512: 6674da5d8f139d6588ac25d1de9c53c901dbdd1ed1e66924c81555d89261f9eb2c32ba4ad171c8621143d2660b140fd7107eeb6342a4c9ba8b2407a2e79b4ee2
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBbB/bSq:sxX7QnxrloE5dpUpIbV

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\049a1da796b9c1144ec44bfa9a5cc200N.exe
    "C:\Users\Admin\AppData\Local\Temp\049a1da796b9c1144ec44bfa9a5cc200N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4348
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:4644
    • C:\SysDrvBY\devoptiec.exe
      C:\SysDrvBY\devoptiec.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:5088

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\MintIS\optixloc.exe
    Filesize: 22KB
    MD5: e4c3b64fcedd8e2be082125e0287c8c2
    SHA1: e6b71826979f9d40981780fe8419f7c9b79bf83c
    SHA256: ba35a7794c7b3437fa887553308604c897996dc320d4789f8ba4838d1db5da7c
    SHA512: 0e8954077f47610919e36491a6c0d672d0a7c041f7ae8269b389612195dfe659cdabcafdbea40afc4e1d1dbfce766724ee826f776efc650dafa0f52ae350288a

  • C:\MintIS\optixloc.exe
    Filesize: 2.7MB
    MD5: cc209054964444bee419f13f0ea72ca2
    SHA1: 18a7d30b4bf7677d5c5d323a3969f05cc1e4c845
    SHA256: c72346cc460fb37fbfe7042e42652399ffc5a0f5e44bbe2126cf7cc2a070bce1
    SHA512: ffb64121f63db69d6696d2fd9544f8a190b26a867f038382e5a4a9865ec0b3424d4750669b8d5d1f9071f0dd742a4fda28c0ee0c5d5de172e1f125dbb750add4

  • C:\SysDrvBY\devoptiec.exe
    Filesize: 6KB
    MD5: 0860ba7ab87e6dbf893e728aa4621778
    SHA1: 6296ec6dd59bc3b8a68b647437f788d3632c62db
    SHA256: dae0dd40453db7d1814b71e7428dae76ec100c87d90429cfe275f635828912b2
    SHA512: 6b72d47a2829acfcf1490f689278dd8559279bed5d5c4557d0d0a5168428051f1906438558ebacac45c8aee6d3c2408cb4723e18b3d3bcc087625db5239ebaef

  • C:\SysDrvBY\devoptiec.exe
    Filesize: 2.7MB
    MD5: 5956ff92f09b4f91c2a45393cf889a58
    SHA1: df68139238792bc06b2625795930f362dfb89f0b
    SHA256: fed0f9bfd52bd142673a63e13d4e90f1264fcae4bb02c21af1ee6bea109847cf
    SHA512: 372d4e1767c60828756ed71be8321953d81eba1df3f7094d959385cc5d5941f1202f334246b017ef3f94ba5af9c85f84a62765ee176d00078fd0072e18feb378

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 203B
    MD5: a29ebf75d02aeb6b8c5ae3fcd4bc1260
    SHA1: a5fc5b6bc5f0ee19ab8f8bc61dcf7af6c241c301
    SHA256: 26845287c113a40d0ef12e012a57838a7477f5f435164426073071d405065f2e
    SHA512: e7fd73204f1860742294d4a01f8d2cb8ac68f90039fcfe56dc04f3493a660c5d31b85e20849b769ab13dedcd266e46cf916cd87acb9c826af6f8f73140c3046a

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 171B
    MD5: 754099f25313669e3d1f074f32ebb2ac
    SHA1: e455342153ab6d03b4084c5c387ccc9acaaad2a7
    SHA256: 828380bade6864a3a010ca270de0858ce99f09536ffe7f8a129c77299a395fce
    SHA512: a0a6a9e4043e970d9292bf5d8eb0184f924c0e7581a6e3d8886e27f7320d651f3a146ea562fe6f6e76762782692cfdc9c87caadaf7029bff9b2382d31bc971f9

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
    Filesize: 2.7MB
    MD5: 107c2a6ace15afdc0987517300c03ac5
    SHA1: 6ccd4be147cc94377a112341d6ae099a8c615238
    SHA256: d814379293543d1ac83f99fd670bd52f5d902d443f33d1d7cbe39fae9b0de0cc
    SHA512: 3f21f62b378173de0c2a8dc144d82fbf42071d9b8f9cf74d2c4c6ad04186543e2844f8edbaaa1756d28028ad9fdfa22f230b5fb9a7239f507d5fd14da61a6109