Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
7Static
static
7Wopti.v7.9...ab.dll
windows7-x64
1Wopti.v7.9...ab.dll
windows10-2004-x64
3Wopti.v7.9...ag.dll
windows7-x64
1Wopti.v7.9...ag.dll
windows10-2004-x64
1Wopti.v7.9...ta.dll
windows7-x64
1Wopti.v7.9...ta.dll
windows10-2004-x64
1Wopti.v7.9...ct.sys
windows7-x64
1Wopti.v7.9...ct.sys
windows10-2004-x64
1Wopti.v7.9...2P.dll
windows7-x64
1Wopti.v7.9...2P.dll
windows10-2004-x64
3Wopti.v7.9...es.exe
windows7-x64
7Wopti.v7.9...es.exe
windows10-2004-x64
7Wopti.v7.9...be.dll
windows7-x64
1Wopti.v7.9...be.dll
windows10-2004-x64
1Wopti.v7.9...��.url
windows7-x64
1Wopti.v7.9...��.url
windows10-2004-x64
1Wopti.v7.9...��.exe
windows7-x64
7Wopti.v7.9...��.exe
windows10-2004-x64
7Analysis
-
max time kernel
146s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
19/07/2024, 11:46
Behavioral task
behavioral1
Sample
Wopti.v7.91.Build.9.115.By.MyCrack/D3DX81ab.dll
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
Wopti.v7.91.Build.9.115.By.MyCrack/D3DX81ab.dll
Resource
win10v2004-20240709-en
Behavioral task
behavioral3
Sample
Wopti.v7.91.Build.9.115.By.MyCrack/WoptiDefrag.dll
Resource
win7-20240705-en
Behavioral task
behavioral4
Sample
Wopti.v7.91.Build.9.115.By.MyCrack/WoptiDefrag.dll
Resource
win10v2004-20240709-en
Behavioral task
behavioral5
Sample
Wopti.v7.91.Build.9.115.By.MyCrack/WoptiDefragVista.dll
Resource
win7-20240705-en
Behavioral task
behavioral6
Sample
Wopti.v7.91.Build.9.115.By.MyCrack/WoptiDefragVista.dll
Resource
win10v2004-20240709-en
Behavioral task
behavioral7
Sample
Wopti.v7.91.Build.9.115.By.MyCrack/WoptiHWDetect.sys
Resource
win7-20240705-en
Behavioral task
behavioral8
Sample
Wopti.v7.91.Build.9.115.By.MyCrack/WoptiHWDetect.sys
Resource
win10v2004-20240709-en
Behavioral task
behavioral9
Sample
Wopti.v7.91.Build.9.115.By.MyCrack/WoptiP2P.dll
Resource
win7-20240708-en
Behavioral task
behavioral10
Sample
Wopti.v7.91.Build.9.115.By.MyCrack/WoptiP2P.dll
Resource
win10v2004-20240704-en
Behavioral task
behavioral11
Sample
Wopti.v7.91.Build.9.115.By.MyCrack/WoptiUtilities.exe
Resource
win7-20240708-en
Behavioral task
behavioral12
Sample
Wopti.v7.91.Build.9.115.By.MyCrack/WoptiUtilities.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral13
Sample
Wopti.v7.91.Build.9.115.By.MyCrack/Woptiglobe.dll
Resource
win7-20240704-en
Behavioral task
behavioral14
Sample
Wopti.v7.91.Build.9.115.By.MyCrack/Woptiglobe.dll
Resource
win10v2004-20240709-en
Behavioral task
behavioral15
Sample
Wopti.v7.91.Build.9.115.By.MyCrack/新云软件.url
Resource
win7-20240708-en
Behavioral task
behavioral16
Sample
Wopti.v7.91.Build.9.115.By.MyCrack/新云软件.url
Resource
win10v2004-20240709-en
Behavioral task
behavioral17
Sample
Wopti.v7.91.Build.9.115.By.MyCrack/磁盘整理功能补丁.exe
Resource
win7-20240704-en
Behavioral task
behavioral18
Sample
Wopti.v7.91.Build.9.115.By.MyCrack/磁盘整理功能补丁.exe
Resource
win10v2004-20240709-en
General
-
Target
Wopti.v7.91.Build.9.115.By.MyCrack/WoptiUtilities.exe
-
Size
2.1MB
-
MD5
aacdb052b4adfc3e570a7a6619719c58
-
SHA1
028f5442c31a29f19cf837d0818d89f7d933e167
-
SHA256
81b87dd0a52d81cc0426dce1c26e9db39073bb28389ab24c0ec12ac4756c4c06
-
SHA512
f67e01fae7efc63852756a92815b313070bf2bbad63bc3b743e8f63b7532afb14205be0061f225249d88814b2c363077f8ecc9cfdf269ab188a3f69c1f2e33e7
-
SSDEEP
24576:kMguKLQHQ4rCdAZBG7N6wCRGTwjsOWsCMPqWJuOBveeBrv9KDxb020B9HEihsKmr:kMRBTnqN6wCREXpeJm2EiQ94nt7/q5
Malware Config
Signatures
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion WoptiUtilities.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate WoptiUtilities.exe -
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\F: WoptiUtilities.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PhysicalDrive0 WoptiUtilities.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI WoptiUtilities.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI WoptiUtilities.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI WoptiUtilities.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK WoptiUtilities.exe -
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\Google\DisplayName = "????" WoptiUtilities.exe Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\Google\SortIndex = "4294967294" WoptiUtilities.exe Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\Baidu WoptiUtilities.exe Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\Baidu\DisplayName = "????" WoptiUtilities.exe Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\Baidu\SortIndex = "4294967293" WoptiUtilities.exe Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\Baidu\Codepage = "65001" WoptiUtilities.exe Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\Google WoptiUtilities.exe Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\Google\Codepage = "936" WoptiUtilities.exe Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\Baidu\URL = "http://www.baidu.com/s?tn=yokcom_pg&ie=UTF-8&wd={searchTerms}&cl=3" WoptiUtilities.exe Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\Google\URL = "http://www.google.com/search?hl=zh-CN&q={searchTerms}&lr=" WoptiUtilities.exe -
Suspicious use of AdjustPrivilegeToken 11 IoCs
description pid Process Token: SeBackupPrivilege 1864 WoptiUtilities.exe Token: SeSecurityPrivilege 1864 WoptiUtilities.exe Token: SeSecurityPrivilege 1864 WoptiUtilities.exe Token: SeSecurityPrivilege 1864 WoptiUtilities.exe Token: SeSecurityPrivilege 1864 WoptiUtilities.exe Token: SeSecurityPrivilege 1864 WoptiUtilities.exe Token: SeSecurityPrivilege 1864 WoptiUtilities.exe Token: SeSecurityPrivilege 1864 WoptiUtilities.exe Token: SeSecurityPrivilege 1864 WoptiUtilities.exe Token: 33 1864 WoptiUtilities.exe Token: SeIncBasePriorityPrivilege 1864 WoptiUtilities.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1864 wrote to memory of 2944 1864 WoptiUtilities.exe 30 PID 1864 wrote to memory of 2944 1864 WoptiUtilities.exe 30 PID 1864 wrote to memory of 2944 1864 WoptiUtilities.exe 30 PID 1864 wrote to memory of 2944 1864 WoptiUtilities.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\Wopti.v7.91.Build.9.115.By.MyCrack\WoptiUtilities.exe"C:\Users\Admin\AppData\Local\Temp\Wopti.v7.91.Build.9.115.By.MyCrack\WoptiUtilities.exe"1⤵
- Checks BIOS information in registry
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Checks SCSI registry key(s)
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1864 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C C:\Users\Admin\AppData\Local\Temp\romBF49.tmp.exe > C:\Users\Admin\AppData\Local\Temp\romBF49.tmp2⤵PID:2944
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
819KB
MD5fd256d9f54ba68c432aff9a36d43de35
SHA17820a28ab8d360886e84c2517275db2c0bfbed14
SHA2561ff1f3a34752e9b4a71cbe189a29c2ac19fe7faa1c56076e76e271a55a44b47e
SHA512e8069747f68032ef48afe80dec9edbdec8fc5ea041a894d751c9a8b65ee5eddec71d2495ef32c9f892a8c0f2ed501b3c4afa10f66a2ade7fb089bc284ed22c98
-
Filesize
22B
MD58526ab457074d902cb0840cde8db3956
SHA13faab54c0039e50b1606d462f8f38d49759ad9ff
SHA256579ae99e25c7b8222acf14f5307224912dfca20f465be7a66485f729ad1f8077
SHA512642c985ca4ac088e6bcafc4eb45e02f1b0bed2be405ad3d3cf1ee9e964da7c60a03ec0ea6ffe89f97646c63924e7bb6a053426b99dfc5f691bb3bb1e746b386f
-
Filesize
138B
MD5bd5ec1bb52187689aced68b4ac111094
SHA181a1cc2d907318d6b7d4ae71640f6826a93645a9
SHA256220e00d29a6352653b206e3186cf7b1030e4f2f2bec0b62387c67ee9cc640f00
SHA512582f8c93e76871b5a13a8a9f28302f658fe558923a57b57bd27e11e0881420b6060d43fd50cc515f2670002ca3eb90e552a228e7da8d1aee5d9575f29f1482ce