Analysis

  • max time kernel
    119s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26/07/2024, 13:29

General

  • Target

    130a84e39f527ccc098fe180888fffe0N.exe

  • Size

    3.0MB

  • MD5

    130a84e39f527ccc098fe180888fffe0

  • SHA1

    841d830070b179e4b64c1f4fd11a9cc2e98b5930

  • SHA256

    0488cb13a4a71ab9c0313af80fd51886b618a1cfb8baeb0fe74f0bc55f3223c7

  • SHA512

    09ad3ac741ca410068231380d21932f016d0df6369f994f9d27fa17b4be4fc796acf2ae73368a530a86f1945180ef2203c1ac7184f6752032b06fe44eb48c131

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBlB/bSqz8b6LNX:sxX7QnxrloE5dpUpebVz8eLF

Malware Config

Signatures

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser credential store.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\130a84e39f527ccc098fe180888fffe0N.exe
    "C:\Users\Admin\AppData\Local\Temp\130a84e39f527ccc098fe180888fffe0N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:100
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3496
    • C:\FilesK2\xoptiloc.exe
      C:\FilesK2\xoptiloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2704

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\FilesK2\xoptiloc.exe

    Filesize

    3.0MB

    MD5

    7ffefeaf78f1eb5d91c80cc70351dc69

    SHA1

    01cf94551535758ed62eb223d311d84d85017553

    SHA256

    6d5d053dd2b4702a485fa63d9d22dc8cfc482a9c64a819be81f7b414067e87df

    SHA512

    7ddcedba7f9a3f428f80224bdd00c1a3a6f1cf5716a07bc5ec39af47e7fe353695b1a2d94c70578c72fb5af509fb0e40abfc52f6b7b8e829492c9c7591f564d5

  • C:\MintXN\optidevec.exe

    Filesize

    3.0MB

    MD5

    b159b7c5aaf98c20b4c22b0d9b492349

    SHA1

    2adb78049ba2bb034bff84199483b769a6df8a29

    SHA256

    46bb00980a085a5f8818c8e41ac3f9a243fb3d8b1b8ec26ebe416be6dd0d239c

    SHA512

    2c6f14d58fc7aa02b36902b7e89e858347f7debf61a1fa500880d7a1918ea587ea1d8a921fe4157f1aabf0afc358cce43498d19e91855f8cdaea5b5bea2ecd92

  • C:\MintXN\optidevec.exe

    Filesize

    3.0MB

    MD5

    e5da63f31b43af243630b36125d7f42f

    SHA1

    aa1fb17714249f7da14b63c40014946dad1b26b6

    SHA256

    f94a0a79e027639ff02efb8f33449d717bdf3d0a9033632a003fd3fc0497c19c

    SHA512

    a3096a756728cb54e608669e6832101ec165b82a6b12f43f297efc14e1352f7e41a73049a93d24acb7c65e9231beb35e9396df3a6b542f7dd92abf4a266fefdd

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    202B

    MD5

    78f17fddb1d06f09b38c8c323737fa88

    SHA1

    cde192f3152a095baaf4750bae8ae92028871ac2

    SHA256

    35b407ff55e7efaec3563f8b0b7fc9a60c815e47d49c931603e484178de8a7de

    SHA512

    cb00ca88582f30d23ffebdf3da45af0bd58dff8bfaaaa34734c60525fb4baa58a19db2357643c1e38795aafb3865bb54322407a4e4426bbc6b9b910f784dcce7

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    170B

    MD5

    b50ba17817222d8307cc922285055e35

    SHA1

    11861a25766269c6e269af8a2e8c017fc6d6c814

    SHA256

    62136b11f5102a2e13eb7d4ef5a767fb74b32b5871cbbaeccf3d8a7d1561292c

    SHA512

    c3cb7c27b7e429317282b3b6a74d778ccef2195157366108d46b7ecf2b2807e4c1e9c148d37d696f9ffab3d7b09c638d464267a1999fc36fe2ff59c6c02e772b

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe

    Filesize

    3.0MB

    MD5

    06d83eb112ff995c5ec937b81e0d9303

    SHA1

    499d77478077600797d4a98a6da1516578aa21ec

    SHA256

    afdeca7b68182437839ca2d236d92490f3d2ecc9a64753f9c86d2e3ac5f6647e

    SHA512

    4f2be7b263f07bbc565ceb5f53d2482e961c4e54eadca248eba84087f3415de5482f75f6307ed2c3d030d4eee8b3ceb70b5c89a257f60f0e6d46f9fb3cf429a6