Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
119s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
26/07/2024, 13:29
Static task
static1
Behavioral task
behavioral1
Sample
130a84e39f527ccc098fe180888fffe0N.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
130a84e39f527ccc098fe180888fffe0N.exe
Resource
win10v2004-20240709-en
General
-
Target
130a84e39f527ccc098fe180888fffe0N.exe
-
Size
3.0MB
-
MD5
130a84e39f527ccc098fe180888fffe0
-
SHA1
841d830070b179e4b64c1f4fd11a9cc2e98b5930
-
SHA256
0488cb13a4a71ab9c0313af80fd51886b618a1cfb8baeb0fe74f0bc55f3223c7
-
SHA512
09ad3ac741ca410068231380d21932f016d0df6369f994f9d27fa17b4be4fc796acf2ae73368a530a86f1945180ef2203c1ac7184f6752032b06fe44eb48c131
-
SSDEEP
49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBlB/bSqz8b6LNX:sxX7QnxrloE5dpUpebVz8eLF
Malware Config
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe 130a84e39f527ccc098fe180888fffe0N.exe -
Executes dropped EXE 2 IoCs
pid Process 3496 ecabod.exe 2704 xoptiloc.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesK2\\xoptiloc.exe" 130a84e39f527ccc098fe180888fffe0N.exe Set value (str) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintXN\\optidevec.exe" 130a84e39f527ccc098fe180888fffe0N.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ecabod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xoptiloc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 130a84e39f527ccc098fe180888fffe0N.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 100 130a84e39f527ccc098fe180888fffe0N.exe 100 130a84e39f527ccc098fe180888fffe0N.exe 100 130a84e39f527ccc098fe180888fffe0N.exe 100 130a84e39f527ccc098fe180888fffe0N.exe 3496 ecabod.exe 3496 ecabod.exe 2704 xoptiloc.exe 2704 xoptiloc.exe 3496 ecabod.exe 3496 ecabod.exe 2704 xoptiloc.exe 2704 xoptiloc.exe 3496 ecabod.exe 3496 ecabod.exe 2704 xoptiloc.exe 2704 xoptiloc.exe 3496 ecabod.exe 3496 ecabod.exe 2704 xoptiloc.exe 2704 xoptiloc.exe 3496 ecabod.exe 3496 ecabod.exe 2704 xoptiloc.exe 2704 xoptiloc.exe 3496 ecabod.exe 3496 ecabod.exe 2704 xoptiloc.exe 2704 xoptiloc.exe 3496 ecabod.exe 3496 ecabod.exe 2704 xoptiloc.exe 2704 xoptiloc.exe 3496 ecabod.exe 3496 ecabod.exe 2704 xoptiloc.exe 2704 xoptiloc.exe 3496 ecabod.exe 3496 ecabod.exe 2704 xoptiloc.exe 2704 xoptiloc.exe 3496 ecabod.exe 3496 ecabod.exe 2704 xoptiloc.exe 2704 xoptiloc.exe 3496 ecabod.exe 3496 ecabod.exe 2704 xoptiloc.exe 2704 xoptiloc.exe 3496 ecabod.exe 3496 ecabod.exe 2704 xoptiloc.exe 2704 xoptiloc.exe 3496 ecabod.exe 3496 ecabod.exe 2704 xoptiloc.exe 2704 xoptiloc.exe 3496 ecabod.exe 3496 ecabod.exe 2704 xoptiloc.exe 2704 xoptiloc.exe 3496 ecabod.exe 3496 ecabod.exe 2704 xoptiloc.exe 2704 xoptiloc.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 100 wrote to memory of 3496 100 130a84e39f527ccc098fe180888fffe0N.exe 87 PID 100 wrote to memory of 3496 100 130a84e39f527ccc098fe180888fffe0N.exe 87 PID 100 wrote to memory of 3496 100 130a84e39f527ccc098fe180888fffe0N.exe 87 PID 100 wrote to memory of 2704 100 130a84e39f527ccc098fe180888fffe0N.exe 90 PID 100 wrote to memory of 2704 100 130a84e39f527ccc098fe180888fffe0N.exe 90 PID 100 wrote to memory of 2704 100 130a84e39f527ccc098fe180888fffe0N.exe 90
Processes
-
C:\Users\Admin\AppData\Local\Temp\130a84e39f527ccc098fe180888fffe0N.exe"C:\Users\Admin\AppData\Local\Temp\130a84e39f527ccc098fe180888fffe0N.exe"1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:100 -
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3496
-
-
C:\FilesK2\xoptiloc.exeC:\FilesK2\xoptiloc.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2704
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.0MB
MD57ffefeaf78f1eb5d91c80cc70351dc69
SHA101cf94551535758ed62eb223d311d84d85017553
SHA2566d5d053dd2b4702a485fa63d9d22dc8cfc482a9c64a819be81f7b414067e87df
SHA5127ddcedba7f9a3f428f80224bdd00c1a3a6f1cf5716a07bc5ec39af47e7fe353695b1a2d94c70578c72fb5af509fb0e40abfc52f6b7b8e829492c9c7591f564d5
-
Filesize
3.0MB
MD5b159b7c5aaf98c20b4c22b0d9b492349
SHA12adb78049ba2bb034bff84199483b769a6df8a29
SHA25646bb00980a085a5f8818c8e41ac3f9a243fb3d8b1b8ec26ebe416be6dd0d239c
SHA5122c6f14d58fc7aa02b36902b7e89e858347f7debf61a1fa500880d7a1918ea587ea1d8a921fe4157f1aabf0afc358cce43498d19e91855f8cdaea5b5bea2ecd92
-
Filesize
3.0MB
MD5e5da63f31b43af243630b36125d7f42f
SHA1aa1fb17714249f7da14b63c40014946dad1b26b6
SHA256f94a0a79e027639ff02efb8f33449d717bdf3d0a9033632a003fd3fc0497c19c
SHA512a3096a756728cb54e608669e6832101ec165b82a6b12f43f297efc14e1352f7e41a73049a93d24acb7c65e9231beb35e9396df3a6b542f7dd92abf4a266fefdd
-
Filesize
202B
MD578f17fddb1d06f09b38c8c323737fa88
SHA1cde192f3152a095baaf4750bae8ae92028871ac2
SHA25635b407ff55e7efaec3563f8b0b7fc9a60c815e47d49c931603e484178de8a7de
SHA512cb00ca88582f30d23ffebdf3da45af0bd58dff8bfaaaa34734c60525fb4baa58a19db2357643c1e38795aafb3865bb54322407a4e4426bbc6b9b910f784dcce7
-
Filesize
170B
MD5b50ba17817222d8307cc922285055e35
SHA111861a25766269c6e269af8a2e8c017fc6d6c814
SHA25662136b11f5102a2e13eb7d4ef5a767fb74b32b5871cbbaeccf3d8a7d1561292c
SHA512c3cb7c27b7e429317282b3b6a74d778ccef2195157366108d46b7ecf2b2807e4c1e9c148d37d696f9ffab3d7b09c638d464267a1999fc36fe2ff59c6c02e772b
-
Filesize
3.0MB
MD506d83eb112ff995c5ec937b81e0d9303
SHA1499d77478077600797d4a98a6da1516578aa21ec
SHA256afdeca7b68182437839ca2d236d92490f3d2ecc9a64753f9c86d2e3ac5f6647e
SHA5124f2be7b263f07bbc565ceb5f53d2482e961c4e54eadca248eba84087f3415de5482f75f6307ed2c3d030d4eee8b3ceb70b5c89a257f60f0e6d46f9fb3cf429a6