Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

22e19e5ffe...0N.exe

windows7-x64

7

22e19e5ffe...0N.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    119s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    26/07/2024, 15:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    22e19e5ffef48f570272fa10a8323220N.exe

  • Size

    2.7MB

  • MD5

    22e19e5ffef48f570272fa10a8323220

  • SHA1

    3ee2b9852b6153ff8ece701483518be61efe313b

  • SHA256

    7058cb79aaa703aa5f95a4665df0816d6f784c96da699227811009a9ebc9471f

  • SHA512

    90acd7a9d010cfa6c3a1e68efad08a6a006276f90e2e4e9f3cd91b9d76589d480311957eb5086d22fe27c41ee729ccabff9d5c19a32adb9c37f6a9c5d305f61c

  • SSDEEP

    49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBQ9w4Sx:+R0pI/IQlUoMPdmpSpe4

Score
7/10
discoverypersistence

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\22e19e5ffef48f570272fa10a8323220N.exe
    "C:\Users\Admin\AppData\Local\Temp\22e19e5ffef48f570272fa10a8323220N.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2312
    • C:\SysDrvF5\xoptiloc.exe
      C:\SysDrvF5\xoptiloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1664

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\GalaxZU\dobaloc.exe
    Filesize

    2.7MB

    MD5

    5182e11e3d9a473bf1e343ecdf3bbeab

    SHA1

    36762822d76d75eecca17b8cf6e27c5228a24f12

    SHA256

    1a69a9f138286fdc75d9bdaa44e69c35637e91dcc955885237d8a0d1d572a329

    SHA512

    0769783dd6b65f557a4ea4cfe21f568b6af6d76f02129a669ce1b65f65083fa91fb6cd2c879774280879b15b859e82126e8e1f0406db3bff777c29bfa59f6681

    Download Submit

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize

    203B

    MD5

    8f0ae58257e7eab9550b95d64953a059

    SHA1

    42a94a905cc09adfd83665d972caf14e8080539b

    SHA256

    0a0727dbf36ec1ce6f002084d9f263f51727e7d45b1ee2e2720cae31eda036a4

    SHA512

    02a7a0ed71084a66db7135405877c30aea5e6a9420940bd557821a4a62b7ed64aaa39f94602e41e789a8d3599b825b6370fe5af4538a8241d638b0fefeab11eb

    Download Submit

  • \SysDrvF5\xoptiloc.exe
    Filesize

    2.7MB

    MD5

    f05d3bf2f8590b368183a28c0a9fcf28

    SHA1

    25aad7ce62b714555ec36710affee9f6aaf64fa0

    SHA256

    2a20c73fa177946cf497f5f9b4eb9a1650ef74388bcce3033a7ea2b46f4b8822

    SHA512

    a1efdc1d9fc024e70a3f7190abbddf61fb2cd0aa2fbbc07ce47c574f24d9d508cdf518f20236bebfc3c960be82f9a2b1a4eaa75d0e2a44e5cd2ae9eeb4539bd7

    Download Submit