Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

2f4f4b8611...0N.exe

windows7-x64

7

2f4f4b8611...0N.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    119s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    26/07/2024, 16:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2f4f4b8611a4de7e51a7a1d1abf112c0N.exe

  • Size

    2.7MB

  • MD5

    2f4f4b8611a4de7e51a7a1d1abf112c0

  • SHA1

    b7f38b465f4c5d4194a58f9b833f95add0f7bbed

  • SHA256

    de35af036b7c4807ffc11ea69000de4f4a234381d4290b5ec0c96303769bdfab

  • SHA512

    9f5079ee17d2c73e562ebe6a6eecf929b915cdef8a4c50274204cc078864701fe012a35abe5825844f543fd435aaf17542c0b7599d93e0cd8643f5d5258232e0

  • SSDEEP

    49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB29w4Sx:+R0pI/IQlUoMPdmpSpg4

Score
7/10
discoverypersistence

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2f4f4b8611a4de7e51a7a1d1abf112c0N.exe
    "C:\Users\Admin\AppData\Local\Temp\2f4f4b8611a4de7e51a7a1d1abf112c0N.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2552
    • C:\SysDrvHV\xoptiloc.exe
      C:\SysDrvHV\xoptiloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:968

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize

    202B

    MD5

    d01b158c171b8704f98f147120c7896d

    SHA1

    b2498a62e633a5b5e33613f2e83901767b60151e

    SHA256

    baa3fb46bc6b2bca10c01c5cdffe6484cc593f7c3bf1d378fc68396e66810bba

    SHA512

    eb19fdf707d480613074352fa2688dc7537e91d5a3f1f16e715d95c95ab657100f68dfc057229102e94b9e2bba045b20eafdf36b1185ca4509c510b133f814fb

    Download Submit

  • C:\VidIE\dobdevsys.exe
    Filesize

    2.7MB

    MD5

    4a1d2675df0466aa5c4a60f7989166f5

    SHA1

    777a6267394a2adba2bfb2ba80ebd7d369e89a8e

    SHA256

    00c8559cb4617811ee9322943ec22602c08fc247a3497151ea015e16f0f3048e

    SHA512

    925f2c0dfa9a1342428c63c2193862f860eca73559be8ef37cd93235ac48ec78909d47d33aa05fa092c1b1821e5c798a538dcd3e0d533c9a3a20a71769cbc018

    Download Submit

  • \SysDrvHV\xoptiloc.exe
    Filesize

    2.7MB

    MD5

    1cdb5b5987c41c3afc63d4e4b0367081

    SHA1

    bcfd854524805ad1cc74900db9e69f07da81b600

    SHA256

    35bf7f77e5c8b4a96a3773be7612bd77211591462ad4d9434aeebe8ace0db98e

    SHA512

    23f0fc40fb540d571a4eecc2e2783246572ea9bad113776a77679754021ffcb7018cf560d5d7aa5616656226fc81fb8106953f992176af759db9b80db86a8634

    Download Submit