Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

46647e4b02...0N.exe

windows7-x64

7

46647e4b02...0N.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    119s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/08/2024, 03:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    46647e4b023fdac71ad646e3d12601e0N.exe

  • Size

    3.1MB

  • MD5

    46647e4b023fdac71ad646e3d12601e0

  • SHA1

    be3fbc70c5c5e3748cf6a00355eb23ed38dd8fd1

  • SHA256

    d73aaee8bc93378bd9f4ad4859655d879d0aa6dbd78da220b169fa8e3cfe3c6b

  • SHA512

    49c91d1f9fdbe34c3247aad78fe18135d16429d7c83872371087686704fa149b1e9563cdcff508c758cf1aea049f399e514786e60636e6bfa4efe937159a4a61

  • SSDEEP

    49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBY9w4Su+LNfej:+R0pI/IQlUoMPdmpSp24JkNfej

Score
7/10
discoverypersistence

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\46647e4b023fdac71ad646e3d12601e0N.exe
    "C:\Users\Admin\AppData\Local\Temp\46647e4b023fdac71ad646e3d12601e0N.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:800
    • C:\UserDotMI\aoptiloc.exe
      C:\UserDotMI\aoptiloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3288

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\MintMF\optidevloc.exe
    Filesize

    3.1MB

    MD5

    c73bdc2446aff4047749a611d12f4c3f

    SHA1

    a7625d1ef390d5cc62548068c15485be54e9be88

    SHA256

    c57b47dde4e964f1a7c124137e65b0084af5678c38ddd41fc328dca2550290b4

    SHA512

    75680911b6181d112363fd3a95f78bbfb2696c682cb41e17209413a66c2f516de51a00ec977abb61c945358ed76c1f8a3d345b89b6b0a3d34793809cfac74df0

    Download Submit

  • C:\UserDotMI\aoptiloc.exe
    Filesize

    3.1MB

    MD5

    ea638949a91235d9f02810a7e23421cd

    SHA1

    f5789be1fa5d6d3aaa5409e519e7be7a10ab7198

    SHA256

    9bcc5a62b282a0d06a2f7c334e70514736ed73d0b4b5f5aeacf9ebb57cdf4086

    SHA512

    6ad3169cff19f26ec7c6723080f46d909c0db7a661c36e486ee6f55a6fc0de4d019ecbec3cd6d78597ce76228af990f14d326ca8efe8b2c4bc1f3a020a702d0e

    Download Submit

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize

    207B

    MD5

    f82c7712050261dca106d968c0cce91d

    SHA1

    3336503968968871de7c63ce24e634ad5dd97a32

    SHA256

    8480f7b8eba7fca682484ad0837155e41c462d32792007bed9b9931b7788dfcf

    SHA512

    c5b9ae34b80e71d2fc5f039bbb7b561413f7c3a901d15e4a9f961ca506b3fe2eed9149abc6aa131cd96015c2540939012746028587af863f14917065a3e6f782

    Download Submit