Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 119s
max time network: 119s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 05/08/2024, 12:03
Static task: static1
Behavioral task: behavioral1
  Sample: 89df74e783e31db93de93ec03cdd7aa0N.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 89df74e783e31db93de93ec03cdd7aa0N.exe
  Resource: win10v2004-20240802-en
General
Target: 89df74e783e31db93de93ec03cdd7aa0N.exe
Size: 2.7MB
MD5: 89df74e783e31db93de93ec03cdd7aa0
SHA1: 9b2f6ae72922ad4272103bb7e1cc5f8aa588cc2f
SHA256: 09afb153a9ebd54d3b143e3c8c85efe458783d40ccdf94b56e9f37b62ed14394
SHA512: 4b71b8d0613ef61dd5d43e913788ad07f28eec4f748d0e4bb7cc926999a3d8c0ab4011e2e92ff333d8ae62c6b764000ccb182f0511c3af4358c796eb21b5b92f
SSDEEP: 49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBg9w4Sx:+R0pI/IQlUoMPdmpSp+4
Malware Config
Signatures
Executes dropped EXE (1 IoC)
pid   Process
2280  aoptisys.exe
Loads dropped DLL (1 IoC)
pid   Process
468   89df74e783e31db93de93ec03cdd7aa0N.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeFU\\aoptisys.exe"
  Process: 89df74e783e31db93de93ec03cdd7aa0N.exe
description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZGC\\dobasys.exe"
  Process: 89df74e783e31db93de93ec03cdd7aa0N.exe
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: 89df74e783e31db93de93ec03cdd7aa0N.exe
description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: aoptisys.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid   Process
468   89df74e783e31db93de93ec03cdd7aa0N.exe
2280  aoptisys.exe
(the 64 entries alternate between these two pid/Process pairs)
Suspicious use of WriteProcessMemory (4 IoCs)
description: PID 468 wrote to memory of 2280
  pid: 468
  Process: 89df74e783e31db93de93ec03cdd7aa0N.exe
  procid_target: 31
(this entry is recorded 4 times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\89df74e783e31db93de93ec03cdd7aa0N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\89df74e783e31db93de93ec03cdd7aa0N.exe"
   PID: 468
   - Loads dropped DLL
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\AdobeFU\aoptisys.exe (child of PID 468)
      Command line: C:\AdobeFU\aoptisys.exe
      PID: 2280
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads