Analysis
  max time kernel:   119s
  max time network:  17s
  platform:          windows7_x64
  resource:          win7-20240704-en
  resource tags:     arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  submitted:         06/08/2024, 01:18
Static task:      static1
Behavioral task:  behavioral1
  Sample:    37eb0108c9c7c8578d2750ea751b1e20N.exe
  Resource:  win7-20240704-en
Behavioral task:  behavioral2
  Sample:    37eb0108c9c7c8578d2750ea751b1e20N.exe
  Resource:  win10v2004-20240802-en
General
  Target:  37eb0108c9c7c8578d2750ea751b1e20N.exe
  Size:    2.6MB
  MD5:     37eb0108c9c7c8578d2750ea751b1e20
  SHA1:    49f27712a40c88920e245874c8cac5bf962e54f2
  SHA256:  a7983f42b1a900f861a7e979c25b56960c8c8093d04dc7a971fd1170b5693575
  SHA512:  a8ec6c28490a7e839eb594dda75a944e0972dfcf663888c60b8d855999ca529f479d192b1fd2db64842eeaf7d2bb5769fda4529927bc84c1a63b4a72792b8283
  SSDEEP:  49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBLB/bSq:sxX7QnxrloE5dpUpYbV
Malware Config
Signatures

  Credentials from Password Stores: Credentials from Web Browsers  (1 TTP)
    Malicious access to, or copying of, a web browser credential store.

  Drops startup file  (1 IoC)
    description   ioc                                                                                     process
    File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe  37eb0108c9c7c8578d2750ea751b1e20N.exe

  Executes dropped EXE  (2 IoCs)
    pid   process
    2812  sysabod.exe
    2912  aoptisys.exe

  Loads dropped DLL  (2 IoCs)
    pid   process
    1824  37eb0108c9c7c8578d2750ea751b1e20N.exe
    1824  37eb0108c9c7c8578d2750ea751b1e20N.exe
    Both loads are by the original sample process; the report does not name the DLLs.

  Reads user/profile data of web browsers  (2 TTPs)
    Infostealers often target stored browser data, which can include saved credentials.

  Adds Run key to start application  (2 TTPs, 2 IoCs)
    description      ioc                                                                                                                                  process
    Set value (str)  \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot89\\aoptisys.exe"      37eb0108c9c7c8578d2750ea751b1e20N.exe
    Set value (str)  \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintDL\\optidevec.exe"  37eb0108c9c7c8578d2750ea751b1e20N.exe
    Both values share the name Parametr and point at executables in newly created top-level directories (C:\UserDot89, C:\MintDL). The Run target aoptisys.exe is also the second child process in the process tree. The RunOnce target C:\MintDL\optidevec.exe appears nowhere else in this report (no file-creation entry, no process), so the report alone does not show whether that file exists on disk after the run.

  System Location Discovery: System Language Discovery  (1 TTP, 3 IoCs)
    Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.
    description  ioc                                                         process
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  sysabod.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  aoptisys.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  37eb0108c9c7c8578d2750ea751b1e20N.exe

  Suspicious behavior: EnumeratesProcesses  (64 IoCs)
    pid   process
    1824  37eb0108c9c7c8578d2750ea751b1e20N.exe  (first 2 entries)
    2812  sysabod.exe                             (remaining 62 entries alternate between pid 2812 and pid 2912)
    2912  aoptisys.exe

  Suspicious use of WriteProcessMemory  (8 IoCs)
    description                        pid   process                                procid_target
    PID 1824 wrote to memory of 2812   1824  37eb0108c9c7c8578d2750ea751b1e20N.exe  30  (4 identical entries)
    PID 1824 wrote to memory of 2912   1824  37eb0108c9c7c8578d2750ea751b1e20N.exe  31  (4 identical entries)
    Both write targets are processes the sample launched itself (its two children in the process tree), not pre-existing unrelated processes.
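The two persistence signatures above (the Startup-folder drop and the Run/RunOnce values) are the entries a responder would turn into host checks first. The following is an added example, not tria.ge's code: it parses the raw IoC rows exactly as the report prints them, recognises the autostart locations, and explains why each target is suspicious. The rows in IOC_ROWS are copied from this report; the list of autostart keys and trusted directories is an assumption made for the example, not the sandbox's signature set.

```python
import re
from dataclasses import dataclass, field

# Constructed input: the "Drops startup file" and "Adds Run key" IoC rows,
# copied as tria.ge prints them in this report. Raw strings keep the
# backslashes literal (the REG_SZ data keeps the doubled backslashes the
# sandbox prints).
IOC_ROWS = [
    r'File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe 37eb0108c9c7c8578d2750ea751b1e20N.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot89\\aoptisys.exe" 37eb0108c9c7c8578d2750ea751b1e20N.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintDL\\optidevec.exe" 37eb0108c9c7c8578d2750ea751b1e20N.exe',
]

# Row shapes: "File created <path> <process>" and
# 'Set value (<type>) <key\name> = "<data>" <process>'. The file path may
# contain spaces; the process name and the registry path do not.
FILE_ROW = re.compile(r'^File created (?P<path>.+?) (?P<proc>\S+)$')
REG_ROW = re.compile(r'^Set value \((?P<vtype>\w+)\) (?P<value>\S+) = "(?P<data>.*)" (?P<proc>\S+)$')

# Autostart locations this example checks (assumption: a minimal list written
# for this example, not tria.ge's own signature set).
AUTORUN_KEY = re.compile(r'\\CurrentVersion\\(Run|RunOnce|RunServices|RunServicesOnce)$', re.I)
STARTUP_DIR = re.compile(r'\\Start Menu\\Programs\\Startup\\', re.I)
TRUSTED_ROOTS = ('c:\\windows\\', 'c:\\program files\\', 'c:\\program files (x86)\\')


@dataclass
class Finding:
    mechanism: str   # "startup_folder" or "registry_run"
    location: str    # Startup folder path, or registry key\value
    target: str      # executable that will be launched at logon
    writer: str      # process that planted the persistence
    reasons: list = field(default_factory=list)


def unescape_reg_string(data: str) -> str:
    """tria.ge prints REG_SZ data with every backslash doubled; undo that."""
    return data.replace('\\\\', '\\')


def assess_target(path: str) -> list:
    """Why an autostart target looks suspicious; an empty list means unremarkable."""
    reasons = []
    low = path.lower()
    trusted = low.startswith(TRUSTED_ROOTS)
    if not trusted:
        reasons.append('target outside Windows/Program Files')
    # <drive>:\<one directory>\<file>: a fresh top-level directory off the
    # drive root, which legitimate installers almost never use.
    if not trusted and re.fullmatch(r'[a-z]:\\[^\\]+\\[^\\]+', low):
        reasons.append('target in a top-level directory off the drive root')
    return reasons


def triage_persistence(rows) -> list:
    """Turn raw IoC rows into persistence findings; unrelated rows are ignored."""
    findings = []
    for row in rows:
        m = FILE_ROW.match(row)
        if m:
            if STARTUP_DIR.search(m['path']):
                folder = m['path'].rpartition('\\')[0]
                findings.append(Finding('startup_folder', folder, m['path'], m['proc'],
                                        ['executable written to the per-user Startup folder']))
            continue
        m = REG_ROW.match(row)
        if m:
            key, _, name = m['value'].rpartition('\\')
            if AUTORUN_KEY.search(key):
                target = unescape_reg_string(m['data'])
                findings.append(Finding('registry_run', f'{key}\\{name}', target,
                                        m['proc'], assess_target(target)))
    return findings


if __name__ == '__main__':
    for f in triage_persistence(IOC_ROWS):
        print(f'{f.mechanism:14} {f.target}  <- {f.writer}')
        for r in f.reasons:
            print(f'{"":14}   - {r}')
```

The same three checks (Startup folder contents, HKCU\...\CurrentVersion\Run and RunOnce values, and whether each target lives under Windows or Program Files) are what to run on a suspected host; the value name Parametr and the two directory names are the concrete strings to search for from this run, keeping in mind that both are trivially changed between builds.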
Processes

  1. C:\Users\Admin\AppData\Local\Temp\37eb0108c9c7c8578d2750ea751b1e20N.exe  (PID 1824)
     command line: "C:\Users\Admin\AppData\Local\Temp\37eb0108c9c7c8578d2750ea751b1e20N.exe"
     - Drops startup file
     - Loads dropped DLL
     - Adds Run key to start application
     - System Location Discovery: System Language Discovery
     - Suspicious behavior: EnumeratesProcesses
     - Suspicious use of WriteProcessMemory

     2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe  (PID 2812, child of 1824)
        command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses

     2. C:\UserDot89\aoptisys.exe  (PID 2912, child of 1824)
        command line: C:\UserDot89\aoptisys.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
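The process tree and the WriteProcessMemory rows describe the same three processes from two angles, and the useful question is whether any memory write landed in a process the writer did not spawn. The following is an added example, not tria.ge's code: it collapses the eight repeated rows into per-pair call counts, renders the tree with those counts, and separates writes into a process's own children from writes into any other process. The rows and the pid-to-parent map are taken from this report; the row regex and the classification rule are assumptions made for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed input: the eight "Suspicious use of WriteProcessMemory" rows of
# this report (the sandbox logs every call, so each parent/child pair repeats
# four times) and the pid -> (parent pid, image) map read off the process tree.
WPM_ROWS = (
    ['PID 1824 wrote to memory of 2812 1824 37eb0108c9c7c8578d2750ea751b1e20N.exe 30'] * 4
    + ['PID 1824 wrote to memory of 2912 1824 37eb0108c9c7c8578d2750ea751b1e20N.exe 31'] * 4
)
PROCESS_TREE = {
    1824: (None, r'C:\Users\Admin\AppData\Local\Temp\37eb0108c9c7c8578d2750ea751b1e20N.exe'),
    2812: (1824, r'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe'),
    2912: (1824, r'C:\UserDot89\aoptisys.exe'),
}

# Row shape: "PID <src> wrote to memory of <dst> <pid> <image> <procid_target>"
WPM_ROW = re.compile(
    r'^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P<pid>\d+) (?P<image>\S+) (?P<target_id>\d+)$')


def parse_wpm(rows) -> Counter:
    """Collapse repeated rows into (writer pid, target pid) -> call count."""
    edges = Counter()
    for row in rows:
        m = WPM_ROW.match(row)
        if not m:
            raise ValueError(f'unrecognised row: {row!r}')
        edges[(int(m['src']), int(m['dst']))] += 1
    return edges


def classify_writes(edges, tree):
    """Split writes into a process's own children (what a parent does while
    setting up a process it just created) from writes into any other process,
    which is the shape injection takes. Entries are (writer, target, calls)."""
    own_children, foreign = [], []
    for (src, dst), n in sorted(edges.items()):
        parent = tree.get(dst, (None, None))[0]
        (own_children if parent == src else foreign).append((src, dst, n))
    return own_children, foreign


def render_tree(tree, edges) -> list:
    """Indented process tree annotated with the memory-write counts."""
    children = defaultdict(list)
    for pid, (parent, _) in tree.items():
        children[parent].append(pid)
    lines = []

    def walk(pid, depth):
        parent, image = tree[pid]
        n = edges.get((parent, pid), 0)
        note = f'  [{n} WriteProcessMemory calls from parent]' if n else ''
        lines.append('  ' * depth + f'{pid} {image}{note}')
        for child in sorted(children[pid]):
            walk(child, depth + 1)

    for root in sorted(children[None]):
        walk(root, 0)
    return lines


if __name__ == '__main__':
    edges = parse_wpm(WPM_ROWS)
    print('\n'.join(render_tree(PROCESS_TREE, edges)))
    own, foreign = classify_writes(edges, PROCESS_TREE)
    print('writes into own children:', own)
    print('writes into unrelated processes (injection candidates):', foreign)
```

For this run the foreign list is empty: every write goes from PID 1824 into a process it launched itself. On a live host the equivalent telemetry is Sysmon Event ID 10 (ProcessAccess) with PROCESS_VM_WRITE (0x20) in GrantedAccess, joined against Event ID 1 lineage in the same way; that mapping is general Sysmon knowledge, not something this report states.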
Network
MITRE ATT&CK Enterprise v15
Downloads
  Six dropped or extracted artifacts, listed by hash only; the report does not say which of them is sysabod.exe, aoptisys.exe or any other path named above. None of the four 2.6MB artifacts shares an MD5, SHA1 or SHA256 with the submitted sample, so they match it in size but are not byte-identical copies.

  Artifact 1
    Filesize  2.6MB
    MD5       d72bc81e6d3f6ec5c78ec866dcc25b46
    SHA1      d9e8413e772a1c247f11b910d930767899f1820a
    SHA256    7799e7887e9c964d073bbfb963b65a4a5fb5305716e27abf40ea14f08da9e82a
    SHA512    0b8ef21907c7c43211c3611e8680beaf961ecea7b9942c7f19437812137789f68a9ee8e418b768c81f2ebedd8f6a31ea6379ee7094141876f9846e7214174308

  Artifact 2
    Filesize  2.6MB
    MD5       bff7058e7d5459b345e613462f1e9227
    SHA1      8077236f6016ab7e72a503eb9d8fd20f9d3c7e38
    SHA256    d84a85d1d40d8ec99c2527df2f81d7fc06d16d1d3aa0ea0362cc353774f2d626
    SHA512    af8636fbe3db7d89d243593526531202a29c9ff79ac1b24845f463d3e9ac53c1933388fc3833252689f32ac2098113cdbd3e5f18296afea1bc6b0ef5807a8d4e

  Artifact 3
    Filesize  2.6MB
    MD5       7560067944a38249fd8670412aeca31f
    SHA1      9fca8dc7af74a0aed420ff26bbfcc7e019a608c6
    SHA256    72573dda3b87556fa8ece2dd045242b94ac100abe54051626ba311e40e3290d4
    SHA512    42028237540dbf63287f55ec6c4d2f30b6bf23b89929bc1ea0d0bd9c49bbdacabd0e81baf16cb2a284cf54e6e21efa1e36921529ca77ce22697c9fc7aeccce51

  Artifact 4
    Filesize  173B
    MD5       041d6583498f1dab01af8a454727ea0c
    SHA1      8ad79df559b9c5f56c2787eecb1b3e7e7b58afd6
    SHA256    5eae1d26f12c49bb8d7316fffd6d748c45ef750bfb7e55629fba9c2077c5ed18
    SHA512    ddefdf905403547190b27a437db4c2384b489f663d118711d4d9ba441097362da36a11b6f3477a80927f84f0b4c0b3470f4711ffe135c2d6096bae2bd4c1f167

  Artifact 5
    Filesize  205B
    MD5       c9cab8ce387b3b75461548302c1480f4
    SHA1      81a5dafc2ea60dd95d32b7604312e2fa7e0e608d
    SHA256    c5927949d2bcffe9c0d4e2cccfdfce4a2b4209bff2baf58392010e80cdc96d1d
    SHA512    c4ac36a7c8966896280871b1d926c459b060e312d9e6e59e4e7d5967aa6c59299ab29e6f00bc70cf3d050ffcdaef326725c02304ec8be1135d78e2708d54491d

  Artifact 6
    Filesize  2.6MB
    MD5       658c3ce00b6d4f2c9dcc6dab67c0e95c
    SHA1      458724a6eeaf14a9c3e3ee4d0582adbeb2f3c23c
    SHA256    85070d4813acc4148e7cee40ca3cefb7a14c82ba0156720be1d930872461c10a
    SHA512    249a96928f07188238a5f12685803bfc7df72d928e7ca1f3a8a2719c19f44f4a894c3e62e6c8576d7eaabc3691c3871e14c33a1bf06bf932c7aa50d3ee19700d