Analysis

  • max time kernel
    119s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    06/08/2024, 01:18

General

  • Target

    37eb0108c9c7c8578d2750ea751b1e20N.exe

  • Size

    2.6MB

  • MD5

    37eb0108c9c7c8578d2750ea751b1e20

  • SHA1

    49f27712a40c88920e245874c8cac5bf962e54f2

  • SHA256

    a7983f42b1a900f861a7e979c25b56960c8c8093d04dc7a971fd1170b5693575

  • SHA512

    a8ec6c28490a7e839eb594dda75a944e0972dfcf663888c60b8d855999ca529f479d192b1fd2db64842eeaf7d2bb5769fda4529927bc84c1a63b4a72792b8283

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBLB/bSq:sxX7QnxrloE5dpUpYbV

Malware Config

Signatures

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\37eb0108c9c7c8578d2750ea751b1e20N.exe
    "C:\Users\Admin\AppData\Local\Temp\37eb0108c9c7c8578d2750ea751b1e20N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1824
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2812
    • C:\UserDot89\aoptisys.exe
      C:\UserDot89\aoptisys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2912

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\MintDL\optidevec.exe

    Filesize

    2.6MB

    MD5

    d72bc81e6d3f6ec5c78ec866dcc25b46

    SHA1

    d9e8413e772a1c247f11b910d930767899f1820a

    SHA256

    7799e7887e9c964d073bbfb963b65a4a5fb5305716e27abf40ea14f08da9e82a

    SHA512

    0b8ef21907c7c43211c3611e8680beaf961ecea7b9942c7f19437812137789f68a9ee8e418b768c81f2ebedd8f6a31ea6379ee7094141876f9846e7214174308

  • C:\MintDL\optidevec.exe

    Filesize

    2.6MB

    MD5

    bff7058e7d5459b345e613462f1e9227

    SHA1

    8077236f6016ab7e72a503eb9d8fd20f9d3c7e38

    SHA256

    d84a85d1d40d8ec99c2527df2f81d7fc06d16d1d3aa0ea0362cc353774f2d626

    SHA512

    af8636fbe3db7d89d243593526531202a29c9ff79ac1b24845f463d3e9ac53c1933388fc3833252689f32ac2098113cdbd3e5f18296afea1bc6b0ef5807a8d4e

  • C:\UserDot89\aoptisys.exe

    Filesize

    2.6MB

    MD5

    7560067944a38249fd8670412aeca31f

    SHA1

    9fca8dc7af74a0aed420ff26bbfcc7e019a608c6

    SHA256

    72573dda3b87556fa8ece2dd045242b94ac100abe54051626ba311e40e3290d4

    SHA512

    42028237540dbf63287f55ec6c4d2f30b6bf23b89929bc1ea0d0bd9c49bbdacabd0e81baf16cb2a284cf54e6e21efa1e36921529ca77ce22697c9fc7aeccce51

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    173B

    MD5

    041d6583498f1dab01af8a454727ea0c

    SHA1

    8ad79df559b9c5f56c2787eecb1b3e7e7b58afd6

    SHA256

    5eae1d26f12c49bb8d7316fffd6d748c45ef750bfb7e55629fba9c2077c5ed18

    SHA512

    ddefdf905403547190b27a437db4c2384b489f663d118711d4d9ba441097362da36a11b6f3477a80927f84f0b4c0b3470f4711ffe135c2d6096bae2bd4c1f167

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    205B

    MD5

    c9cab8ce387b3b75461548302c1480f4

    SHA1

    81a5dafc2ea60dd95d32b7604312e2fa7e0e608d

    SHA256

    c5927949d2bcffe9c0d4e2cccfdfce4a2b4209bff2baf58392010e80cdc96d1d

    SHA512

    c4ac36a7c8966896280871b1d926c459b060e312d9e6e59e4e7d5967aa6c59299ab29e6f00bc70cf3d050ffcdaef326725c02304ec8be1135d78e2708d54491d

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe

    Filesize

    2.6MB

    MD5

    658c3ce00b6d4f2c9dcc6dab67c0e95c

    SHA1

    458724a6eeaf14a9c3e3ee4d0582adbeb2f3c23c

    SHA256

    85070d4813acc4148e7cee40ca3cefb7a14c82ba0156720be1d930872461c10a

    SHA512

    249a96928f07188238a5f12685803bfc7df72d928e7ca1f3a8a2719c19f44f4a894c3e62e6c8576d7eaabc3691c3871e14c33a1bf06bf932c7aa50d3ee19700d