Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
  max time kernel: 119s
  max time network: 17s
  platform: windows7_x64
  resource: win7-20240708-en
  resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  submitted: 06/08/2024, 05:21
Static task: static1
Behavioral task: behavioral1
  Sample: 63846f0545e6163d027a52bd567bb6d0N.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 63846f0545e6163d027a52bd567bb6d0N.exe
  Resource: win10v2004-20240802-en
General
  Target: 63846f0545e6163d027a52bd567bb6d0N.exe
  Size: 2.6MB
  MD5: 63846f0545e6163d027a52bd567bb6d0
  SHA1: e6946c7f988f31b4efb315246147b007ea3675d6
  SHA256: 3033861d0602d6984533979d09984a5c7ae4ff33afcbd45923bd6fb66900551d
  SHA512: ce3896e7ec819730a6722efac618394cb28888bbd5e4bfb143f15af197b88559a6f016604b3eacdd0d4c982bf956b7358dc6c33fdd5fa58433bab4ba71c67d84
  SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBbB/bS:sxX7QnxrloE5dpUpgb
Malware Config
Signatures
  Credentials from Password Stores: Credentials from Web Browsers (1 TTP)
    Malicious access to, or copy of, a web browser credential store.
  Drops startup file (1 IoC)
    description: File created
    ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
    process: 63846f0545e6163d027a52bd567bb6d0N.exe
  Executes dropped EXE (2 IoCs)
    pid 2412  ecadob.exe
    pid 2836  xoptiec.exe
  Loads dropped DLL (2 IoCs)
    pid 1728  63846f0545e6163d027a52bd567bb6d0N.exe
    pid 1728  63846f0545e6163d027a52bd567bb6d0N.exe
  Reads user/profile data of web browsers (2 TTPs)
    Infostealers often target stored browser data, which can include saved credentials.
  Adds Run key to start application (2 TTPs, 2 IoCs)
    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocKW\\xoptiec.exe"
    process: 63846f0545e6163d027a52bd567bb6d0N.exe
    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintWT\\bodaloc.exe"
    process: 63846f0545e6163d027a52bd567bb6d0N.exe
  System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
    description: Key opened
    ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    process: 63846f0545e6163d027a52bd567bb6d0N.exe
    description: Key opened
    ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    process: ecadob.exe
    description: Key opened
    ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    process: xoptiec.exe
  Suspicious behavior: EnumeratesProcesses (64 IoCs)
    pid 1728  63846f0545e6163d027a52bd567bb6d0N.exe  (2 entries)
    pid 2412  ecadob.exe / pid 2836  xoptiec.exe  (remaining 62 entries, alternating between the two)
  Suspicious use of WriteProcessMemory (8 IoCs)
    description: PID 1728 wrote to memory of 2412
    process: 63846f0545e6163d027a52bd567bb6d0N.exe
    procid_target: 30
    (4 identical entries)
    description: PID 1728 wrote to memory of 2836
    process: 63846f0545e6163d027a52bd567bb6d0N.exe
    procid_target: 31
    (4 identical entries)
Processes
  C:\Users\Admin\AppData\Local\Temp\63846f0545e6163d027a52bd567bb6d0N.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\63846f0545e6163d027a52bd567bb6d0N.exe"
    PID: 1728
    - Drops startup file
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
      command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
      PID: 2412
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
    C:\IntelprocKW\xoptiec.exe
      command line: C:\IntelprocKW\xoptiec.exe
      PID: 2836
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 518KB
  MD5: 0b0bb8623cff3cf9d42a3e258d5e8b22
  SHA1: 65f6c1ec2a12c3ee17c62813c965bc82773d4420
  SHA256: f1fa6ebe8c34e9d270ab7eb0a44e81b470aa6441abc828d6c393dfb9b31e93cf
  SHA512: 325ac3eda0702c09e1915b3972aa72f4962d734c87c201fe6d2195211f0f06451976c62aac4197e412469f485fed639fbac7110c7a6c8015c3384ca0a34bb6eb

  Filesize: 2.6MB
  MD5: 654707e5debee6d5116ee795097f6a7c
  SHA1: 4a79927ebd7e42bb9b2e80aad7447392311273c9
  SHA256: 702c982a3b9cc7fb53bb7f988e07a6d6d1ad21836f73ef2c447bcacba0852595
  SHA512: e24ef7f71a6af6394fad68b43ef4f84a8f77da57e6bea577d4640081a78a57c6e3130aebce5d038b066ff04a7d8d8e325b958695ed8b702eea165a47cdbe2a68

  Filesize: 2.6MB
  MD5: 2d996cbe5867e62c02ac621dc7211977
  SHA1: ab2ef2e4d4e214e4601463fc47c9aabd0a05e5c0
  SHA256: 070ca0fdd22d03991c2beca3f83e16a76c62036d1c009ba6e4fcb80f2cf89aea
  SHA512: 440b38af5ae4216d84643535458d0eb66b9ab429de37d77ed77ae7597a4399b644a8b9efef73be16af45498bc110a7cc7d6bbd58690186b15107634aa1b09358

  Filesize: 171B
  MD5: 8a5bbe2e43285960764dce652fdf7add
  SHA1: 259f81adca1c1166a568bb4f3ff78e481fb2f466
  SHA256: 32d26dcc762a33be020a48c2667bcf72dbdd9635fddd6889a59bc78c07d3f7b4
  SHA512: d064738e816350e6a71e6d23308321de19e9ef567fb015cefe82d1aeab1439ba8f83394a453e3c6b36933b6b4374b5af49f5e87987acc02f2412c024a3e1134e

  Filesize: 203B
  MD5: 7bd8c710c7625a1fb2c3aa4e5f87817c
  SHA1: e592cabfa50d3eece648215817153f0fcbf0088a
  SHA256: 0f117279932d9a69805c05dac1981421b20d6c9435c3e360458eb7297249d40e
  SHA512: cf2a889cbff2142c835b41fea42c0855b36c0d9865f23d8722bdb4973f4d00c4d73949cc177706636318256cf4ac03b8ca90f9f7cc40aff76ff439911ef06ccc

  Filesize: 2.6MB
  MD5: 1dd4c9ca846b2b582b553fc109216716
  SHA1: 9b4bf2e07f7909718798663a21ebea2f90c5c09e
  SHA256: 89935b52c380e366949d69048aa1a4029320c48847ff2c06044c38ead45847d3
  SHA512: e862e37d7fa72c0bfb7cb8e2edcbe701360dcce7d4e4dcb869c5b22c16e34e04b73fbe61b968ac209ce6a31e5943d91c6b65302269682100056090bb88005328

  Filesize: 2.6MB
  MD5: 645dfbfd23cba3d1843a8c624f442437
  SHA1: b996f71909ced024bb991cedb586f63557475896
  SHA256: ceaf70cab67dd4de94c4aa8bb7c1c36670bb44858d9e5a7e5aefce55c94c01b3
  SHA512: 63d2fe80520154b2d5c71df794549a2ac560bd05b667fa80ebbf6e8f886cf9d9fdb68475c24ac877b25391a1ba9d0ef5220328bba61d1274dad3b9c37550056b