Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
Max time kernel: 150s
Max time network: 123s
Platform: windows7_x64
Resource: win7-20240705-en
Resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
Submitted: 06/08/2024, 19:27
Static task: static1

Behavioral task: behavioral1
  Sample: 1e147da0e92bdeecdbf81af8a663496ddf0b0eaa2bb8a6fe1e354d1e02fd1ea7.exe
  Resource: win7-20240705-en

Behavioral task: behavioral2
  Sample: 1e147da0e92bdeecdbf81af8a663496ddf0b0eaa2bb8a6fe1e354d1e02fd1ea7.exe
  Resource: win10v2004-20240802-en
General
Target: 1e147da0e92bdeecdbf81af8a663496ddf0b0eaa2bb8a6fe1e354d1e02fd1ea7.exe
Size: 3.9MB
MD5: 130ce263810502ef67b195be63833750
SHA1: b7549d4be7e7a5fbc4aae431563882caf1ebd140
SHA256: 1e147da0e92bdeecdbf81af8a663496ddf0b0eaa2bb8a6fe1e354d1e02fd1ea7
SHA512: 1c450d0d7ddb74e034c76768229a7923ae4cc8654df373c2903a7a04a4c9343d761bbdc4506bc0c514800c73831b4cd0a94903bb0eb05922fb85e467f316699c
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBxB/bSqz8:sxX7QnxrloE5dpUp2bVz8
Malware Config
Signatures

- Credentials from Password Stores: Credentials from Web Browsers (1 TTP)
  Malicious access to, or copy of, a web browser credential store.

- Drops startup file (1 IoC)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | 1e147da0e92bdeecdbf81af8a663496ddf0b0eaa2bb8a6fe1e354d1e02fd1ea7.exe

- Executes dropped EXE (2 IoCs)
  pid | Process
  2808 | ecaopti.exe
  2652 | devoptiec.exe

- Loads dropped DLL (2 IoCs)
  pid | Process
  2024 | 1e147da0e92bdeecdbf81af8a663496ddf0b0eaa2bb8a6fe1e354d1e02fd1ea7.exe
  2024 | 1e147da0e92bdeecdbf81af8a663496ddf0b0eaa2bb8a6fe1e354d1e02fd1ea7.exe

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar secrets.

- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot59\\devoptiec.exe" | 1e147da0e92bdeecdbf81af8a663496ddf0b0eaa2bb8a6fe1e354d1e02fd1ea7.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintZB\\optixec.exe" | 1e147da0e92bdeecdbf81af8a663496ddf0b0eaa2bb8a6fe1e354d1e02fd1ea7.exe

- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | devoptiec.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1e147da0e92bdeecdbf81af8a663496ddf0b0eaa2bb8a6fe1e354d1e02fd1ea7.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ecaopti.exe

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  2024 | 1e147da0e92bdeecdbf81af8a663496ddf0b0eaa2bb8a6fe1e354d1e02fd1ea7.exe (2 entries)
  2808 | ecaopti.exe (remaining entries alternate between this row and the next)
  2652 | devoptiec.exe

- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 2024 wrote to memory of 2808 | 2024 | 1e147da0e92bdeecdbf81af8a663496ddf0b0eaa2bb8a6fe1e354d1e02fd1ea7.exe | 30
  PID 2024 wrote to memory of 2808 | 2024 | 1e147da0e92bdeecdbf81af8a663496ddf0b0eaa2bb8a6fe1e354d1e02fd1ea7.exe | 30
  PID 2024 wrote to memory of 2808 | 2024 | 1e147da0e92bdeecdbf81af8a663496ddf0b0eaa2bb8a6fe1e354d1e02fd1ea7.exe | 30
  PID 2024 wrote to memory of 2808 | 2024 | 1e147da0e92bdeecdbf81af8a663496ddf0b0eaa2bb8a6fe1e354d1e02fd1ea7.exe | 30
  PID 2024 wrote to memory of 2652 | 2024 | 1e147da0e92bdeecdbf81af8a663496ddf0b0eaa2bb8a6fe1e354d1e02fd1ea7.exe | 31
  PID 2024 wrote to memory of 2652 | 2024 | 1e147da0e92bdeecdbf81af8a663496ddf0b0eaa2bb8a6fe1e354d1e02fd1ea7.exe | 31
  PID 2024 wrote to memory of 2652 | 2024 | 1e147da0e92bdeecdbf81af8a663496ddf0b0eaa2bb8a6fe1e354d1e02fd1ea7.exe | 31
  PID 2024 wrote to memory of 2652 | 2024 | 1e147da0e92bdeecdbf81af8a663496ddf0b0eaa2bb8a6fe1e354d1e02fd1ea7.exe | 31
Processes
1. C:\Users\Admin\AppData\Local\Temp\1e147da0e92bdeecdbf81af8a663496ddf0b0eaa2bb8a6fe1e354d1e02fd1ea7.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1e147da0e92bdeecdbf81af8a663496ddf0b0eaa2bb8a6fe1e354d1e02fd1ea7.exe"
   PID: 2024
   - Drops startup file
   - Loads dropped DLL
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe (child of PID 2024)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
      PID: 2808
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

   2. C:\UserDot59\devoptiec.exe (child of PID 2024)
      Command line: C:\UserDot59\devoptiec.exe
      PID: 2652
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 100KB
  MD5: d979ae5cdca31e25dfc617d02e9452ef
  SHA1: 504e2186364fe6330ce6c587449ba8a70f7f8213
  SHA256: 8ba7b412d08b4d7fcbb622c06df35188acfd5cb720e4ba793f1be9324a33ac0e
  SHA512: b7df695febda38aa2aa68dcfc3997d073463eadf15c0da8e63656350d550f9d0e8b7ba050e09fe48369b8f87f2f5e23923c2fa41b50ee172b992379fade25f94

- Filesize: 3.9MB
  MD5: 9eeb2a78f056a0dee679c8937474965f
  SHA1: 2f4b674826190a5092f4e38afd288b3a8d957050
  SHA256: b61d231c36f2f9d2ee3f4c7fe35fc4fbbfe4e66405913243b9030c2e053b4bde
  SHA512: 7a1085f959c9194952b443639bef7d1e22f69e264927b0530f0d0859a4bdfc757b6dd60c0197eef0a0721eae08cfb67a498eba088d33cae51e287990cc9de91c

- Filesize: 2.4MB
  MD5: e9261f7fdcb833752ac7b31d571cc00e
  SHA1: 6dfd76366b21490b0b869a04c17b05540ab71b14
  SHA256: 4a4cd8774209fa1e805583a7de54c0a823c8c117c2379d3a9513eb3bdf18fe60
  SHA512: 62c1d45034f87074bad15c33de43dff068a6e94ed4a2596937b338521a1b7aaf14636339db84b86c59753b98b98efd7245fff2cc287caf6247a97633b90b79ab

- Filesize: 172B
  MD5: dec56a33dc6cfcc0db5f61d5424e572d
  SHA1: 58d9423dbe04f17c7b1902a36f8be9e9eb96607e
  SHA256: 72671c5e8ca6e994b017d8613b1fa1495c4b0538926d6d0698241242f6e3139e
  SHA512: 88009aa325a0dd985f1660f02425c87e0dd95d5474ca33d0e33bb4a8588bdb98965c0a5f1b3e0e83cf405a764e66390a3c2cfae4cb2e04392b000e286243b78c

- Filesize: 204B
  MD5: 3b45fb2424bdd91994f12d1fee8b2178
  SHA1: 9c7ca533ecd25954a499227a5c78cc23c8069829
  SHA256: e787d88a59ef5e272e5abcac744a580778fce59e8278484c8082903837516980
  SHA512: 84fb82c7190f40ec5a314a480d14d2cc92c51f1f8c3fb69fb1c8260ecab2d2f477a845219456d9d06e6aa161d5df0e5e8abc3660ca7945679f39e03504bc8290

- Filesize: 3.9MB
  MD5: 29af8a207738c3d5de7873ca4fd587c8
  SHA1: cab81fbd7f382aa040f673a50e73bac45461f1b2
  SHA256: 07462cd9dc3d36cec10cb3423bc10d79ab52912606792a9ba4752c62ca6c5f11
  SHA512: ec9c8ace930f500c2f4341467e4fd233e085fab73900ac126e592d48220893c46969ecc2a896aba1cec644aa245fbb0c2fad2d58ce845824772922e3523cba3d

- Filesize: 3.9MB
  MD5: 17925a6d862c0312cfa7f2db243af5a6
  SHA1: 51a680c4cc7b52b07ce4d89304dc7a40289c1912
  SHA256: 32db75ada5e7e79b10b8c7fd0e764f7d41b4dd95d2b052fc15d068288b834fec
  SHA512: d0cf54169aff19785a5912b52f98c35762384e80b047f7117e148b3c9d161120ca6f5f37ac429e816a863ec51fe56d7aa722abf19a1c0ccf21222021a53679ab