Analysis
- max time kernel: 149s
- max time network: 94s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08/08/2024, 22:54
Static task: static1
Behavioral task: behavioral1
  Sample: 78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe
  Resource: win10v2004-20240802-en
The results below are from behavioral2 (platform windows10-2004_x64, resource win10v2004-20240802-en); the win7 run is not shown on this page.
General
- Target: 78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe
- Size: 2.7MB
- MD5: f4c15e4237f6e469c43c0e960221427e
- SHA1: 905870f4120e5952128f7a77411b89ea4c21c6b8
- SHA256: 78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c
- SHA512: 13e1be3f3b49581c091c09cc0ec078c09c80b36b5ca8c989f5bcb3e62a4655d213e598e9d37bd64f09f444508f313c1726006ed09fa6dffba30de857b44a47cc
- SSDEEP: 49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB09w4S+:+R0pI/IQlUoMPdmpSpe4X
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 5028  aoptiec.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str)  \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeYY\\aoptiec.exe"  written by 78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZJU\\optiaec.exe"  written by 78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe
  Note: the Run value points at the executable dropped and launched in this run (C:\AdobeYY\aoptiec.exe). The RunOnce value uses the same value name but points at C:\LabZJU\optiaec.exe, a directory and file name that appear nowhere else in this report.
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by 78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by aoptiec.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  All 64 hits come from the same two processes, alternating between pid 1492 (78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe) and pid 5028 (aoptiec.exe).
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 1492 (78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe) wrote to memory of PID 5028 (procid_target 86), recorded three times.
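As an added triage helper, not part of the tria.ge report or of the sample's code: the script below parses the two Run/RunOnce IoCs above in the flattened form the report prints them, converts the kernel-style \REGISTRY\USER key into the HKU form that reg.exe and PowerShell accept for checking a live host, and flags what a responder would want to confirm: the autostart target lives outside the usual program directories, and the RunOnce value points at C:\LabZJU\optiaec.exe rather than the file actually dropped in this run. The trusted-directory list, the finding strings and all function names are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Constructed input: the two registry IoCs from the "Adds Run key to start
# application" signature above, copied in the flattened
#   Set value (str) <key>\<value name> = "<data>" <writing process>
# form in which the report prints them (backslashes in <data> are doubled).
REPORT_IOCS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeYY\\aoptiec.exe" 78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZJU\\optiaec.exe" 78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe',
]

# Path of the executable the report shows being dropped and run (pid 5028).
DROPPED_EXE = r"C:\AdobeYY\aoptiec.exe"

# Assumption for this example: autostart targets under these roots are treated
# as expected and anything else is flagged. Tune for the environment being hunted.
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

# key = everything up to the last path component, name = that last component,
# data = the quoted value, proc = the process that wrote it.
IOC_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) '
    r'(?P<key>\\REGISTRY\\[^=]+?)\\(?P<name>[^\\=]+) = "(?P<data>.*)" (?P<proc>\S+)$'
)


@dataclass
class AutorunIoc:
    key: str          # registry key in kernel \REGISTRY\... notation
    value_name: str   # value written under that key
    target: str       # command the value points at, report escaping undone
    writer: str       # process that wrote it
    kind: str         # last key component: "Run" or "RunOnce"


def parse_autorun_ioc(line: str):
    """Parse one flattened 'Set value' IoC line; return None if it is not one."""
    m = IOC_RE.match(line)
    if not m:
        return None
    key = m.group("key")
    return AutorunIoc(
        key=key,
        value_name=m.group("name"),
        target=m.group("data").replace("\\\\", "\\"),
        writer=m.group("proc"),
        kind=key.rsplit("\\", 1)[-1],
    )


def to_hku_path(key: str) -> str:
    """Turn \\REGISTRY\\USER\\<SID>\\... into HKU\\<SID>\\... for reg.exe / PowerShell."""
    prefix = "\\REGISTRY\\USER\\"
    if not key.upper().startswith(prefix):
        raise ValueError("not a \\REGISTRY\\USER key: " + key)
    return "HKU\\" + key[len(prefix):]


def assess(ioc: AutorunIoc, dropped_exe: str = DROPPED_EXE) -> list:
    """Return the reasons this autostart entry deserves attention (empty = none)."""
    findings = []
    target = ioc.target.lower()
    if not target.startswith(TRUSTED_PREFIXES):
        findings.append("target outside trusted program directories")
    if target != dropped_exe.lower():
        findings.append("target is not the executable dropped in this run")
    if ioc.kind == "RunOnce":
        findings.append("RunOnce: Windows deletes the value after it runs, so check before reboot")
    return findings


def triage(lines) -> dict:
    """Map each parsed IoC's kind (Run / RunOnce) to its list of findings."""
    result = {}
    for line in lines:
        ioc = parse_autorun_ioc(line)
        if ioc is not None:
            result[ioc.kind] = assess(ioc)
    return result


if __name__ == "__main__":
    for line in REPORT_IOCS:
        ioc = parse_autorun_ioc(line)
        print(to_hku_path(ioc.key), ioc.value_name, "->", ioc.target)
        for finding in assess(ioc):
            print("   !", finding)
```

Run as-is it prints both entries with their HKU paths and findings; the Run entry is flagged only for its location, the RunOnce entry also for pointing at a file the report never shows being written. On a live host the HKU path and value name are what you would query with reg.exe to confirm or clear the persistence.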
Processes
- PID 1492  (depth 1)
  Image: C:\Users\Admin\AppData\Local\Temp\78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - PID 5028  (depth 2, child of 1492)
    Image: C:\AdobeYY\aoptiec.exe
    Command line: C:\AdobeYY\aoptiec.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.7MB
  MD5: 3f9e68b92661d50ad2edbf8b98a0144e
  SHA1: 61c38a27265f6ab7d6f3909ef4b4c7a4983c2053
  SHA256: 979cca1b467458f3f6f734297c0da04a69cdbac22b2baad56cfc45801b43678b
  SHA512: b760bff9ea8918c3b3e952efcc2125adbd080bcd27106093168145cb9e17d5c219f20648d8da122a01583e3c8db9969ded55870b3c316a34451d09f7d1571842
- Filesize: 2.7MB
  MD5: 360d07be5fb5551dbef371eac740b5dd
  SHA1: 1322e6ae55be3e29dd4642e61616dda59d158e81
  SHA256: 4a6290cabe890093b68e37a3e51bdbaab8c795ec027fcfd6a002df7df9fabda9
  SHA512: 0c1c962b9ef9e2e34f412848e69b7c7b2d0f2e8e0a40ad85f175fef751973ed7be7a670aaa61c03e9fd2280f179bd874573c8d7a913c5d10d888d3d5c834611c
- Filesize: 193B
  MD5: abf77aefe4cc81f084a001b660784a57
  SHA1: a5724af3bd767dcee99756b111aecd2da4b296aa
  SHA256: 391656ea4c90cd0da3708a4fb846933a5d3a96cd36a7be8b6df60aa8eb90f93b
  SHA512: 101fd294a0ca0ea95004bc1e900c79a600c961c1ef55bd0fb3dac32cd3a222fe1b1f920faa09e8888385486b9dee34f85b259312f3d77d71d01b1ea8c5e2411d
The page does not name these files. Both 2.7MB artifacts match the submitted sample in size but differ from it, and from each other, in every hash, so each is a distinct file rather than a straight copy of the sample.