Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
17/08/2024, 22:49
Static task
static1
Behavioral task
behavioral1
Sample
5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2.exe
Resource
win10v2004-20240802-en
General
-
Target
5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2.exe
-
Size
2.7MB
-
MD5
b63b8a778bf6d9c311b3c0c171a5867f
-
SHA1
741363ee8214d61ae3fb9d52c545c395ed4ff4c2
-
SHA256
5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2
-
SHA512
42a74fcc35ec5a36ebb4abed007ee393ba51d395be122b197fabd151d38e25ac387367b7ae22ee61f95994a8810023a0c31a08d7084c6275dcc9e70f8d6dd8f6
-
SSDEEP
49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBL9w4Sx:+R0pI/IQlUoMPdmpSpX4
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 748 xoptiec.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesFA\\xoptiec.exe" 5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2.exe Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxEJ\\optidevsys.exe" 5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xoptiec.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1428 5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2.exe 1428 5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2.exe 1428 5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2.exe 1428 5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2.exe 748 xoptiec.exe 748 xoptiec.exe 1428 5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2.exe 1428 5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2.exe 748 xoptiec.exe 748 xoptiec.exe 1428 5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2.exe 1428 5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2.exe 748 xoptiec.exe 748 xoptiec.exe 1428 5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2.exe 1428 5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2.exe 748 xoptiec.exe 748 xoptiec.exe 1428 5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2.exe 1428 5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2.exe 748 xoptiec.exe 748 xoptiec.exe 1428 5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2.exe 1428 5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2.exe 748 xoptiec.exe 748 xoptiec.exe 1428 5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2.exe 1428 5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2.exe 748 xoptiec.exe 748 xoptiec.exe 1428 5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2.exe 1428 5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2.exe 748 xoptiec.exe 748 xoptiec.exe 1428 5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2.exe 1428 5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2.exe 748 xoptiec.exe 748 xoptiec.exe 1428 5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2.exe 1428 5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2.exe 748 xoptiec.exe 748 xoptiec.exe 1428 5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2.exe 1428 5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2.exe 748 xoptiec.exe 748 xoptiec.exe 1428 5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2.exe 1428 5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2.exe 748 xoptiec.exe 748 xoptiec.exe 1428 5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2.exe 1428 5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2.exe 748 xoptiec.exe 748 xoptiec.exe 1428 5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2.exe 1428 5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2.exe 748 xoptiec.exe 748 xoptiec.exe 1428 5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2.exe 1428 5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2.exe 748 xoptiec.exe 748 xoptiec.exe 1428 5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2.exe 1428 5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 1428 wrote to memory of 748 1428 5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2.exe 90 PID 1428 wrote to memory of 748 1428 5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2.exe 90 PID 1428 wrote to memory of 748 1428 5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2.exe 90
Processes
-
C:\Users\Admin\AppData\Local\Temp\5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2.exe"C:\Users\Admin\AppData\Local\Temp\5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1428 -
C:\FilesFA\xoptiec.exeC:\FilesFA\xoptiec.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:748
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.7MB
MD5713ef9692f95d1602ff5b6142733c0f5
SHA1ef03f841c5cc33a5c30c699f76c922145bc79f66
SHA25647227c3bd01bd12a832e016f1e4fcb5dcd779d38bfa5bd7dd230a5d83f19ba6f
SHA5122481a80acaac28f82f0adfe4be7697e47bf91db0e8cf5e23d33ad614ad44d05e363f89428152cba17682954536b955782bf715dea4d37321bc608f65449317e7
-
Filesize
9KB
MD5676d55289ebe3b95f7296c256f4e82c2
SHA1e60fbfe20f6dd5e273a0227788c9737ab9d0dc40
SHA2564867ed928df39dede7eab002d04b85c682bda0ce96a32a6a33727628533d99db
SHA512f22d87cd5f6b42194b6e873536fa1708a76308c650bbac952cbbe2e1ff6d7ec7e3dd9d2fc548fcde369b32f35c3cf65558db74c57f1b0e0b1ffa1edffbb007db
-
Filesize
2.7MB
MD5952f554821f3b24cd885a4f2e00a80d8
SHA1bd8291d25b644bf1dfc5baf64f11adcd2d96c809
SHA25602e5e119bba3f65fd73f144f690569e5dbc19f2be754bb782b9d6c6e466b5aca
SHA512e24f0fa8500eaddbfa3f7984555cb0e09e1e683c91afd9cf986ae3642f951a89424430cec027c75975441ec0aa112f6a7b206455621db5ffb5822dc73100d8a0
-
Filesize
204B
MD5611b64fa155e6d6cfbbf96b3f56c7110
SHA101ef503943cf46ab5f0e02e4be95241d6523ba92
SHA2562d370b18b6914720e2683ad595793febbaaf9bfa3532fc43ce4338d290c94acf
SHA512262d70109ebbc6b8e150f742588df52db98ff1d11a701b6c5ba3db7c7edb340dcaaf4dc84a09b2b4a244d64f90155ea98a834bc6df9f70153299664ce5344dd9