Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 119s
- max time network: 16s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 17/08/2024, 01:50
Static task
- static1
Behavioral task
- behavioral1: sample 263e6b643b25619cffed711bfff69b30N.exe, resource win7-20240708-en (the run shown in this report)
Behavioral task
- behavioral2: sample 263e6b643b25619cffed711bfff69b30N.exe, resource win10v2004-20240802-en
General
- Target: 263e6b643b25619cffed711bfff69b30N.exe
- Size: 2.7MB
- MD5: 263e6b643b25619cffed711bfff69b30
- SHA1: c45cb71e0444e66979eef1b5f93d656294f84804
- SHA256: b4e0cce8d4e9d33a2b5624e2815da906ddd60614696a7bdc5b4fd585ac4b87ef
- SHA512: c7160ad2bd2a0a9e768469902d6f95615d77081d2bf6becdb0fc874489ba3a61f49cd9411664a853c3649395d9840303cb6512e3e54d00a6a2b2812c22cfa04f
- SSDEEP: 49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBM9w4Sx:+R0pI/IQlUoMPdmpSp+4
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 1324, process xoptiec.exe
- Loads dropped DLL (1 IoC)
  pid 2404, process 263e6b643b25619cffed711bfff69b30N.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvF3\\xoptiec.exe" (process 263e6b643b25619cffed711bfff69b30N.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZFV\\bodxsys.exe" (process 263e6b643b25619cffed711bfff69b30N.exe)
  Both values share the name Parametr and point at executables in non-standard top-level directories (C:\SysDrvF3\ and C:\LabZFV\) rather than an install location. Only xoptiec.exe is launched during this run; the RunOnce target bodxsys.exe does not appear in the process tree, so it is staged to run at the user's next logon instead.
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process 263e6b643b25619cffed711bfff69b30N.exe)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process xoptiec.exe)
  Many benign programs read this key during locale initialization, so by itself it is a weak indicator; it becomes meaningful only if the sample's behaviour is shown to depend on the result.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  64 process-enumeration events attributed to pid 2404 (263e6b643b25619cffed711bfff69b30N.exe) and pid 1324 (xoptiec.exe): both the dropper and the dropped binary enumerate running processes repeatedly throughout the run.
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 2404 (263e6b643b25619cffed711bfff69b30N.exe) wrote to memory of PID 1324 (xoptiec.exe), procid_target 30, recorded four times.
  Every write goes from the parent into the child it has just started; no write into a pre-existing or unrelated process is recorded, so this is consistent with process launch rather than injection into another process.
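The two Run/RunOnce writes above are the persistence mechanism worth hunting for on other hosts. The following Python is an added example, not part of this tria.ge report and not code from the sample or its author. It takes Sysmon-style registry SetValue records (assumed field names Image, TargetObject, Details, as in Event ID 13) and flags autostart values whose executable lives outside the expected install roots, with a stronger reason when the directory sits directly under the drive root, as C:\SysDrvF3\ and C:\LabZFV\ do here. The first two records reproduce this report's IoCs; the benign records and the EXPECTED_ROOTS list are constructed assumptions.

```python
"""Flag Run/RunOnce autostart entries that point at unusual locations.

Added example; not code from tria.ge or from the sample's author. Input is a
list of Sysmon-style registry SetValue records (Event ID 13: Image,
TargetObject, Details) as plain dicts. The first two sample records reproduce
the two Run/RunOnce IoCs from this report; the rest are constructed benign
entries for contrast.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Match the classic per-user or per-machine autostart keys, whether the key is
# written as a native NT path (\REGISTRY\USER\...) or a Sysmon path (HKU\...).
AUTORUN_KEY = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\"
    r"(Run|RunOnce|RunServices|RunServicesOnce)\\([^\\]+)$",
    re.IGNORECASE,
)

# Roots where installed autostart binaries normally live. Assumption: tune this
# to the estate's software baseline; anything else is reported for review.
EXPECTED_ROOTS = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\windows\\",
    "c:\\programdata\\",
)


@dataclass
class Finding:
    process: str
    key: str         # Run, RunOnce, ...
    value_name: str
    path: str
    reason: str


def executable_path(details: str) -> Optional[str]:
    """Pull the executable path out of a Run value's data.

    Sandbox reports often escape each backslash twice; collapse those first,
    then take the first drive-rooted path ending in .exe, ignoring any
    trailing command-line arguments.
    """
    text = details.replace("\\\\", "\\")
    m = re.search(r'([A-Za-z]:\\[^"]*?\.exe)(?=["\s]|$)', text, re.IGNORECASE)
    return m.group(1) if m else None


def check_autorun_event(event: dict) -> Optional[Finding]:
    """Return a Finding if this SetValue event creates a suspicious autostart."""
    m = AUTORUN_KEY.search(event["TargetObject"])
    if not m:
        return None                      # not an autostart key
    path = executable_path(event["Details"])
    if path is None:
        return None                      # no executable in the value data
    norm = path.lower()
    if norm.startswith(EXPECTED_ROOTS):
        return None                      # lives under a normal install root
    reason = "autostart binary outside expected install roots"
    # A directory sitting directly under the drive root that is not a known one
    # is the pattern this sample shows (C:\SysDrvF3\, C:\LabZFV\).
    parts = norm.split("\\")
    if len(parts) == 3:
        reason = "autostart binary in unknown top-level directory " + parts[1]
    return Finding(event["Image"], m.group(1), m.group(2), path, reason)


def scan(events: List[dict]) -> List[Finding]:
    """Run check_autorun_event over a batch of records, keeping the hits."""
    return [f for f in (check_autorun_event(e) for e in events) if f]


SID = "S-1-5-21-940600906-3464502421-4240639183-1000"
SAMPLE_EVENTS = [
    # Records reproducing the two IoCs from this report.
    {"Image": "263e6b643b25619cffed711bfff69b30N.exe",
     "TargetObject": "\\REGISTRY\\USER\\" + SID
     + "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Parametr",
     "Details": '"C:\\\\SysDrvF3\\\\xoptiec.exe"'},
    {"Image": "263e6b643b25619cffed711bfff69b30N.exe",
     "TargetObject": "\\REGISTRY\\USER\\" + SID
     + "\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Parametr",
     "Details": '"C:\\\\LabZFV\\\\bodxsys.exe"'},
    # Constructed benign records for contrast (assumed vendor paths).
    {"Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetObject": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorAgent",
     "Details": '"C:\\Program Files\\Vendor\\agent.exe" --tray'},
    {"Image": "C:\\Windows\\explorer.exe",
     "TargetObject": "HKU\\" + SID
     + "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden",
     "Details": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.process}: {f.key}\\{f.value_name} -> {f.path} ({f.reason})")
```

Run as a script it reports the two entries from this sample and nothing for the benign records. In practice feed it the parsed Sysmon events from a SIEM export and extend EXPECTED_ROOTS to the estate's baseline; AppData-hosted updaters are deliberately left outside the roots so they surface for review rather than being silently accepted.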
Processes
- C:\Users\Admin\AppData\Local\Temp\263e6b643b25619cffed711bfff69b30N.exe (PID 2404)
  Command line: "C:\Users\Admin\AppData\Local\Temp\263e6b643b25619cffed711bfff69b30N.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\SysDrvF3\xoptiec.exe (PID 1324, child of 2404)
    Command line: C:\SysDrvF3\xoptiec.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.7MB
  MD5: d010912d7d8c9a46390c46b846baf674
  SHA1: 4a1b8367b0bb801091c29d783e4f17e8dbbb6ca3
  SHA256: 6fcb80ee281ccdb512d8e5fce173ec5e9f8f0c7e19fec5fad5394fa7029ff296
  SHA512: a5026b5e74c7a76584a2d9952a9a475e66cf9b3cc635771976d431f083cca504bb9bee54549fefae251c270568fb415bd67c0119058b5f5ebaebdfa516e0132a
- Filesize: 201B
  MD5: e3d2f9ce91cad7af7db5ad1a18042759
  SHA1: 1f756ccea192f989c3ac01d128ccb60f5749868a
  SHA256: d22d140438e30084134f20a968d5a14ad889603c082709c8fb002b1fc7739bbb
  SHA512: 69fc8d2f8e2518a8c6ed54c41186bd9a26097c77023af8ac2b6fec601a9b34c75c60b87c5aaef425597bd683ed21731e70432f3fd83e4c4d78db2d1b32b843be
- Filesize: 2.7MB
  MD5: e24bb1b8ad2e5903a1b6e7e1f1d7c260
  SHA1: f429181d78dbf00b587914ad1c948ab5246ac893
  SHA256: 40f56794c6de982c8db9f835c734f145a91ef433b1198f1e69f43f5c34c78a3a
  SHA512: 8eca80604985db5643f5ec9d6fb6a971b5b2c9ab5960fb86a850c8fe9d19d1c1b604c7fe69193ba155dc735cb891f3feff0460b2fc5598972bc77c7678ed10f6