Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 150s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 17/08/2024, 04:38 UTC
Static task: static1
Behavioral task: behavioral1
  Sample: c0191c5e81c1630f559fe85f9089b7aefef05d38b7a220ca7c8a665aa19e8e2a.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: c0191c5e81c1630f559fe85f9089b7aefef05d38b7a220ca7c8a665aa19e8e2a.exe
  Resource: win10v2004-20240802-en
General
- Target: c0191c5e81c1630f559fe85f9089b7aefef05d38b7a220ca7c8a665aa19e8e2a.exe
- Size: 2.6MB
- MD5: 7b85aff2eabe47a3af5ecabbafd173d7
- SHA1: ea0e78441c5cb5968b424d77aeb7c07dca43e4d9
- SHA256: c0191c5e81c1630f559fe85f9089b7aefef05d38b7a220ca7c8a665aa19e8e2a
- SHA512: 5e58548bde67e8fb786c76c87e8b32f23db14300b4c8e746ad387e7e7f764ffd79197d46ddecf570ad4c75542aee70c8baff9438a1f903f47d2c819d00e7b13f
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBqB/bS:sxX7QnxrloE5dpUpRb
Malware Config
Signatures
- Credentials from Password Stores: Credentials from Web Browsers (1 TTPs)
  Malicious Access or copy of Web Browser Credential store.
- Drops startup file (1 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe (process: c0191c5e81c1630f559fe85f9089b7aefef05d38b7a220ca7c8a665aa19e8e2a.exe)
- Executes dropped EXE (2 IoCs)
  PID 2168: ecxopti.exe
  PID 2824: devoptisys.exe
- Loads dropped DLL (2 IoCs)
  PID 2368: c0191c5e81c1630f559fe85f9089b7aefef05d38b7a220ca7c8a665aa19e8e2a.exe (2 entries)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint8J\\boddevloc.exe" (process: c0191c5e81c1630f559fe85f9089b7aefef05d38b7a220ca7c8a665aa19e8e2a.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvLX\\devoptisys.exe" (process: c0191c5e81c1630f559fe85f9089b7aefef05d38b7a220ca7c8a665aa19e8e2a.exe)
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: c0191c5e81c1630f559fe85f9089b7aefef05d38b7a220ca7c8a665aa19e8e2a.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: ecxopti.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: devoptisys.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2368: c0191c5e81c1630f559fe85f9089b7aefef05d38b7a220ca7c8a665aa19e8e2a.exe (2 entries)
  PID 2168: ecxopti.exe and PID 2824: devoptisys.exe (the remaining 62 entries, alternating between the two processes)
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2368 (c0191c5e81c1630f559fe85f9089b7aefef05d38b7a220ca7c8a665aa19e8e2a.exe) wrote to memory of PID 2168, procid_target 30 (4 entries)
  PID 2368 (c0191c5e81c1630f559fe85f9089b7aefef05d38b7a220ca7c8a665aa19e8e2a.exe) wrote to memory of PID 2824, procid_target 31 (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\c0191c5e81c1630f559fe85f9089b7aefef05d38b7a220ca7c8a665aa19e8e2a.exe (PID:2368)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c0191c5e81c1630f559fe85f9089b7aefef05d38b7a220ca7c8a665aa19e8e2a.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe (PID:2168, child of PID:2368)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\SysDrvLX\devoptisys.exe (PID:2824, child of PID:2368)
    Command line: C:\SysDrvLX\devoptisys.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.6MB
  MD5: 35c19a676d20627ee2991f89253fe154
  SHA1: fbe86f15816a4f2a1d1eb2de11c8f323620d4441
  SHA256: 3a50991056b7719c4569190bccf5ef92715512176e68ec464f040168e55ebbd2
  SHA512: d40cf42c495f49d25d86708e44c0b54a42b7aba37730a49a4422cd943f6600e17d15e12a5b20e0e68f0327116578f96e22680aa8a56f705d054362e4d0f99fa7
- Filesize: 303KB
  MD5: 27fa4bdceea3629952986eb7b916f150
  SHA1: 521368a648bc7df3ef1e96204ce54c69f0a18b24
  SHA256: 8d569cf61c3fb3705ac5098b925528b52de8535a3dd96c3ea38763ddd4857f78
  SHA512: cc7ff1578926aed2ab285875205ca55d5e24ae36df2c091fdb62693a626757ab0a83078403cb00a918b5c90dd1a7b2954e82d210ff217cde379f00d3a2cd49c1
- Filesize: 65KB
  MD5: d58e75dec58b0b30d5f6a564b3dc23e0
  SHA1: 4a9a39a559823566faf88706593999e8379cb819
  SHA256: c8e0196d78f084b9f29d58319b532b59746e2ab432aab8bcce8570dbdb347d05
  SHA512: c6076b935473b11dc9771ec8f6307a0b4e8d14503cdc97e9c449905844e3e197f9503e5f64e8d28cc02a3c28a3a1357505825eb3accd54930789e9dba072b676
- Filesize: 2.6MB
  MD5: 619d6132951664f8e26e852ea16226ae
  SHA1: adfeb89d7ed6072f75c6046713c9b774f7333605
  SHA256: 927040333daf2d4c44db528aec5632ea8f0c8365ef8e94a50f4a82cc4e1e26d5
  SHA512: 1c8ac09d9dbbb9b23b0646f7fe1e79323272521e3924c40d7e38b50a2a7f1efd2e9ec21d3a19f49544ce5f64373f1e05b957a4d909d5dddb1ccb32d3379f77a3
- Filesize: 174B
  MD5: fdb34838e63504762721bfdc5d55c974
  SHA1: 7aa199a26a94df8f6f3e45456295bd041f28bb96
  SHA256: 9dabc0c2c8bf317afe75448cfb064df145e3b3272fca9ec1462f7bf3a6b7cb37
  SHA512: faa81b62e0257be15b17494adb48c32e8039b5d568eb6ce2b2709a55cbe98066694e467ddd17def6540df99973af1ed02cd871a899019e588158d5b35b3005a5
- Filesize: 206B
  MD5: 888b92022e48af4b444dd999cc44dbc9
  SHA1: 3cc7f8d28fdd5086bbb01b6617c44bd357ad4807
  SHA256: dbf22c0cb53c28e07b6ad6fcede295491e6898dfead98c5001ce2fcdf69676ef
  SHA512: 04dcb575bdc8d7b85c2863be0a659799e139cbe6c082f5e5b9a00dd01dc4f652d6179342d8474bedd1879ce05daa78fba7a1765573c2896a50f76e10ebbcd728
- Filesize: 2.6MB
  MD5: 375dbe7d0751ba5ca5de4bd533a7d0ee
  SHA1: aaadcf449c8282f25abd722ac73dbad4aac29ee4
  SHA256: 6b93053d5685825a1f9e06d3daa49e57ddff638f452a111abb32fbc2cea3f9d5
  SHA512: 73e8e7693045f4d10e1d680b6883668c906c5336c342bb12eeda28bc0b16aab807099855f3e6ab5eb07a0dc32c7b8d063b11e60075e2ad55fc1594f8f2fc3cf0