Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    17/08/2024, 04:38 UTC

General

  • Target
    c0191c5e81c1630f559fe85f9089b7aefef05d38b7a220ca7c8a665aa19e8e2a.exe
  • Size
    2.6MB
  • MD5
    7b85aff2eabe47a3af5ecabbafd173d7
  • SHA1
    ea0e78441c5cb5968b424d77aeb7c07dca43e4d9
  • SHA256
    c0191c5e81c1630f559fe85f9089b7aefef05d38b7a220ca7c8a665aa19e8e2a
  • SHA512
    5e58548bde67e8fb786c76c87e8b32f23db14300b4c8e746ad387e7e7f764ffd79197d46ddecf570ad4c75542aee70c8baff9438a1f903f47d2c819d00e7b13f
  • SSDEEP
    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBqB/bS:sxX7QnxrloE5dpUpRb

Malware Config

Signatures

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser credential store.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim host in order to infer its geographical location.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c0191c5e81c1630f559fe85f9089b7aefef05d38b7a220ca7c8a665aa19e8e2a.exe
    "C:\Users\Admin\AppData\Local\Temp\c0191c5e81c1630f559fe85f9089b7aefef05d38b7a220ca7c8a665aa19e8e2a.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2368
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2168
    • C:\SysDrvLX\devoptisys.exe
      C:\SysDrvLX\devoptisys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2824

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Mint8J\boddevloc.exe
    Filesize: 2.6MB
    MD5: 35c19a676d20627ee2991f89253fe154
    SHA1: fbe86f15816a4f2a1d1eb2de11c8f323620d4441
    SHA256: 3a50991056b7719c4569190bccf5ef92715512176e68ec464f040168e55ebbd2
    SHA512: d40cf42c495f49d25d86708e44c0b54a42b7aba37730a49a4422cd943f6600e17d15e12a5b20e0e68f0327116578f96e22680aa8a56f705d054362e4d0f99fa7

  • C:\Mint8J\boddevloc.exe
    Filesize: 303KB
    MD5: 27fa4bdceea3629952986eb7b916f150
    SHA1: 521368a648bc7df3ef1e96204ce54c69f0a18b24
    SHA256: 8d569cf61c3fb3705ac5098b925528b52de8535a3dd96c3ea38763ddd4857f78
    SHA512: cc7ff1578926aed2ab285875205ca55d5e24ae36df2c091fdb62693a626757ab0a83078403cb00a918b5c90dd1a7b2954e82d210ff217cde379f00d3a2cd49c1

  • C:\SysDrvLX\devoptisys.exe
    Filesize: 65KB
    MD5: d58e75dec58b0b30d5f6a564b3dc23e0
    SHA1: 4a9a39a559823566faf88706593999e8379cb819
    SHA256: c8e0196d78f084b9f29d58319b532b59746e2ab432aab8bcce8570dbdb347d05
    SHA512: c6076b935473b11dc9771ec8f6307a0b4e8d14503cdc97e9c449905844e3e197f9503e5f64e8d28cc02a3c28a3a1357505825eb3accd54930789e9dba072b676

  • C:\SysDrvLX\devoptisys.exe
    Filesize: 2.6MB
    MD5: 619d6132951664f8e26e852ea16226ae
    SHA1: adfeb89d7ed6072f75c6046713c9b774f7333605
    SHA256: 927040333daf2d4c44db528aec5632ea8f0c8365ef8e94a50f4a82cc4e1e26d5
    SHA512: 1c8ac09d9dbbb9b23b0646f7fe1e79323272521e3924c40d7e38b50a2a7f1efd2e9ec21d3a19f49544ce5f64373f1e05b957a4d909d5dddb1ccb32d3379f77a3

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 174B
    MD5: fdb34838e63504762721bfdc5d55c974
    SHA1: 7aa199a26a94df8f6f3e45456295bd041f28bb96
    SHA256: 9dabc0c2c8bf317afe75448cfb064df145e3b3272fca9ec1462f7bf3a6b7cb37
    SHA512: faa81b62e0257be15b17494adb48c32e8039b5d568eb6ce2b2709a55cbe98066694e467ddd17def6540df99973af1ed02cd871a899019e588158d5b35b3005a5

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 206B
    MD5: 888b92022e48af4b444dd999cc44dbc9
    SHA1: 3cc7f8d28fdd5086bbb01b6617c44bd357ad4807
    SHA256: dbf22c0cb53c28e07b6ad6fcede295491e6898dfead98c5001ce2fcdf69676ef
    SHA512: 04dcb575bdc8d7b85c2863be0a659799e139cbe6c082f5e5b9a00dd01dc4f652d6179342d8474bedd1879ce05daa78fba7a1765573c2896a50f76e10ebbcd728

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
    Filesize: 2.6MB
    MD5: 375dbe7d0751ba5ca5de4bd533a7d0ee
    SHA1: aaadcf449c8282f25abd722ac73dbad4aac29ee4
    SHA256: 6b93053d5685825a1f9e06d3daa49e57ddff638f452a111abb32fbc2cea3f9d5
    SHA512: 73e8e7693045f4d10e1d680b6883668c906c5336c342bb12eeda28bc0b16aab807099855f3e6ab5eb07a0dc32c7b8d063b11e60075e2ad55fc1594f8f2fc3cf0