Analysis

  • max time kernel: 150s
  • max time network: 122s
  • platform: windows7_x64
  • resource: win7-20240708-en
  • resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted: 17/08/2024, 04:38

General

  • Target: c0191c5e81c1630f559fe85f9089b7aefef05d38b7a220ca7c8a665aa19e8e2a.exe
  • Size: 2.6MB
  • MD5: 7b85aff2eabe47a3af5ecabbafd173d7
  • SHA1: ea0e78441c5cb5968b424d77aeb7c07dca43e4d9
  • SHA256: c0191c5e81c1630f559fe85f9089b7aefef05d38b7a220ca7c8a665aa19e8e2a
  • SHA512: 5e58548bde67e8fb786c76c87e8b32f23db14300b4c8e746ad387e7e7f764ffd79197d46ddecf570ad4c75542aee70c8baff9438a1f903f47d2c819d00e7b13f
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBqB/bS:sxX7QnxrloE5dpUpRb

Malware Config

Signatures

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, the web browser credential store.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c0191c5e81c1630f559fe85f9089b7aefef05d38b7a220ca7c8a665aa19e8e2a.exe
    "C:\Users\Admin\AppData\Local\Temp\c0191c5e81c1630f559fe85f9089b7aefef05d38b7a220ca7c8a665aa19e8e2a.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2368
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2168
    • C:\SysDrvLX\devoptisys.exe
      C:\SysDrvLX\devoptisys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2824

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Mint8J\boddevloc.exe
    Filesize: 2.6MB
    MD5: 35c19a676d20627ee2991f89253fe154
    SHA1: fbe86f15816a4f2a1d1eb2de11c8f323620d4441
    SHA256: 3a50991056b7719c4569190bccf5ef92715512176e68ec464f040168e55ebbd2
    SHA512: d40cf42c495f49d25d86708e44c0b54a42b7aba37730a49a4422cd943f6600e17d15e12a5b20e0e68f0327116578f96e22680aa8a56f705d054362e4d0f99fa7

  • C:\Mint8J\boddevloc.exe
    Filesize: 303KB
    MD5: 27fa4bdceea3629952986eb7b916f150
    SHA1: 521368a648bc7df3ef1e96204ce54c69f0a18b24
    SHA256: 8d569cf61c3fb3705ac5098b925528b52de8535a3dd96c3ea38763ddd4857f78
    SHA512: cc7ff1578926aed2ab285875205ca55d5e24ae36df2c091fdb62693a626757ab0a83078403cb00a918b5c90dd1a7b2954e82d210ff217cde379f00d3a2cd49c1

  • C:\SysDrvLX\devoptisys.exe
    Filesize: 65KB
    MD5: d58e75dec58b0b30d5f6a564b3dc23e0
    SHA1: 4a9a39a559823566faf88706593999e8379cb819
    SHA256: c8e0196d78f084b9f29d58319b532b59746e2ab432aab8bcce8570dbdb347d05
    SHA512: c6076b935473b11dc9771ec8f6307a0b4e8d14503cdc97e9c449905844e3e197f9503e5f64e8d28cc02a3c28a3a1357505825eb3accd54930789e9dba072b676

  • C:\SysDrvLX\devoptisys.exe
    Filesize: 2.6MB
    MD5: 619d6132951664f8e26e852ea16226ae
    SHA1: adfeb89d7ed6072f75c6046713c9b774f7333605
    SHA256: 927040333daf2d4c44db528aec5632ea8f0c8365ef8e94a50f4a82cc4e1e26d5
    SHA512: 1c8ac09d9dbbb9b23b0646f7fe1e79323272521e3924c40d7e38b50a2a7f1efd2e9ec21d3a19f49544ce5f64373f1e05b957a4d909d5dddb1ccb32d3379f77a3

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 174B
    MD5: fdb34838e63504762721bfdc5d55c974
    SHA1: 7aa199a26a94df8f6f3e45456295bd041f28bb96
    SHA256: 9dabc0c2c8bf317afe75448cfb064df145e3b3272fca9ec1462f7bf3a6b7cb37
    SHA512: faa81b62e0257be15b17494adb48c32e8039b5d568eb6ce2b2709a55cbe98066694e467ddd17def6540df99973af1ed02cd871a899019e588158d5b35b3005a5

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 206B
    MD5: 888b92022e48af4b444dd999cc44dbc9
    SHA1: 3cc7f8d28fdd5086bbb01b6617c44bd357ad4807
    SHA256: dbf22c0cb53c28e07b6ad6fcede295491e6898dfead98c5001ce2fcdf69676ef
    SHA512: 04dcb575bdc8d7b85c2863be0a659799e139cbe6c082f5e5b9a00dd01dc4f652d6179342d8474bedd1879ce05daa78fba7a1765573c2896a50f76e10ebbcd728

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
    Filesize: 2.6MB
    MD5: 375dbe7d0751ba5ca5de4bd533a7d0ee
    SHA1: aaadcf449c8282f25abd722ac73dbad4aac29ee4
    SHA256: 6b93053d5685825a1f9e06d3daa49e57ddff638f452a111abb32fbc2cea3f9d5
    SHA512: 73e8e7693045f4d10e1d680b6883668c906c5336c342bb12eeda28bc0b16aab807099855f3e6ab5eb07a0dc32c7b8d063b11e60075e2ad55fc1594f8f2fc3cf0