Analysis
  max time kernel: 119s
  max time network: 100s
  platform: windows10-2004_x64
  resource: win10v2004-20240802-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 17/08/2024, 13:18
Static task
  static1
Behavioral task
  behavioral1
    Sample: 8a9951312d55bd0542805a6789f6b730N.exe
    Resource: win7-20240729-en
Behavioral task
  behavioral2
    Sample: 8a9951312d55bd0542805a6789f6b730N.exe
    Resource: win10v2004-20240802-en
General
  Target: 8a9951312d55bd0542805a6789f6b730N.exe
  Size: 2.7MB
  MD5: 8a9951312d55bd0542805a6789f6b730
  SHA1: 8fdb6c377e6640151cdf94f69f52e3a4640b76d8
  SHA256: 67a4f95a52bc663a51106d8eaf2f9357683077db0b3eb96e535c70f35b8c4d8c
  SHA512: dfab7220d3aaea57b9cd8efa0aba3425f1d048f62659c0665e192f44769e38a855690f5c839606e6ac821a9949240f559e73d8e04c898a4fa0abb09feea5bde9
  SSDEEP: 49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBK9w4Sx:+R0pI/IQlUoMPdmpSps4
Signatures
- Executes dropped EXE (1 IoC)
    pid: 3048
    Process: xoptisys.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe81\\xoptisys.exe"
    Process: 8a9951312d55bd0542805a6789f6b730N.exe

    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB5C\\dobxec.exe"
    Process: 8a9951312d55bd0542805a6789f6b730N.exe
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
    description: Key opened
    ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: 8a9951312d55bd0542805a6789f6b730N.exe

    description: Key opened
    ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: xoptisys.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
    pid   Process
    3192  8a9951312d55bd0542805a6789f6b730N.exe
    3048  xoptisys.exe
    (all 64 recorded events are attributed to these two processes only)
- Suspicious use of WriteProcessMemory (3 IoCs)
    description: PID 3192 wrote to memory of 3048
    pid: 3192
    Process: 8a9951312d55bd0542805a6789f6b730N.exe
    procid_target: 93
    (the same event is recorded three times)
Processes
- C:\Users\Admin\AppData\Local\Temp\8a9951312d55bd0542805a6789f6b730N.exe (PID 3192)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8a9951312d55bd0542805a6789f6b730N.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Adobe81\xoptisys.exe (PID 3048, child of PID 3192)
    Command line: C:\Adobe81\xoptisys.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK Enterprise v15
Downloads: 4 files (sizes 2.7MB, 2.0MB, 2.7MB, 201B)