Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 119s
max time network: 19s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 19/08/2024, 01:17
Static task: static1
Behavioral task: behavioral1
  Sample: ae35361913d320c3069363fa3fa3ade0N.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: ae35361913d320c3069363fa3fa3ade0N.exe
  Resource: win10v2004-20240802-en
General
Target: ae35361913d320c3069363fa3fa3ade0N.exe
Size: 2.6MB
MD5: ae35361913d320c3069363fa3fa3ade0
SHA1: 83743b5c8258414b52fbf433e1ed3eaf2f6b441c
SHA256: 7476915618ff5b7c002633837d6c9b1ba2a6fa04b9569054713c3b2858960c90
SHA512: fac4e27ef436c49df0e9ff87b8f66afcc72e6f5b7f723db6f3a148030f4b274ced028680abadeb8cde97e41426c60d7f92294f7fa9492949eba78144b6197114
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBfB/bS:sxX7QnxrloE5dpUpob
Malware Config
Signatures
- Credentials from Password Stores: Credentials from Web Browsers (1 TTP)
  Malicious access or copy of web browser credential store.
- Drops startup file (1 IoC)
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
  Process: ae35361913d320c3069363fa3fa3ade0N.exe
- Executes dropped EXE (2 IoCs)
  pid 2144, Process sysxopti.exe
  pid 2316, Process devdobec.exe
- Loads dropped DLL (2 IoCs)
  pid 2296, Process ae35361913d320c3069363fa3fa3ade0N.exe
  pid 2296, Process ae35361913d320c3069363fa3fa3ade0N.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvRW\\devdobec.exe"
  Process: ae35361913d320c3069363fa3fa3ade0N.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBR9\\optiasys.exe"
  Process: ae35361913d320c3069363fa3fa3ade0N.exe
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; Process: ae35361913d320c3069363fa3fa3ade0N.exe
  description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; Process: sysxopti.exe
  description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; Process: devdobec.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid / Process (the 64 entries repeat the following pairs):
  2296 ae35361913d320c3069363fa3fa3ade0N.exe
  2144 sysxopti.exe
  2316 devdobec.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description / pid / Process / procid_target:
  PID 2296 wrote to memory of 2144; Process ae35361913d320c3069363fa3fa3ade0N.exe; target 30 (4 entries)
  PID 2296 wrote to memory of 2316; Process ae35361913d320c3069363fa3fa3ade0N.exe; target 31 (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\ae35361913d320c3069363fa3fa3ade0N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ae35361913d320c3069363fa3fa3ade0N.exe"
  PID: 2296
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"
    PID: 2144
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\SysDrvRW\devdobec.exe
    Command line: C:\SysDrvRW\devdobec.exe
    PID: 2316
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads