Analysis

  • max time kernel
    119s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    19/08/2024, 01:17

General

  • Target

    ae35361913d320c3069363fa3fa3ade0N.exe

  • Size

    2.6MB

  • MD5

    ae35361913d320c3069363fa3fa3ade0

  • SHA1

    83743b5c8258414b52fbf433e1ed3eaf2f6b441c

  • SHA256

    7476915618ff5b7c002633837d6c9b1ba2a6fa04b9569054713c3b2858960c90

  • SHA512

    fac4e27ef436c49df0e9ff87b8f66afcc72e6f5b7f723db6f3a148030f4b274ced028680abadeb8cde97e41426c60d7f92294f7fa9492949eba78144b6197114

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBfB/bS:sxX7QnxrloE5dpUpob

Malware Config

Signatures

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser's credential store.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers commonly read stored browser data such as saved credentials, cookies and session tokens.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather the system language of the victim host in order to infer its geographical location.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ae35361913d320c3069363fa3fa3ade0N.exe
    "C:\Users\Admin\AppData\Local\Temp\ae35361913d320c3069363fa3fa3ade0N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2296
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2144
    • C:\SysDrvRW\devdobec.exe
      C:\SysDrvRW\devdobec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2316

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\KaVBR9\optiasys.exe

    Filesize

    1.4MB

    MD5

    1846af9e8b55558541978d7c56478edb

    SHA1

    547f27f580ed217db608fc58faecb1dcb3b7543b

    SHA256

    7c6db1f5dd41aba0b5ee24e4372b0e3cf316d0b24b7ccdf6d15f3d773aa5b4dd

    SHA512

    863a883ee684a9eca2ce85aa2a2cdeae7c5dbaad9776f5795f2cdc6cba19fbd24e571c2981520079bd260f48dcffc8b1f42a9d9f65c2582894b1d60f6e94df9b

  • C:\KaVBR9\optiasys.exe

    Filesize

    6KB

    MD5

    0860ba7ab87e6dbf893e728aa4621778

    SHA1

    6296ec6dd59bc3b8a68b647437f788d3632c62db

    SHA256

    dae0dd40453db7d1814b71e7428dae76ec100c87d90429cfe275f635828912b2

    SHA512

    6b72d47a2829acfcf1490f689278dd8559279bed5d5c4557d0d0a5168428051f1906438558ebacac45c8aee6d3c2408cb4723e18b3d3bcc087625db5239ebaef

  • C:\SysDrvRW\devdobec.exe

    Filesize

    2.6MB

    MD5

    4fc31d5ec78857d5fc124bca27ed6a11

    SHA1

    94ed693f83c48e5443596540bd5e3fecd9ff916b

    SHA256

    1e2a3890be0271525cbc89acf47c4945ab595d83c1dc6820b56395b6c02e520e

    SHA512

    79dd3bd4a4d0c3386a8551dcc0ed3f07f4e1d9662d91d7ec22ec08775732652526ea15e5358cc4a89fc8fc3776fc991144fe939cf42d3e1c0152a1f243863590

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    172B

    MD5

    48b0e152c54f4f0e954b3f212ab469a4

    SHA1

    a52e08dd12d5243328cf743f8e6e61f55874b255

    SHA256

    e140d0dd62ee5f5d9a83f6ced099d080f48eb591395318eb333b02f42333122e

    SHA512

    b2174a65135b1af7bb9d6b12eb0c2b84fb0efcaa3f6271b4b8d5fe4201fd2879440729c9fcc149d52b1b68775e6fab8149b98dc1dde64080497265ce79ac8f5b

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    204B

    MD5

    969f07817dc11d8b8ffbaa3b4e37321e

    SHA1

    e7bef68c024a26d6a08b5a5ceaee251ce824f7a4

    SHA256

    c0a16025d7e20280e786890eeb772d31b5dafab3aed9f28a656c6a66780e7a78

    SHA512

    cdc45b27d3a6fc3c3a89823edb7bdf8886a4fa3ffd055c5c4f753c12c7f29c8603326352633d357eeafac25558abf024325c9bcf028fa37d8b7a1bf681b4c1f7

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe

    Filesize

    2.6MB

    MD5

    93df60cd4089d2057289107553b39825

    SHA1

    f06cf167fcd59d0ad56dff05cdc30d8c95cee9fa

    SHA256

    edc3598d2c0af6ba8ce09b104dc2f6992d05206415a271637f4779831cd2dd6d

    SHA512

    7e423dcc5f258a3e8d23bce780ac393660487b48fddaf906bfd5457f85fa9bb09741a93abb426f16d08792eee6f06b5328db7fe63757bd2343e15921ca9da245
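The process tree and the dropped-file list above give a responder two things to hunt for on other hosts: the SHA256 values of the dropped files, and the execution pattern (a sample in %TEMP% that writes an EXE into the user's Startup folder and another into a short, non-standard directory under the system drive, then runs both). The script below is an added example, not tria.ge's code or anything from the sample; it copies the SHA256 values from this report, and everything else is an assumption: the Sysmon-style event records and the demo files are constructed for the run, and the regexes defining "Startup folder", "non-standard root directory" and "Run key" are the author's own detection heuristics, not a tria.ge signature.

```python
"""Hunt helpers derived from the sandbox report (added example, not tria.ge code)."""
import hashlib
import os
import re
import tempfile

# SHA256 values copied from the report's Downloads section and the submitted sample.
REPORT_SHA256 = {
    "7476915618ff5b7c002633837d6c9b1ba2a6fa04b9569054713c3b2858960c90": "ae35361913d320c3069363fa3fa3ade0N.exe (submitted sample)",
    "edc3598d2c0af6ba8ce09b104dc2f6992d05206415a271637f4779831cd2dd6d": "Startup\\sysxopti.exe",
    "1e2a3890be0271525cbc89acf47c4945ab595d83c1dc6820b56395b6c02e520e": "C:\\SysDrvRW\\devdobec.exe",
    "7c6db1f5dd41aba0b5ee24e4372b0e3cf316d0b24b7ccdf6d15f3d773aa5b4dd": "C:\\KaVBR9\\optiasys.exe (1.4MB)",
    "dae0dd40453db7d1814b71e7428dae76ec100c87d90429cfe275f635828912b2": "C:\\KaVBR9\\optiasys.exe (6KB)",
}


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA256 so large drops do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def match_hashes(paths, iocs=REPORT_SHA256):
    """Return {path: label} for every readable file whose SHA256 is in the IOC set."""
    hits = {}
    for p in paths:
        try:
            digest = sha256_file(p)
        except OSError:  # missing or unreadable file: skip, do not abort the sweep
            continue
        if digest in iocs:
            hits[p] = iocs[digest]
    return hits


# Heuristics (assumptions) modelled on this sample's process tree, not tria.ge signatures.
STARTUP_DIR = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", re.I)
# A short alphanumeric directory directly under the drive root, e.g. C:\SysDrvRW\devdobec.exe
ODD_ROOT_DIR = re.compile(r"^[A-Z]:\\[A-Za-z0-9]{4,10}\\[^\\]+\.exe$", re.I)
KNOWN_ROOT = re.compile(r"^[A-Z]:\\(Windows|Program Files( \(x86\))?|Users|ProgramData)\\", re.I)
PARENT_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)


def classify_process(event):
    """Return the rule names that fire on one process-creation event (Image, ParentImage)."""
    image, parent = event["Image"], event.get("ParentImage", "")
    rules = []
    if STARTUP_DIR.search(image):
        rules.append("exe_in_user_startup_folder")
    if ODD_ROOT_DIR.match(image) and not KNOWN_ROOT.match(image):
        rules.append("exe_in_nonstandard_root_dir")
    if PARENT_TEMP.search(parent):
        rules.append("spawned_by_temp_exe")
    return rules


def is_run_key_write(target_object):
    """True for a registry write under HKCU/HKLM ...\\CurrentVersion\\Run or RunOnce."""
    return bool(RUN_KEY.search(target_object))


def triage_events(events):
    """Map image path -> fired rules for every event that fired at least one rule."""
    return {e["Image"]: r for e in events if (r := classify_process(e))}


# Constructed Sysmon-style records mirroring the report's process tree (not report data).
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\Admin\AppData\Local\Temp\ae35361913d320c3069363fa3fa3ade0N.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe",
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\ae35361913d320c3069363fa3fa3ade0N.exe"},
    {"Image": r"C:\SysDrvRW\devdobec.exe",
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\ae35361913d320c3069363fa3fa3ade0N.exe"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
]


def demo_hash_match():
    """Constructed demo: a fake 'dropped' file whose hash we add to the IOC set,
    a benign file, and a missing path. Returns the hits dict (one entry expected)."""
    with tempfile.TemporaryDirectory() as d:
        dropped = os.path.join(d, "devdobec.exe")
        benign = os.path.join(d, "notes.txt")
        with open(dropped, "wb") as f:
            f.write(b"MZ constructed dropper body, not the real sample\n")
        with open(benign, "wb") as f:
            f.write(b"hello\n")
        iocs = dict(REPORT_SHA256)
        iocs[sha256_file(dropped)] = "constructed demo dropper"
        return match_hashes([dropped, benign, os.path.join(d, "missing.exe")], iocs)


if __name__ == "__main__":
    for image, rules in triage_events(SAMPLE_EVENTS).items():
        print(f"{image}: {', '.join(rules)}")
    print(demo_hash_match())
```

On a real host, replace SAMPLE_EVENTS with parsed Sysmon event ID 1 records and feed match_hashes the paths from the report (the Startup folder, C:\SysDrvRW and C:\KaVBR9); note that the two optiasys.exe entries and the two .ini entries above are different writes to the same path, so both hashes belong in the IOC set.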