Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

0f1ee7306c...0N.exe

windows7-x64

7

0f1ee7306c...0N.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/08/2024, 14:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0f1ee7306cefdef1bf7039123282fee0N.exe

  • Size

    2.7MB

  • MD5

    0f1ee7306cefdef1bf7039123282fee0

  • SHA1

    f81548bc83f906787d7d221be268cb57bc4bc56a

  • SHA256

    8a26bb0dfaa21c513afc393416a8cca8a58251fac5ba5479e28ac92cec8f929f

  • SHA512

    ad9c0963e79e740dc0a87a5c8302a420814abc5a9889ff04c30cc7ce7a48b5b99db8c8ec6d956debb6dca127c0c9e5093ad1c4cde61ab8ecff3b8b617659e8ce

  • SSDEEP

    49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBm9w4Sx:+R0pI/IQlUoMPdmpSp44

Score
7/10
discoverypersistence

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0f1ee7306cefdef1bf7039123282fee0N.exe
    "C:\Users\Admin\AppData\Local\Temp\0f1ee7306cefdef1bf7039123282fee0N.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3348
    • C:\SysDrvUN\aoptiloc.exe
      C:\SysDrvUN\aoptiloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4484

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\GalaxEU\dobaloc.exe
    Filesize

    7KB

    MD5

    78631f73b43fa95e766280d67ae7da0f

    SHA1

    ca85fe116da7d0ee4c8d36fe1825df8c09d6829b

    SHA256

    32c0c0e722985ad4e4d7ae76467698b725193db0207c8be6bd41d5f55b187db5

    SHA512

    3bf2fce579c4792818390e3df70a9eea56371e516e574cf566a6352e2c8f91702bced60b65a6c3465c13ab588282f9b426793f38fb6e96ec23e0f0ae23450edf

    Download Submit

  • C:\GalaxEU\dobaloc.exe
    Filesize

    2.7MB

    MD5

    7448a39a02cceb5d53f0ff1f162ea8ed

    SHA1

    b0b4207e4d4e529c80ffa73512e4f39afecaf3e5

    SHA256

    8d139775afb97c355d8e0dca3ff6cf0e9004ac2f08a54cdfe3ec63722e32612f

    SHA512

    9bafd570b32cf3367eac090338d56ad4b25932fbbc3d308923b318714ef3a7773e566cb4ab7cccbb01c443e7f06e2b0f567ad5694eed1d111d21f04d6445e54b

    Download Submit

  • C:\SysDrvUN\aoptiloc.exe
    Filesize

    2.7MB

    MD5

    b2511555c1ae2a3de4fde8ad66ad24b6

    SHA1

    7a373ae165bb635e23b47bb7161e176277c239c1

    SHA256

    7f24412ab3c75949189992bae0f1478cad9c4140f1b1e313269135803e4f698b

    SHA512

    9977e53345ca79b1355198dbab5a0df3806414d8499fc13aebde22a33ba830e19a2d1d138356d0e25b5022fa7a1b17119b28d85f6bb12a0fc9da224a1421e642

    Download Submit

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize

    206B

    MD5

    e8b0dd09511545d1c14241c48277ea98

    SHA1

    0d6f9aa8e1354d5c8260bbc4f2bfa35097f3a8b6

    SHA256

    b2099899a90728ee9dfb771a70659af89341b704a287b203cfe53f15e5c06db9

    SHA512

    ecb2b67ddd6bedf8e6ff698eb5bb1e598b5fb66769c1f2d1c3b25d23c506bbc9ce90276acb31bb26987e385b47c5e7f85cf79955841533b04357f268ce376b72

    Download Submit