Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20/08/2024, 01:41

General

  • Target

    f009fa4fbf36760aeb5a8ca0d3b21910N.exe

  • Size

    2.7MB

  • MD5

    f009fa4fbf36760aeb5a8ca0d3b21910

  • SHA1

    09bdc6a1e3ab136737f74456199caa692033b568

  • SHA256

    887a8dec2685426b2bc0fe1364671cb9c0e4a76981ba9e5d61835fb4ca90593b

  • SHA512

    93c3d27214feb5af490c126771467e85b15eefb5e5fe887050218e70af60d6445017d40a2443cfaf0c695f6260b0f2ecd25d758a39de609b4cf67b613cbf571f

  • SSDEEP

    49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBi9w4Sx:+R0pI/IQlUoMPdmpSpc4

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f009fa4fbf36760aeb5a8ca0d3b21910N.exe
    "C:\Users\Admin\AppData\Local\Temp\f009fa4fbf36760aeb5a8ca0d3b21910N.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:592
    • C:\UserDotD2\xdobloc.exe
      C:\UserDotD2\xdobloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2232
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4668,i,16315016104747277319,5510969007830467313,262144 --variations-seed-version --mojo-platform-channel-handle=3692 /prefetch:8
    1⤵
      PID:512

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\KaVBID\optixec.exe

      Filesize

      11KB

      MD5

      7c04dfcfd9b905bce3928823a75b9ed2

      SHA1

      30c4e1f6cee58ee0dcc82e08d2ee53eeb63feec0

      SHA256

      04ee5525fdb52bdfe97480bd9fd5d827a08de5c206eedb6d9079d1791db0829c

      SHA512

      32d0a23cdaa420a8eeba01748cb048bf89e027e89bb4f0a8ab190531997b67c8a600bad998295186357a77ad137d6c72c1541e48a4980eff6163cffe0bbd9e96

    • C:\KaVBID\optixec.exe

      Filesize

      2.7MB

      MD5

      82ef541df19f207e772ed1809b6da587

      SHA1

      429ebce9e203a6c651ac37155850145460338a1e

      SHA256

      5a74032f785c58fb5331e885eed85ce6b9c19c9a42f1212210329668c695e637

      SHA512

      896865c89edf94385fc70a39ab0c290779e5b987598958cea97961be9a31270d3b69e3176b94e5a0c4e307ed1a94e811723231832982302505b0080d3923d07a

    • C:\UserDotD2\xdobloc.exe

      Filesize

      2.7MB

      MD5

      0fdfbcccac3ce3741d4ef47243704d14

      SHA1

      da2eab455cc89f0edcabe24f0f4464df97a5dc02

      SHA256

      1031d6ad3bf935ae0f21b719c0ade508d582883b4853c8e2986ead10ee75b71c

      SHA512

      68ef4e739caf1ef934a0f90070559c935ce2640d9309937ff6d3b6b10fcbc474a178b99808961cf90d0e982f91ab34e96a60f777891fca1a2a4db9fc1c7b79e9

    • C:\Users\Admin\253086396416_10.0_Admin.ini

      Filesize

      202B

      MD5

      19aa82f4f5d91d244e950fe485702b67

      SHA1

      61cf8e36b64f69de9b88d8e4a8fef6e976601861

      SHA256

      66d15fd7bb0a36e0f5a135045758ec384c8a4c48f86efae519b9fcc1158da8e4

      SHA512

      e9d02a4004787fd5848f8910e2b618839917727d10c8cf9ef4c3cba6f62dfd40422b6545d8b031f5a34f40341f3b366f9d6221b17cc0691b3615490169b5ebf5
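The indicators above (the dropped paths under C:\UserDotD2 and C:\KaVBID, the Run-key persistence, the file hashes) are what a responder would sweep other hosts for. The script below is an added example, not part of this Triage report or of tria.ge's own tooling: it carries the report's SHA256 and path indicators and checks a directory tree and a `reg query <key> /s` listing against them. Everything built inside `demo()` (the directory tree, the placeholder file contents, the Run-key listing) is constructed test input; in particular the report does not give the Run value name or data, so the `xdobloc` value in the listing is an assumed placeholder.

```python
"""Host sweep for the indicators in this Triage report.

Added example, not part of the report or of tria.ge. Hash and path values
are copied from the report; the tree and the Run-key listing built in
demo() are constructed test input, not sandbox output.
"""
import hashlib
import os
import re
import tempfile

# SHA256 -> what the report lists it as (sample plus dropped files).
REPORT_SHA256 = {
    "887a8dec2685426b2bc0fe1364671cb9c0e4a76981ba9e5d61835fb4ca90593b": "sample f009fa4fbf36760aeb5a8ca0d3b21910N.exe",
    "04ee5525fdb52bdfe97480bd9fd5d827a08de5c206eedb6d9079d1791db0829c": "C:\\KaVBID\\optixec.exe (11KB)",
    "5a74032f785c58fb5331e885eed85ce6b9c19c9a42f1212210329668c695e637": "C:\\KaVBID\\optixec.exe (2.7MB)",
    "1031d6ad3bf935ae0f21b719c0ade508d582883b4853c8e2986ead10ee75b71c": "C:\\UserDotD2\\xdobloc.exe",
    "66d15fd7bb0a36e0f5a135045758ec384c8a4c48f86efae519b9fcc1158da8e4": "C:\\Users\\Admin\\253086396416_10.0_Admin.ini",
}

# Path indicators from the Processes/Downloads sections. Matched on the
# trailing "<dir>\<name>" only, so a different drive letter still hits.
REPORT_PATH_TAILS = (r"userdotd2\xdobloc.exe", r"kavbid\optixec.exe")


def normalize(path):
    """Lower-case and force backslashes so POSIX and Windows paths compare alike."""
    return path.replace("/", "\\").lower()


def sha256_file(path, chunk=1 << 20):
    """Stream the file through SHA256 so 2.7MB (or larger) binaries need not be read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep_tree(root, sha256_iocs=REPORT_SHA256, path_tails=REPORT_PATH_TAILS):
    """Walk root; return [(path, reason)] for every file matching a path or hash IoC."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            norm = normalize(full)
            for tail in path_tails:
                if norm.endswith(tail):
                    hits.append((full, "path matches " + tail))
            try:
                digest = sha256_file(full)
            except OSError:
                continue  # locked or unreadable file: skip it, do not abort the sweep
            if digest in sha256_iocs:
                hits.append((full, "sha256 matches " + sha256_iocs[digest]))
    return hits


# One value line of `reg query <key> /s` output: "    <name>    REG_SZ    <data>"
RUN_VALUE = re.compile(r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_[A-Z_]+)\s{2,}(?P<data>.*\S)\s*$")


def suspicious_run_values(reg_query_text, path_tails=REPORT_PATH_TAILS):
    """Return (key, value_name, data) for Run values whose data names a dropped path."""
    hits, current_key = [], None
    for line in reg_query_text.splitlines():
        if line.startswith("HKEY_"):
            current_key = line.strip()  # reg query prints the key path before its values
            continue
        m = RUN_VALUE.match(line)
        if not m:
            continue
        if any(tail in normalize(m.group("data")) for tail in path_tails):
            hits.append((current_key, m.group("name"), m.group("data")))
    return hits


def demo():
    """Constructed input: a fake drive tree and a fake `reg query` listing."""
    with tempfile.TemporaryDirectory() as drive:
        os.makedirs(os.path.join(drive, "UserDotD2"))
        os.makedirs(os.path.join(drive, "Windows"))
        # Placeholder bytes: these are NOT the dropped binaries, so only the path IoC fires.
        with open(os.path.join(drive, "UserDotD2", "xdobloc.exe"), "wb") as f:
            f.write(b"MZ constructed placeholder, not the real dropped file")
        with open(os.path.join(drive, "Windows", "notepad.exe"), "wb") as f:
            f.write(b"MZ benign placeholder")
        tree_hits = sweep_tree(drive)
    # Constructed listing; the value name "xdobloc" is assumed, the report does not give it.
    reg_listing = (
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n"
        "    OneDrive    REG_SZ    \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background\n"
        "    xdobloc    REG_SZ    C:\\UserDotD2\\xdobloc.exe\n"
    )
    return tree_hits, suspicious_run_values(reg_listing)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

On a live host you would point `sweep_tree` at each drive root and feed it the output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /s` (and the HKLM equivalent). Note what the report itself shows about the hash indicators: the sample, xdobloc.exe and optixec.exe are all 2.7MB yet carry three different hashes, and optixec.exe is listed at two sizes, so the hashes pin exactly the artifacts from this one run and little else. The path tails and the Run-key persistence are the more durable pivots, and even those come from a single sandbox execution.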