Analysis

  • max time kernel
    119s
  • max time network
    101s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20/08/2024, 10:03

General

  • Target

    af89226bdf1edff747196fe8aab4eef0N.exe

  • Size

    2.7MB

  • MD5

    af89226bdf1edff747196fe8aab4eef0

  • SHA1

    5bea1fc061f4a3d6703ebbacc1b2619e0dd8bc77

  • SHA256

    3caac343f90a0b15048847dd1a04b09b1d6b9d2b1a57764fe63c4aa433fd5698

  • SHA512

    7ca724a17672b7e1403ee0385b08a6cffe0627c21b61fff2d3d53eba36e6f661e8c3cddbe917afe7a702d0f6ab1a6982f4d91c1acaa8b0f26210d49c51149ffb

  • SSDEEP

    49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBK9w4Sx:+R0pI/IQlUoMPdmpSpo4

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\af89226bdf1edff747196fe8aab4eef0N.exe
    "C:\Users\Admin\AppData\Local\Temp\af89226bdf1edff747196fe8aab4eef0N.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4908
    • C:\SysDrv92\xoptiloc.exe
      C:\SysDrv92\xoptiloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2492

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\SysDrv92\xoptiloc.exe

    Filesize

    2.7MB

    MD5

    a2be5cc4a167160c84661948ac3f8acf

    SHA1

    96af708b7e2e23ea0085ee30982f84fe4dd68275

    SHA256

    05591a98fb329acda712404e4cfd5b0b727deb855b6fb58f7695ccaf16ebe9ab

    SHA512

    7e7309644be589897c7304f07be0d8c90cbac1fcc4ef1f6bc986a3ad04412ac406a66e7d73fc77a04d75518288a2a2c639f07e35e38589c8cee733b0964211f5

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    204B

    MD5

    f68c8f1ee5f291dec4ec3e6d82cc83a6

    SHA1

    43d160c648cd40551101c5e00bcde94640b7f928

    SHA256

    49e59036bc128900e312231c3c8d382761ed4f1a5d817284196606881398a01b

    SHA512

    0d2afd80055d739b6c4d28e40de16060c5883eee5d4db1824b2a6a7c11685ae21a3a42c2de7e12c878072e1edbb59dbc29d3ccdf20a60f6e4a7cb51e55246e26

  • C:\VidAH\dobdevloc.exe

    Filesize

    1.3MB

    MD5

    abcd3166cf163a753412b31a9a9a3459

    SHA1

    bced349b179ca45ce4d8692849ae6e6bd90c9907

    SHA256

    1299e02d70f92be87237f73c016f5ac6087d5b01130cf1aaa3feaeb20d76d145

    SHA512

    5662db413879593491b2559c3a92bb2eb774cbcf3d25ef97aaa453d0a8b9776f20452f0b88571f570a38a0e28889d4d0771aefbb9d6f591cc458c083409f8dd5