Analysis
- max time kernel: 119s
- max time network: 20s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 21/08/2024, 06:31
Static task: static1
Behavioral task: behavioral1
- Sample: b39e98716029fad9961399c48c93dc20N.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: b39e98716029fad9961399c48c93dc20N.exe
- Resource: win10v2004-20240802-en
General
- Target: b39e98716029fad9961399c48c93dc20N.exe
- Size: 2.6MB
- MD5: b39e98716029fad9961399c48c93dc20
- SHA1: 7863d214700f1dd6b8cb1b44fc2171a7e4f22771
- SHA256: 5a5278a67eac531f9b6c27e2410bf8c008ac9f5204672ec24862312b2d7a5dda
- SHA512: e15b771de1629f9d532d2c33678f28af2c87e6aa66f7ce8156dab3d882114ae87eb229f4a962e0314cabea67798a42999c26fc1962b63d67d3d31e0c16198435
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB/B/bS:sxX7QnxrloE5dpUpcb
Malware Config
Signatures
- Credentials from Password Stores: Credentials from Web Browsers (1 TTP)
  Malicious access to, or copy of, a web browser credential store.
- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe (process: b39e98716029fad9961399c48c93dc20N.exe)
- Executes dropped EXE (2 IoCs)
  PID 2780 ecxopti.exe; PID 2684 devdobec.exe
- Loads dropped DLL (2 IoCs)
  PID 2252 b39e98716029fad9961399c48c93dc20N.exe (2 events)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot4H\\devdobec.exe" (process: b39e98716029fad9961399c48c93dc20N.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax60\\optixsys.exe" (process: b39e98716029fad9961399c48c93dc20N.exe)
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (processes: b39e98716029fad9961399c48c93dc20N.exe, ecxopti.exe, devdobec.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2252 b39e98716029fad9961399c48c93dc20N.exe (2 events); PID 2780 ecxopti.exe (31 events); PID 2684 devdobec.exe (31 events)
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2252 b39e98716029fad9961399c48c93dc20N.exe wrote to memory of PID 2780 (procid_target 30), 4 events
  PID 2252 b39e98716029fad9961399c48c93dc20N.exe wrote to memory of PID 2684 (procid_target 31), 4 events
Processes
- C:\Users\Admin\AppData\Local\Temp\b39e98716029fad9961399c48c93dc20N.exe (PID 2252)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b39e98716029fad9961399c48c93dc20N.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe (PID 2780, child of 2252)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\UserDot4H\devdobec.exe (PID 2684, child of 2252)
    Command line: C:\UserDot4H\devdobec.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
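The persistence IoCs above are the actionable part of this report: a per-user Run value and a RunOnce value (both named "Parametr") plus an executable dropped into the user's Startup folder, all written by the original sample. The following is an added worked example, not part of the Triage report and not Triage's own tooling. It normalises the NT-style registry paths the sandbox reports (\REGISTRY\USER\<SID>\...) to the HKU/HKLM form most detection content uses, classifies Run/RunOnce values and Startup-folder drops under ATT&CK T1547.001, and cross-checks the autostart payloads against the image paths in the process tree. The event schema (kind/target/value/process) is an assumption of the example; the sample events are constructed from the IoCs on this page, with one benign negative case added. Note that the RunOnce target C:\Galax60\optixsys.exe does not appear among the executed processes in this run, which the example reports.

```python
r"""Added example: triage persistence IoCs from a sandbox report.

Normalises \REGISTRY\USER\<SID>\... and \REGISTRY\MACHINE\... to HKU/HKLM,
flags Run/RunOnce values and Startup-folder drops as ATT&CK T1547.001, and
lists autostart payloads never observed running. The event dict schema
(kind/target/value/process) is an assumption of this example, not Triage's
export format; sample events are constructed from the report's IoCs.
"""
import re
from dataclasses import dataclass
from typing import Optional

# NT object-manager hive prefixes (as sandboxes and Sysmon report them) -> short names.
HIVE_MAP = {
    r"\REGISTRY\MACHINE": "HKLM",
    r"\REGISTRY\USER": "HKU",
}

# Run / RunOnce values under any hive; the trailing path component is the value name.
AUTORUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\(?P<name>[^\\]+)$",
    re.IGNORECASE,
)
# Per-user Startup folder: anything written here is launched at logon.
STARTUP_DIR_RE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    technique: str   # ATT&CK technique ID
    kind: str        # "registry:Run", "registry:RunOnce" or "startup_folder"
    location: str    # normalised key path or dropped-file path
    payload: str     # executable that will be launched at logon
    process: str     # process that created the persistence


def normalize_hive(path: str) -> str:
    """Rewrite an NT registry path to the HKLM/HKU short form; other paths pass through."""
    upper = path.upper()
    for nt_prefix, short in HIVE_MAP.items():
        if upper.startswith(nt_prefix):
            return short + path[len(nt_prefix):]
    return path


def unescape_value(value: str) -> str:
    """Sandbox exports show REG_SZ data quoted with doubled backslashes; undo that."""
    return value.strip('"').replace("\\\\", "\\")


def classify(event: dict) -> Optional[Finding]:
    """Map one registry-set or file-create event to a persistence finding, or None."""
    if event["kind"] == "reg_set":
        key = normalize_hive(event["target"])
        m = AUTORUN_KEY_RE.search(key)
        if m:
            return Finding("T1547.001", f"registry:{m.group(1)}", key,
                           unescape_value(event["value"]), event["process"])
    elif event["kind"] == "file_create":
        if STARTUP_DIR_RE.search(event["target"]):
            return Finding("T1547.001", "startup_folder", event["target"],
                           event["target"], event["process"])
    return None


def find_persistence(events) -> list:
    """Run classify() over all events and keep the hits."""
    return [f for f in (classify(e) for e in events) if f is not None]


def unexecuted_payloads(findings, executed_images) -> list:
    """Autostart targets that were written but never seen running during the analysis."""
    seen = {img.lower() for img in executed_images}
    return sorted({f.payload for f in findings if f.payload.lower() not in seen})


DROPPER = "b39e98716029fad9961399c48c93dc20N.exe"
SID = "S-1-5-21-940600906-3464502421-4240639183-1000"

# Constructed from the report's IoCs, plus one benign negative case (scratch.tmp).
SAMPLE_EVENTS = [
    {"kind": "reg_set",
     "target": rf"\REGISTRY\USER\{SID}\Software\Microsoft\Windows\CurrentVersion\Run\Parametr",
     "value": r'"C:\\UserDot4H\\devdobec.exe"', "process": DROPPER},
    {"kind": "reg_set",
     "target": rf"\REGISTRY\USER\{SID}\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr",
     "value": r'"C:\\Galax60\\optixsys.exe"', "process": DROPPER},
    {"kind": "file_create",
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe",
     "process": DROPPER},
    {"kind": "file_create",  # ordinary temp file: not a persistence location
     "target": r"C:\Users\Admin\AppData\Local\Temp\scratch.tmp", "process": DROPPER},
]

# Image paths taken from the report's process tree.
EXECUTED_IMAGES = [
    rf"C:\Users\Admin\AppData\Local\Temp\{DROPPER}",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe",
    r"C:\UserDot4H\devdobec.exe",
]

if __name__ == "__main__":
    findings = find_persistence(SAMPLE_EVENTS)
    for f in findings:
        print(f"{f.technique} {f.kind:<18} {f.location} -> {f.payload}")
    print("written but not observed executing:", unexecuted_payloads(findings, EXECUTED_IMAGES))
```

The hive normalisation matters when turning these IoCs into detection content: Sysmon registry events and most sandboxes emit the \REGISTRY\... object path, while Sigma rules and autoruns tooling expect HKU\ or HKLM\. The cross-check against executed images is the caveat a responder wants from a short sandbox run: a payload written to RunOnce but not launched within the 119-second window still fires on the next logon.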
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.6MB
  MD5: 415da4969c078e715a2f88104d139009
  SHA1: 622d67eef4d975a0f69b1f61f41555816cfdd4e5
  SHA256: b0c29d075cfc6f02fe4ac023f01164f9b39cc17d3d0d6904d952800ef5e9f955
  SHA512: b00314a6a3e3e1d2581fe302dc60874e0ee73dabe9c526a33a097754963661b2f935fd90f0e23578a37d9ac1b1804caa785c4888082ac16a11549f49bbf43ef7
- Filesize: 12KB
  MD5: 5ce46de9d1c8ab23eeb8a98bb0b2232e
  SHA1: eb2b026ffaf5a7802065fa5971c5c4495fa6763a
  SHA256: 0f99b7bc2b192971b8bed8dbf4f50389b59e62d5cae4d0fbbb58657c2730a6b0
  SHA512: 173969eb6ea4e493f9c0d1c1df5c1080fb72fc38f0fc13e5eaffdd7eeae658b9464603a66d0a918d3f86bca65b97dccfd201cd7d66c1758e452476026a290712
- Filesize: 2.6MB
  MD5: 5e4ea8ad62671a441012f17ad7364084
  SHA1: 337c583f1b33cb2f4abbb5563b3b77b4cd777b4a
  SHA256: 3e16e12db56d7c534e023f09308748765067a7a7e9cd0e120dcf43bf04680b24
  SHA512: 47607f9991cabc67cd197cfc92154b08bc7f53a60575e6caa6650e500b645bbd716858ed820c040fe77771e369bade8c9341f3acb179a76e01ad48ccc57ceb52
- Filesize: 173B
  MD5: 520773fc57364512e25f4f1837dd51c1
  SHA1: 0bad45f3f6ece11b74343a30fdd6653b3c70f741
  SHA256: 4722bb7d0073b78a02a85f476117e3eff3ae0d20359196d47ac045b4a22a6063
  SHA512: e87f68c8895a38015eccfaa84a692afe8dab2663a9ce1f27e5ce9b71a125917ee3fe9a4605481e23ab32de079cd45f11007715c3e8a2e41f2423b6c9e1230cee
- Filesize: 205B
  MD5: e0015b7eabc7db1e592f9e1297c1382a
  SHA1: 0e5eb3af703b1a38609156f4726bf5f41ab0c958
  SHA256: 7848eda5c748d6f752b9447e995820d36f94f680e1efed02b5067ba25b8984a1
  SHA512: c6aa4cc8f48768c1edac57041dfbfb6a079a46f11a1eb911edddeee3d8208c4a97376da48f2cc172c3c2d6afd46486888990b29dbe2038cf497da957dce00d3f
- Filesize: 2.6MB
  MD5: 102ba695a133f5d0129c669a68c7657a
  SHA1: feede22501cd618835bfa40e5887b502044cc6ba
  SHA256: 1dbbf02cf2c410469b6cd81ee8311a46840daf47a27edcc13d9d2d351845894f
  SHA512: 22f3ec7661ec1a960403a3a7e5faf639942a281041557c28bd7383dd60d08d0df3b301eaab0ef9ba85f13af2df0b36222aab39183898c7e96e685a7760446119