Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel: 119s
  • max time network: 20s
  • platform: windows7_x64
  • resource: win7-20240708-en
  • resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted: 21/08/2024, 06:31

General

  • Target: b39e98716029fad9961399c48c93dc20N.exe
  • Size: 2.6MB
  • MD5: b39e98716029fad9961399c48c93dc20
  • SHA1: 7863d214700f1dd6b8cb1b44fc2171a7e4f22771
  • SHA256: 5a5278a67eac531f9b6c27e2410bf8c008ac9f5204672ec24862312b2d7a5dda
  • SHA512: e15b771de1629f9d532d2c33678f28af2c87e6aa66f7ce8156dab3d882114ae87eb229f4a962e0314cabea67798a42999c26fc1962b63d67d3d31e0c16198435
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB/B/bS:sxX7QnxrloE5dpUpcb

Malware Config

Signatures

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b39e98716029fad9961399c48c93dc20N.exe
    "C:\Users\Admin\AppData\Local\Temp\b39e98716029fad9961399c48c93dc20N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2252
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2780
    • C:\UserDot4H\devdobec.exe
      C:\UserDot4H\devdobec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2684

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Galax60\optixsys.exe
    Filesize: 2.6MB
    MD5: 415da4969c078e715a2f88104d139009
    SHA1: 622d67eef4d975a0f69b1f61f41555816cfdd4e5
    SHA256: b0c29d075cfc6f02fe4ac023f01164f9b39cc17d3d0d6904d952800ef5e9f955
    SHA512: b00314a6a3e3e1d2581fe302dc60874e0ee73dabe9c526a33a097754963661b2f935fd90f0e23578a37d9ac1b1804caa785c4888082ac16a11549f49bbf43ef7

  • C:\Galax60\optixsys.exe
    Filesize: 12KB
    MD5: 5ce46de9d1c8ab23eeb8a98bb0b2232e
    SHA1: eb2b026ffaf5a7802065fa5971c5c4495fa6763a
    SHA256: 0f99b7bc2b192971b8bed8dbf4f50389b59e62d5cae4d0fbbb58657c2730a6b0
    SHA512: 173969eb6ea4e493f9c0d1c1df5c1080fb72fc38f0fc13e5eaffdd7eeae658b9464603a66d0a918d3f86bca65b97dccfd201cd7d66c1758e452476026a290712

  • C:\UserDot4H\devdobec.exe
    Filesize: 2.6MB
    MD5: 5e4ea8ad62671a441012f17ad7364084
    SHA1: 337c583f1b33cb2f4abbb5563b3b77b4cd777b4a
    SHA256: 3e16e12db56d7c534e023f09308748765067a7a7e9cd0e120dcf43bf04680b24
    SHA512: 47607f9991cabc67cd197cfc92154b08bc7f53a60575e6caa6650e500b645bbd716858ed820c040fe77771e369bade8c9341f3acb179a76e01ad48ccc57ceb52

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 173B
    MD5: 520773fc57364512e25f4f1837dd51c1
    SHA1: 0bad45f3f6ece11b74343a30fdd6653b3c70f741
    SHA256: 4722bb7d0073b78a02a85f476117e3eff3ae0d20359196d47ac045b4a22a6063
    SHA512: e87f68c8895a38015eccfaa84a692afe8dab2663a9ce1f27e5ce9b71a125917ee3fe9a4605481e23ab32de079cd45f11007715c3e8a2e41f2423b6c9e1230cee

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 205B
    MD5: e0015b7eabc7db1e592f9e1297c1382a
    SHA1: 0e5eb3af703b1a38609156f4726bf5f41ab0c958
    SHA256: 7848eda5c748d6f752b9447e995820d36f94f680e1efed02b5067ba25b8984a1
    SHA512: c6aa4cc8f48768c1edac57041dfbfb6a079a46f11a1eb911edddeee3d8208c4a97376da48f2cc172c3c2d6afd46486888990b29dbe2038cf497da957dce00d3f

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
    Filesize: 2.6MB
    MD5: 102ba695a133f5d0129c669a68c7657a
    SHA1: feede22501cd618835bfa40e5887b502044cc6ba
    SHA256: 1dbbf02cf2c410469b6cd81ee8311a46840daf47a27edcc13d9d2d351845894f
    SHA512: 22f3ec7661ec1a960403a3a7e5faf639942a281041557c28bd7383dd60d08d0df3b301eaab0ef9ba85f13af2df0b36222aab39183898c7e96e685a7760446119