Analysis

  • max time kernel
    120s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    29/08/2024, 04:54

General

  • Target

    1811ff8e09ca8a0caa777852400ea8e0N.exe

  • Size

    2.6MB

  • MD5

    1811ff8e09ca8a0caa777852400ea8e0

  • SHA1

    d2794f6208b655058eaea704a37e688f6c98607f

  • SHA256

    8b9d6e01ed14e6dbc555f8156ed337df2decc760b1a0a92b97ae3dc1e7547987

  • SHA512

    5abceb5b58a06aaa12dd7c3d066d667cb4f0484d7de5a21d5942f380679ff0c56de254c5bce4c6bd9b6292e803af5fe857178551c06db08e2ab4967ecea0e250

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB8B/bS:sxX7QnxrloE5dpUpnb

Malware Config

Signatures

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser credential store.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1811ff8e09ca8a0caa777852400ea8e0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1811ff8e09ca8a0caa777852400ea8e0N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2028
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2248
    • C:\Adobe6D\aoptiloc.exe
      C:\Adobe6D\aoptiloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3032

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Adobe6D\aoptiloc.exe

    Filesize

    2.6MB

    MD5

    e95c406c0170cc241bbe4d76b884cdf7

    SHA1

    51addf58ebd8e79b7abb8edd40d82c944b249254

    SHA256

    bf526b47dbb9c29070bfc2634309db60bdfb1a954ab42c511d0680631742f551

    SHA512

    53f3dd39b3009ae3bf938db8f8134eff49dce0ea1c5c168f2479af2973c4308adbb57917b7f07402540c21330496a8f0dbc859ade24867fcf0dfe21827afe173

  • C:\GalaxIW\optixsys.exe

    Filesize

    2.6MB

    MD5

    6f9e548b337e69b2211c029cc826ecfa

    SHA1

    ad83c29f2eb0b8f016cc6b17097409e33e86f4cf

    SHA256

    db3fc36909d5d2d6a7292cd9da2d7156a243def7055074472667cc24bff3bf55

    SHA512

    fe91706d32b71948e31d3af5b02714b2d6b61d2170c3d70d28a0c2094cd278eff6c404fc9fa52438db4ea3de0f57e63621a62df936cb0df0bdf1d5848a45bcf6

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    172B

    MD5

    8f6ff39208b2ffe0e37b8026a9cce693

    SHA1

    4ff4b7c809315f3216580db8b60135a3518cdbaf

    SHA256

    472683dcde4ab9a12883a6cafc5394317f4b3d7ff611061d1b2eef7a18a166d7

    SHA512

    e18bb2fd33871ebbcdff13198be0f9643604d412cf06067b4c09673fdc847f04260e6775bb92186ab7486570907085ae4874c999dbcc65b57f7b677fde26a66f

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    204B

    MD5

    9a6548695fabc461a7c9980c33d83fb2

    SHA1

    bcb0f327888bd83829d2ac16f60e89c434eb9b2c

    SHA256

    8b41383b2a4664c0d3ce99af43cb28826b303c8357608e3d8419384365bb8dc5

    SHA512

    7c23a7316e352121326803bdd27f2097f379017c58d19b6490a14224c093aafd402886a6dc414ce3c0376243cc235d5fff58836e0389c0ee3c8c60f485f7e596

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe

    Filesize

    2.6MB

    MD5

    142d92e99e78c2ffc0de672d40381664

    SHA1

    e529a271951010745f269813de780d0da22a17fe

    SHA256

    007a4191718fca27223f0bef8af704984317eaf2cc9d6b0b1f5472fdee697d69

    SHA512

    d5d12ac6564c538e200912f4ed04ce8b8f408799e0baa19c053ed1759fd3dcdbf5f9fdad740f2793513fc6904ec4a9c6070c8c8b92f646f068d2af8a796831fe