Analysis

  • max time kernel
    120s
  • max time network
    92s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/09/2024, 02:10

General

  • Target

    db00276d6303371ff33d01daca3daf00N.exe

  • Size

    2.6MB

  • MD5

    db00276d6303371ff33d01daca3daf00

  • SHA1

    04f3de19e7f96461bc5af303908cd0f7af4103bd

  • SHA256

    bf85caf1ad972fed65bbc29ab85243f8dc0172792b5002e6fc8630abb71b1c8c

  • SHA512

    e90ceaf4b44e82c88b07ce420f6135e72bc70e95772cdeee7262e7e9f75d7fdef3fe253117373e9c3a1e24a1ebd4a726363f437f74c8c2d552bbcd8f156691a1

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBFB/bS:sxX7QnxrloE5dpUpib

Malware Config

Signatures

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, the web browser credential store.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\db00276d6303371ff33d01daca3daf00N.exe
    "C:\Users\Admin\AppData\Local\Temp\db00276d6303371ff33d01daca3daf00N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3980
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2240
    • C:\Intelproc1Y\xoptiloc.exe
      C:\Intelproc1Y\xoptiloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1972

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Intelproc1Y\xoptiloc.exe

    Filesize

    2.6MB

    MD5

    93cb38b58ea413647581849801894323

    SHA1

    dea1a9409c1e2e755861808d1347f168f25b8e20

    SHA256

    45dd0b9b5e8f85b667d9419db88a130e7d298601738afc62b97d7474a8443968

    SHA512

    b63ea2b5cef7cf1862c053b7a9dcd93654c29127655bb05d07bbcfe6a5e0bc6d685523de6a8e7a87ab9e6cf5ad9f184cf4a9ab76dd3ff5c17a640c733c3bd501

  • C:\LabZIW\optidevec.exe

    Filesize

    256KB

    MD5

    b3ab996ff59c6aea5e1a2915a9e8aeb7

    SHA1

    b5c7aaef814b7982f52b7ce36668ed4dcb82b934

    SHA256

    f5b37472689368d417d48670c8fb456672adf63232490643311ce72427783ee1

    SHA512

    3449d47f16c312162f606b8496898b4f7a3587ce5c15ffb6ef1ffcc5aa2d024e2289997c3e4f6c8c1507c5719b52e6cd4c81ec2caac86719c9d302f99d65aa04

  • C:\LabZIW\optidevec.exe

    Filesize

    189KB

    MD5

    43ad7e251790c7e47b6823bd030db779

    SHA1

    ebcc886fc2ff87e2f3da6024e55bb752bfb09198

    SHA256

    e9bc73029b679eaca4a029fb2c3c07d776caed4e1fda9d829fb87bf5bfd8a6df

    SHA512

    2ca78f61949de2433d291e1aa9fb21aabaa662297c0c6b1b5116ba8433f1b3d831774b35be789a23752142d5c0d2e915e4001d59ea63ae28344dad61f4c30809

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    207B

    MD5

    ce86486e35d917b939b257a0440484a9

    SHA1

    32482029b1c86a89d351ec2236c8e6d91f92690a

    SHA256

    7a529445cdde18c1263bf9a03a0046a6481f958c96f3d167c0d32472e55581a7

    SHA512

    dfca6de49e2b65dc869245234cd2affca439becd240f2f10c8442ebc9a7b1888ed92d562e53c6c25855c7f190c0e68cea150b8020ec54ade73e0aee337d46cc7

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    175B

    MD5

    d40bb084383d3d37ba4a634418e3bd1d

    SHA1

    4399dabcb68c0bfb84cd40d70c1d8ebe8896d332

    SHA256

    0e0bb1efb5162d58d997545e1b512f728b85b6f0c3e393a04e75d31dc7d6f5bc

    SHA512

    9fe15b65f69c1ea190e6ccf650866fdbde44eda3b6ae64379c3ee00d4e993cc1174e03cd9f590ebcd17ffbc055bd651923c529724f05400f617455b8535171d2

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe

    Filesize

    2.6MB

    MD5

    2d3479933b19db1f94dee459fe732b69

    SHA1

    821bd5e21ec4f20de5fc755419a9abfb7221123e

    SHA256

    0f5b841ae313acbd1e53b9b7e25ebb14b3116fad867ac1cb56e9b2cbd4e07a95

    SHA512

    1dd8452717d3d97ef163ff5f588b160ee067a064b0082ac1c2318860b5e6b95e3296513f947e7ae21820aa06196d62abda991634e758250b436833799b78acaf