Analysis
max time kernel: 150s
max time network: 123s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/09/2024, 19:08
Static task: static1
Behavioral task: behavioral1
  Sample: 1df4b562406c3dc156ba80a3ffa8c03eca539d4e737a63dcbc1eeb79a1e18472.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 1df4b562406c3dc156ba80a3ffa8c03eca539d4e737a63dcbc1eeb79a1e18472.exe
  Resource: win10v2004-20240802-en
General
Target: 1df4b562406c3dc156ba80a3ffa8c03eca539d4e737a63dcbc1eeb79a1e18472.exe
Size: 2.6MB
MD5: e85314befe69377f737ca5192f3b16d3
SHA1: f7dc6a51bb6c995449a5f31710cb76cd4ad72ba5
SHA256: 1df4b562406c3dc156ba80a3ffa8c03eca539d4e737a63dcbc1eeb79a1e18472
SHA512: 18b523766a99cb932ad2cf5b54ef19bcde64e864e83e04bae2d55ae4fdc65046049c1592d532c1f9824e6299081d86e982e0c293a12671e36ae4de6026c146e9
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBJB/bS:sxX7QnxrloE5dpUpmb
Malware Config
Signatures
Credentials from Password Stores: Credentials from Web Browsers (1 TTPs)
Malicious Access or copy of Web Browser Credential store.

Drops startup file (1 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe | 1df4b562406c3dc156ba80a3ffa8c03eca539d4e737a63dcbc1eeb79a1e18472.exe

Executes dropped EXE (2 IoCs)
pid | Process
1116 | ecxopti.exe
4412 | devdobsys.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxIP\\optialoc.exe" | 1df4b562406c3dc156ba80a3ffa8c03eca539d4e737a63dcbc1eeb79a1e18472.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesDE\\devdobsys.exe" | 1df4b562406c3dc156ba80a3ffa8c03eca539d4e737a63dcbc1eeb79a1e18472.exe
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1df4b562406c3dc156ba80a3ffa8c03eca539d4e737a63dcbc1eeb79a1e18472.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ecxopti.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | devdobsys.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
3660 | 1df4b562406c3dc156ba80a3ffa8c03eca539d4e737a63dcbc1eeb79a1e18472.exe (first 4 entries)
1116 | ecxopti.exe (remaining 60 entries alternate, in pairs, between this row and the next)
4412 | devdobsys.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 3660 wrote to memory of 1116 | 3660 | 1df4b562406c3dc156ba80a3ffa8c03eca539d4e737a63dcbc1eeb79a1e18472.exe | 82 (listed 3 times)
PID 3660 wrote to memory of 4412 | 3660 | 1df4b562406c3dc156ba80a3ffa8c03eca539d4e737a63dcbc1eeb79a1e18472.exe | 83 (listed 3 times)
Processes
C:\Users\Admin\AppData\Local\Temp\1df4b562406c3dc156ba80a3ffa8c03eca539d4e737a63dcbc1eeb79a1e18472.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1df4b562406c3dc156ba80a3ffa8c03eca539d4e737a63dcbc1eeb79a1e18472.exe"
  PID: 3660
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe (depth 2, child of PID 3660)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
    PID: 1116
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  C:\FilesDE\devdobsys.exe (depth 2, child of PID 3660)
    Command line: C:\FilesDE\devdobsys.exe
    PID: 4412
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 414KB
MD5: db09779ceb9bb7a75bc04bce0a4d650e
SHA1: 798a1b4edb6438aeafe7f9c6e0c8c1fc9aca10b7
SHA256: 1d53c5bc4576e5b4cc8fa981c5c5de1dfdc6b871a558ff1973e742c31f71de0d
SHA512: 8e6afdb91498216f60b833e902e04a5ba581daa9a898c6c474c84ade4e13f47448d7b2a1408e228cab509005784dc03ac8177e92733e0b76f2eb1b50d41c7744

Filesize: 2.6MB
MD5: adc7d5bb4b57c9c8a59d485c80ab842b
SHA1: 43e28cfd04c447a5be4cf4113e93588b4fe81628
SHA256: 36bd8c3600ffe8e3c3669a8951bf542da84bf93726d4196eb03733b7aa5224b0
SHA512: 3a94e9cb98cf9ca637a5a0f659653fe1c9ebef33239130c67545bad0024195b54e7df16f4b0491a38f9b313df7709740901182a55e17cd3036502472c499bc9b

Filesize: 15KB
MD5: baebd565738a73b1785d23f85b9b1880
SHA1: 3e776227196d9cbee3a9edf120876f20e6af105e
SHA256: d451bfb56a9629b7c961f22f94e615ae1d66d53c909dab9ab26f8c2232159dd7
SHA512: 3bc0de8b170643c38e93f2b6c116204a135a96435b5202c60c580af12b14787eda2041a92b0dfede92dceb5ad1f7dd232671d472556ccdd7bae26dd1918902a0

Filesize: 422KB
MD5: 21beee87218fbb858f6b4dfac3b5fcac
SHA1: 72d7f5b315ff8e4767b6aea4e9474d6a6ba1936c
SHA256: 7cde72649bcbddf15b5b05c858b90d36986edb7b79fe892f7cae3687c97856c1
SHA512: 02e61f86006479e19c4f2475acf351d13fe3859c5e1c1f5c88d1f6f900ff4f18f7ef6809a40ffbdd5f02c6844e3383d48127030949c1fe426df726d4c61a3e43

Filesize: 204B
MD5: c10db56612b7947301a314694e8bc9d4
SHA1: 483ae0e18eb2f5fc3e76059df1913c8283e45d17
SHA256: a2a95ca182d3ee4464f7517f2e2b7714f2453814cb02b228509d169e0e00c8ec
SHA512: 66cf877518a726dbf01b42edf801c06059faa627b05ef60b9d7eb4d5656a8a19dea3c89f4133f8ec625711594fe58633cc2be75fd4d3e09fd93768b82c973ed0

Filesize: 172B
MD5: 34bccc88ca15d7af22725ec12968732c
SHA1: 8aa2ac4a87ba077419dee019ce4b021cb84d39f9
SHA256: 9358e0c1a8145e8eb881ac77e34d5985272911cff237d46f9ca895a1421504b0
SHA512: 6ea2d094fba43f50fe9f09ae17a42d92cbcecd0be436443916141ec3e492e2e2c8032d11e96daeb28409ae2da666ceff4651da80920702f12a3bf9ad6b338f15

Filesize: 2.6MB
MD5: 9ed9cbc9274689e3477faf6efa1ec750
SHA1: 2c9a7848b74db51e4c44069a2d512dca5ee735f2
SHA256: 86cad0ab8e1e9e1c4a2b2f4f1bc962649985c0e299589634059904babbddac94
SHA512: 2ed3e93345013b86a204ff370ac035bef039851cebd33d9ab8317ae8ab4e39fae6627f168ad3c47c6e59bc815e3b7dc8648675ac2bd3888c068621984da22816