Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/09/2024, 19:08

General

  • Target

    1df4b562406c3dc156ba80a3ffa8c03eca539d4e737a63dcbc1eeb79a1e18472.exe

  • Size

    2.6MB

  • MD5

    e85314befe69377f737ca5192f3b16d3

  • SHA1

    f7dc6a51bb6c995449a5f31710cb76cd4ad72ba5

  • SHA256

    1df4b562406c3dc156ba80a3ffa8c03eca539d4e737a63dcbc1eeb79a1e18472

  • SHA512

    18b523766a99cb932ad2cf5b54ef19bcde64e864e83e04bae2d55ae4fdc65046049c1592d532c1f9824e6299081d86e982e0c293a12671e36ae4de6026c146e9

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBJB/bS:sxX7QnxrloE5dpUpmb

Malware Config

Signatures

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1df4b562406c3dc156ba80a3ffa8c03eca539d4e737a63dcbc1eeb79a1e18472.exe
    "C:\Users\Admin\AppData\Local\Temp\1df4b562406c3dc156ba80a3ffa8c03eca539d4e737a63dcbc1eeb79a1e18472.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3660
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1116
    • C:\FilesDE\devdobsys.exe
      C:\FilesDE\devdobsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4412

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\FilesDE\devdobsys.exe

    Filesize

    414KB

    MD5

    db09779ceb9bb7a75bc04bce0a4d650e

    SHA1

    798a1b4edb6438aeafe7f9c6e0c8c1fc9aca10b7

    SHA256

    1d53c5bc4576e5b4cc8fa981c5c5de1dfdc6b871a558ff1973e742c31f71de0d

    SHA512

    8e6afdb91498216f60b833e902e04a5ba581daa9a898c6c474c84ade4e13f47448d7b2a1408e228cab509005784dc03ac8177e92733e0b76f2eb1b50d41c7744

  • C:\FilesDE\devdobsys.exe

    Filesize

    2.6MB

    MD5

    adc7d5bb4b57c9c8a59d485c80ab842b

    SHA1

    43e28cfd04c447a5be4cf4113e93588b4fe81628

    SHA256

    36bd8c3600ffe8e3c3669a8951bf542da84bf93726d4196eb03733b7aa5224b0

    SHA512

    3a94e9cb98cf9ca637a5a0f659653fe1c9ebef33239130c67545bad0024195b54e7df16f4b0491a38f9b313df7709740901182a55e17cd3036502472c499bc9b

  • C:\GalaxIP\optialoc.exe

    Filesize

    15KB

    MD5

    baebd565738a73b1785d23f85b9b1880

    SHA1

    3e776227196d9cbee3a9edf120876f20e6af105e

    SHA256

    d451bfb56a9629b7c961f22f94e615ae1d66d53c909dab9ab26f8c2232159dd7

    SHA512

    3bc0de8b170643c38e93f2b6c116204a135a96435b5202c60c580af12b14787eda2041a92b0dfede92dceb5ad1f7dd232671d472556ccdd7bae26dd1918902a0

  • C:\GalaxIP\optialoc.exe

    Filesize

    422KB

    MD5

    21beee87218fbb858f6b4dfac3b5fcac

    SHA1

    72d7f5b315ff8e4767b6aea4e9474d6a6ba1936c

    SHA256

    7cde72649bcbddf15b5b05c858b90d36986edb7b79fe892f7cae3687c97856c1

    SHA512

    02e61f86006479e19c4f2475acf351d13fe3859c5e1c1f5c88d1f6f900ff4f18f7ef6809a40ffbdd5f02c6844e3383d48127030949c1fe426df726d4c61a3e43

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    204B

    MD5

    c10db56612b7947301a314694e8bc9d4

    SHA1

    483ae0e18eb2f5fc3e76059df1913c8283e45d17

    SHA256

    a2a95ca182d3ee4464f7517f2e2b7714f2453814cb02b228509d169e0e00c8ec

    SHA512

    66cf877518a726dbf01b42edf801c06059faa627b05ef60b9d7eb4d5656a8a19dea3c89f4133f8ec625711594fe58633cc2be75fd4d3e09fd93768b82c973ed0

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    172B

    MD5

    34bccc88ca15d7af22725ec12968732c

    SHA1

    8aa2ac4a87ba077419dee019ce4b021cb84d39f9

    SHA256

    9358e0c1a8145e8eb881ac77e34d5985272911cff237d46f9ca895a1421504b0

    SHA512

    6ea2d094fba43f50fe9f09ae17a42d92cbcecd0be436443916141ec3e492e2e2c8032d11e96daeb28409ae2da666ceff4651da80920702f12a3bf9ad6b338f15

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe

    Filesize

    2.6MB

    MD5

    9ed9cbc9274689e3477faf6efa1ec750

    SHA1

    2c9a7848b74db51e4c44069a2d512dca5ee735f2

    SHA256

    86cad0ab8e1e9e1c4a2b2f4f1bc962649985c0e299589634059904babbddac94

    SHA512

    2ed3e93345013b86a204ff370ac035bef039851cebd33d9ab8317ae8ab4e39fae6627f168ad3c47c6e59bc815e3b7dc8648675ac2bd3888c068621984da22816