Analysis

  • max time kernel
    120s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28/09/2024, 07:37

General

  • Target
    17c98c66fee3afc7b354f73cfbc63d62271fc7b93f3f2e26277035451471152cN.exe
  • Size
    2.6MB
  • MD5
    0914143e1282401f23d0b5f072f8ee60
  • SHA1
    cf2df366c40c1e38621da27eae9bab47a80d0f80
  • SHA256
    17c98c66fee3afc7b354f73cfbc63d62271fc7b93f3f2e26277035451471152c
  • SHA512
    3eab0f2f6f75e3b65f01a245cccef81463d06d8bc4b507dcc2a525bed07494ae1c2896561c5994626eb53b867e4c5b9a4e91bce7ea346f9d07b4fbcedfcaebc4
  • SSDEEP
    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB5B/bS:sxX7QnxrloE5dpUpGb

Signatures

  • Drops startup file (1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Reads user/profile data of web browsers (3 TTPs)
    Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\17c98c66fee3afc7b354f73cfbc63d62271fc7b93f3f2e26277035451471152cN.exe
    "C:\Users\Admin\AppData\Local\Temp\17c98c66fee3afc7b354f73cfbc63d62271fc7b93f3f2e26277035451471152cN.exe"
    (level 1, PID:3368)
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
      (level 2, PID:4436)
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
    • C:\UserDot22\aoptiec.exe
      C:\UserDot22\aoptiec.exe
      (level 2, PID:1996)
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Enterprise v15

Downloads

  • C:\GalaxA3\optiaec.exe
    Filesize: 15KB
    MD5: 62f17a18e2665228331086e6e938bfcc
    SHA1: 8e2aada25ef3eee33045d7c08ce27d04adfb7da4
    SHA256: 1f30a15b454a01e1f02a566860b6dea8fe2debfee04aa9dcd02eff1b374b5385
    SHA512: 0cde9444b74a958f01e657a2f49550b28dac6697a6d01cdde84a080468781943e73e4ca36b1efb6ce7bebd85c014c8ebf526f60943adf83ef100be6249c3a5f3

  • C:\GalaxA3\optiaec.exe
    Filesize: 2.6MB
    MD5: 4799716ce306afc8b5e3191497749ec0
    SHA1: 65d9c573dc86b42a759b9366fcab2a0684032149
    SHA256: fdf7b30191b5665d26f0c1e8227767986f988951b9dec8243d10f01de9777eab
    SHA512: 4d0c050f1fd9fd71374d9321cddbf6a898f6fe24766771a24eee13fda1b7131f428035d6cb110b1cdaf83222780bac01e501aecf2c0071888179f13e5c989e9a

  • C:\UserDot22\aoptiec.exe
    Filesize: 2.6MB
    MD5: 3e948c2ef9ab67ba841d1e91a38135ea
    SHA1: 76b766a449d5fd51a086778ef03cf8e2301088ed
    SHA256: 79caf06003d61775282b0058ef80e4392553dda4a42d3ada32d121da406a2e85
    SHA512: 58e63cca90a53d09a15b3c9fccef9ce938b0f59e7881288d16fe96a06ba460c53943d1bc08429012a38ea2c2e078382a54c7ba94ae6282ec97b37d64401f6e6d

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 205B
    MD5: 8d0cfb4d58fde24c07ac4da2cfd5d5c9
    SHA1: 7651913a4422b1558a71fad26f3f21caf7b5f5b0
    SHA256: 6d6c15e7fb80cbc6cb34fd4df91344d20da9950e7805e37ba6ea31cee5c5ef43
    SHA512: a2d6a78d7355026d4204dd32cad24e10a1874b1f377d2b55d8b5c4b599c04d6a148c794f5cb9553acdf68428b41d4d04bf80cec7f29aa91b226342e8c001c011

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 173B
    MD5: 31901043fbc8afaf8e91de9caf068c1e
    SHA1: 54e98ada0715d01ad9beba3250c1991de5563f29
    SHA256: c4ab7b31a9675d3f54b04d90a334e47423afa47a89a4642a91a52cf8232c2ac1
    SHA512: 450b033310d6d40a26dfce0fc26c38e91a603b295d8003ee1b6da47feeb7191795ba792088e86022fc9ee04ce459d882b493020edaa46739f4d6984c37fa2ea4

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
    Filesize: 2.6MB
    MD5: 1101943adb9bb7b4175d672006d91b1c
    SHA1: 83056904247dca68d54b39752dec20b3d86865cb
    SHA256: bac8cf6c5c162fa0da8f6397dad2428675a8a804e373701076f36f828100d0b5
    SHA512: ef8fdeb5444baca1590b60020844ee937ea96c47008d8615cf099ec82444e0c0f29ebc6f1167f029ca70c155acea4b954ba6320fad7f1da9a603272f534e92cb