Analysis
max time kernel: 120s
max time network: 97s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/09/2024, 07:37
Static task: static1
Behavioral task: behavioral1
  Sample: 17c98c66fee3afc7b354f73cfbc63d62271fc7b93f3f2e26277035451471152cN.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 17c98c66fee3afc7b354f73cfbc63d62271fc7b93f3f2e26277035451471152cN.exe
  Resource: win10v2004-20240802-en
General
Target: 17c98c66fee3afc7b354f73cfbc63d62271fc7b93f3f2e26277035451471152cN.exe
Size: 2.6MB
MD5: 0914143e1282401f23d0b5f072f8ee60
SHA1: cf2df366c40c1e38621da27eae9bab47a80d0f80
SHA256: 17c98c66fee3afc7b354f73cfbc63d62271fc7b93f3f2e26277035451471152c
SHA512: 3eab0f2f6f75e3b65f01a245cccef81463d06d8bc4b507dcc2a525bed07494ae1c2896561c5994626eb53b867e4c5b9a4e91bce7ea346f9d07b4fbcedfcaebc4
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB5B/bS:sxX7QnxrloE5dpUpGb
Malware Config
Signatures
Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
    Process: 17c98c66fee3afc7b354f73cfbc63d62271fc7b93f3f2e26277035451471152cN.exe

Executes dropped EXE (2 IoCs)
  PID 4436: ecdevopti.exe
  PID 1996: aoptiec.exe

Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot22\\aoptiec.exe"
    Process: 17c98c66fee3afc7b354f73cfbc63d62271fc7b93f3f2e26277035451471152cN.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxA3\\optiaec.exe"
    Process: 17c98c66fee3afc7b354f73cfbc63d62271fc7b93f3f2e26277035451471152cN.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: 17c98c66fee3afc7b354f73cfbc63d62271fc7b93f3f2e26277035451471152cN.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: ecdevopti.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: aoptiec.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 3368: 17c98c66fee3afc7b354f73cfbc63d62271fc7b93f3f2e26277035451471152cN.exe (4 entries)
  PID 4436: ecdevopti.exe (30 entries)
  PID 1996: aoptiec.exe (30 entries)

Suspicious use of WriteProcessMemory (6 IoCs)
  PID 3368 wrote to memory of 4436 (17c98c66fee3afc7b354f73cfbc63d62271fc7b93f3f2e26277035451471152cN.exe, procid_target 82), 3 entries
  PID 3368 wrote to memory of 1996 (17c98c66fee3afc7b354f73cfbc63d62271fc7b93f3f2e26277035451471152cN.exe, procid_target 83), 3 entries
Processes
1. C:\Users\Admin\AppData\Local\Temp\17c98c66fee3afc7b354f73cfbc63d62271fc7b93f3f2e26277035451471152cN.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\17c98c66fee3afc7b354f73cfbc63d62271fc7b93f3f2e26277035451471152cN.exe"
   PID: 3368
   - Drops startup file
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
      PID: 4436
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

   2. C:\UserDot22\aoptiec.exe
      Command line: C:\UserDot22\aoptiec.exe
      PID: 1996
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 15KB
MD5: 62f17a18e2665228331086e6e938bfcc
SHA1: 8e2aada25ef3eee33045d7c08ce27d04adfb7da4
SHA256: 1f30a15b454a01e1f02a566860b6dea8fe2debfee04aa9dcd02eff1b374b5385
SHA512: 0cde9444b74a958f01e657a2f49550b28dac6697a6d01cdde84a080468781943e73e4ca36b1efb6ce7bebd85c014c8ebf526f60943adf83ef100be6249c3a5f3

Filesize: 2.6MB
MD5: 4799716ce306afc8b5e3191497749ec0
SHA1: 65d9c573dc86b42a759b9366fcab2a0684032149
SHA256: fdf7b30191b5665d26f0c1e8227767986f988951b9dec8243d10f01de9777eab
SHA512: 4d0c050f1fd9fd71374d9321cddbf6a898f6fe24766771a24eee13fda1b7131f428035d6cb110b1cdaf83222780bac01e501aecf2c0071888179f13e5c989e9a

Filesize: 2.6MB
MD5: 3e948c2ef9ab67ba841d1e91a38135ea
SHA1: 76b766a449d5fd51a086778ef03cf8e2301088ed
SHA256: 79caf06003d61775282b0058ef80e4392553dda4a42d3ada32d121da406a2e85
SHA512: 58e63cca90a53d09a15b3c9fccef9ce938b0f59e7881288d16fe96a06ba460c53943d1bc08429012a38ea2c2e078382a54c7ba94ae6282ec97b37d64401f6e6d

Filesize: 205B
MD5: 8d0cfb4d58fde24c07ac4da2cfd5d5c9
SHA1: 7651913a4422b1558a71fad26f3f21caf7b5f5b0
SHA256: 6d6c15e7fb80cbc6cb34fd4df91344d20da9950e7805e37ba6ea31cee5c5ef43
SHA512: a2d6a78d7355026d4204dd32cad24e10a1874b1f377d2b55d8b5c4b599c04d6a148c794f5cb9553acdf68428b41d4d04bf80cec7f29aa91b226342e8c001c011

Filesize: 173B
MD5: 31901043fbc8afaf8e91de9caf068c1e
SHA1: 54e98ada0715d01ad9beba3250c1991de5563f29
SHA256: c4ab7b31a9675d3f54b04d90a334e47423afa47a89a4642a91a52cf8232c2ac1
SHA512: 450b033310d6d40a26dfce0fc26c38e91a603b295d8003ee1b6da47feeb7191795ba792088e86022fc9ee04ce459d882b493020edaa46739f4d6984c37fa2ea4

Filesize: 2.6MB
MD5: 1101943adb9bb7b4175d672006d91b1c
SHA1: 83056904247dca68d54b39752dec20b3d86865cb
SHA256: bac8cf6c5c162fa0da8f6397dad2428675a8a804e373701076f36f828100d0b5
SHA512: ef8fdeb5444baca1590b60020844ee937ea96c47008d8615cf099ec82444e0c0f29ebc6f1167f029ca70c155acea4b954ba6320fad7f1da9a603272f534e92cb