Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 120s
- max time network: 94s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
- submitted: 30/09/2024, 22:31
Static task
- static1
Behavioral tasks
- behavioral1: sample 467e1695403afbc0e5cbc343b23fd0e6ba6eefcd88425bda7207fc759eaf28f6N.exe, resource win7-20240903-en
- behavioral2: sample 467e1695403afbc0e5cbc343b23fd0e6ba6eefcd88425bda7207fc759eaf28f6N.exe, resource win10v2004-20240802-en
General
- Target: 467e1695403afbc0e5cbc343b23fd0e6ba6eefcd88425bda7207fc759eaf28f6N.exe
- Size: 2.6MB
- MD5: d73dbc077f643acecf9182e2d6ea0f00
- SHA1: 2b0caeb79eeb5e4becb6cbea14d2e0868c6f288c
- SHA256: 467e1695403afbc0e5cbc343b23fd0e6ba6eefcd88425bda7207fc759eaf28f6
- SHA512: 3cce366c4584ede5c2ee6c950c6f29912ccc1bdabf9d74d0ad6546dbb67216b3ee1b1cb7f914537e654e2d613068abc9609e8233c28e57e07daca35487ab0ad4
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBFB/bS:sxX7QnxrloE5dpUp2b
Malware Config
Signatures
Drops startup file (1 IoC)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe (process: 467e1695403afbc0e5cbc343b23fd0e6ba6eefcd88425bda7207fc759eaf28f6N.exe)
Executes dropped EXE (2 IoCs)
- pid 1516: ecdevdob.exe
- pid 1596: xoptiec.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials and other sensitive profile contents. The report lists TTPs only for this signature, with no individual IoC rows, so the specific browser paths touched are not shown here.
Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintF6\\bodasys.exe" (process: 467e1695403afbc0e5cbc343b23fd0e6ba6eefcd88425bda7207fc759eaf28f6N.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv13\\xoptiec.exe" (process: 467e1695403afbc0e5cbc343b23fd0e6ba6eefcd88425bda7207fc759eaf28f6N.exe)
Both values are written under the user's own hive (SID S-1-5-21-...-1000), so no elevation is needed. The Run value points at C:\SysDrv13\xoptiec.exe, which is the second child in the Processes section below; the RunOnce value points at C:\MintF6\bodasys.exe, which does not appear anywhere in the observed process tree. That stage is only started at the next user logon (and RunOnce entries are removed once they fire), so this detonation does not cover it. The same value name "Parametr" is reused in both keys and is a convenient pivot for hunting.
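The two signatures above (the Startup folder drop and the Run/RunOnce values) are the sample's persistence. The following is an added example, not tria.ge output or the sample's own code: it parses the IoC rows exactly as the report prints them, classifies each into a mechanism and scope, and flags any autostart payload that never executed during the detonation. The function and class names are the editor's choice; the set of observed image names is transcribed from the Processes section of this report.

```python
"""Classify the autostart IoCs in this report into persistence mechanisms.

Added example: the IoC lines are copied from the "Drops startup file" and
"Adds Run key" signatures; the parsing and the names of the functions below
are the editor's, not a tria.ge feature.
"""
import re
from dataclasses import dataclass

# IoC rows exactly as the report prints them (description, ioc, process).
REPORT_IOCS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintF6\\bodasys.exe" 467e1695403afbc0e5cbc343b23fd0e6ba6eefcd88425bda7207fc759eaf28f6N.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv13\\xoptiec.exe" 467e1695403afbc0e5cbc343b23fd0e6ba6eefcd88425bda7207fc759eaf28f6N.exe',
    r'File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe 467e1695403afbc0e5cbc343b23fd0e6ba6eefcd88425bda7207fc759eaf28f6N.exe',
]

# Image names that actually executed in the "Processes" section of this report.
OBSERVED_IMAGES = {
    "467e1695403afbc0e5cbc343b23fd0e6ba6eefcd88425bda7207fc759eaf28f6N.exe",
    "ecdevdob.exe",
    "xoptiec.exe",
}

SET_VALUE_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\S+) = "(?P<data>[^"]*)" (?P<proc>\S+)$')
FILE_CREATED_RE = re.compile(r'^File created (?P<path>.+?) (?P<proc>\S+)$')
# Run and RunOnce sit directly under ...\CurrentVersion; the last path element is the value name.
AUTORUN_KEY_RE = re.compile(r'\\CurrentVersion\\(?P<kind>RunOnce|Run)\\(?P<name>[^\\]+)$', re.IGNORECASE)
STARTUP_DIR = "\\start menu\\programs\\startup\\"


@dataclass
class Persistence:
    mechanism: str   # "Run", "RunOnce" or "Startup folder"
    scope: str       # "user" (no elevation needed) or "machine"
    name: str        # registry value name, or the dropped file name
    payload: str     # executable that will start at the next logon
    writer: str      # process that created the entry
    observed: bool   # True if the payload also ran inside this sandbox session


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def classify_persistence(ioc_lines, observed_images):
    """Turn raw IoC rows into Persistence records; rows that are not autostart entries are skipped."""
    found = []
    for line in ioc_lines:
        m = SET_VALUE_RE.match(line)
        if m:
            k = AUTORUN_KEY_RE.search(m["key"])
            if not k:
                continue
            kind = "RunOnce" if k["kind"].lower() == "runonce" else "Run"
            scope = "machine" if m["key"].upper().startswith("\\REGISTRY\\MACHINE") else "user"
            # The report prints the value data with doubled backslashes; undo that escaping.
            payload = m["data"].replace("\\\\", "\\")
            found.append(Persistence(kind, scope, k["name"], payload, m["proc"],
                                     _basename(payload) in observed_images))
            continue
        m = FILE_CREATED_RE.match(line)
        if m and STARTUP_DIR in m["path"].lower():
            scope = "user" if "\\users\\" in m["path"].lower() else "machine"
            image = _basename(m["path"])
            found.append(Persistence("Startup folder", scope, image, m["path"], m["proc"],
                                     image in observed_images))
    return found


def unobserved_stages(entries):
    """Payloads registered for autostart that never executed during the detonation."""
    return [e.payload for e in entries if not e.observed]


if __name__ == "__main__":
    entries = classify_persistence(REPORT_IOCS, OBSERVED_IMAGES)
    for e in entries:
        print(f"{e.mechanism:14} {e.scope:7} {e.name:14} -> {e.payload}  observed={e.observed}")
    print("not observed in sandbox:", unobserved_stages(entries))
```

Run on this report's rows, `unobserved_stages` returns only C:\MintF6\bodasys.exe, which is the stage a detonation-only view misses; a second analysis pass would need to collect that file from the dropped-file list and submit it separately, or rerun the sample with a reboot/re-logon step.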
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 467e1695403afbc0e5cbc343b23fd0e6ba6eefcd88425bda7207fc759eaf28f6N.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: ecdevdob.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: xoptiec.exe)
All three stages open the key, but the key open alone does not show whether the result gates execution on particular locales; that would need the string comparisons that follow the read.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- pid 3164, 467e1695403afbc0e5cbc343b23fd0e6ba6eefcd88425bda7207fc759eaf28f6N.exe: 4 entries
- pid 1516, ecdevdob.exe: 30 entries
- pid 1596, xoptiec.exe: 30 entries
(The report repeats each pid/process pair once per enumeration event; the counts above preserve that information without the repetition.)
Suspicious use of WriteProcessMemory (6 IoCs)
- PID 3164 (467e1695403afbc0e5cbc343b23fd0e6ba6eefcd88425bda7207fc759eaf28f6N.exe) wrote to memory of PID 1516, procid_target 82 (3 entries)
- PID 3164 (467e1695403afbc0e5cbc343b23fd0e6ba6eefcd88425bda7207fc759eaf28f6N.exe) wrote to memory of PID 1596, procid_target 83 (3 entries)
Both targets are the children that 3164 itself spawned (see Processes below), so these writes are consistent with ordinary process creation, where the parent writes startup data into the new child's address space, rather than injection into an unrelated, already running process.
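The distinction drawn above, writes into one's own freshly spawned children versus writes into anything else, is mechanical enough to automate. The following is an added example by the editor, not tria.ge code: it collapses the six repeated rows, reconciles each writer/target pair against the parent-child edges transcribed from the Processes section, and separates the pairs explained by process creation from those that are not. The `HYPOTHETICAL_INJECTION` row is constructed for the counter-example and does not come from this report.

```python
"""Reconcile the WriteProcessMemory IoCs in this report with its process tree.

Added example by the editor; the six IoC rows are copied from the report, the
process tree is transcribed from its "Processes" section, and the functions
are not a tria.ge feature.
"""
import re
from collections import Counter

# One row per line, as printed: description, pid, Process, procid_target.
WRITE_IOCS = [
    "PID 3164 wrote to memory of 1516 3164 467e1695403afbc0e5cbc343b23fd0e6ba6eefcd88425bda7207fc759eaf28f6N.exe 82",
    "PID 3164 wrote to memory of 1516 3164 467e1695403afbc0e5cbc343b23fd0e6ba6eefcd88425bda7207fc759eaf28f6N.exe 82",
    "PID 3164 wrote to memory of 1516 3164 467e1695403afbc0e5cbc343b23fd0e6ba6eefcd88425bda7207fc759eaf28f6N.exe 82",
    "PID 3164 wrote to memory of 1596 3164 467e1695403afbc0e5cbc343b23fd0e6ba6eefcd88425bda7207fc759eaf28f6N.exe 83",
    "PID 3164 wrote to memory of 1596 3164 467e1695403afbc0e5cbc343b23fd0e6ba6eefcd88425bda7207fc759eaf28f6N.exe 83",
    "PID 3164 wrote to memory of 1596 3164 467e1695403afbc0e5cbc343b23fd0e6ba6eefcd88425bda7207fc759eaf28f6N.exe 83",
]

# Parent PID -> child PIDs, from the depth markers in the "Processes" section.
PROCESS_TREE = {3164: {1516, 1596}}

# Constructed counter-example (NOT from this report): a child writing into its parent.
HYPOTHETICAL_INJECTION = ["PID 1516 wrote to memory of 3164 1516 ecdevdob.exe 81"]

WRITE_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P<pid>\d+) (?P<image>\S+) (?P<target_id>\d+)$")


def parse_writes(lines):
    """Collapse repeated rows into a Counter of (writer_pid, target_pid) -> event count."""
    edges = Counter()
    for line in lines:
        m = WRITE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised IoC row: {line!r}")
        if m["src"] != m["pid"]:
            raise ValueError(f"writer in description differs from pid column: {line!r}")
        edges[(int(m["src"]), int(m["dst"]))] += 1
    return edges


def triage_writes(lines, tree):
    """Split write edges into those explained by process creation and those that are not.

    A parent writing into a child it just spawned is what CreateProcess looks like
    from the sandbox hooks; a write into any other process deserves a closer look.
    """
    explained, unexplained = {}, {}
    for (src, dst), n in parse_writes(lines).items():
        bucket = explained if dst in tree.get(src, set()) else unexplained
        bucket[(src, dst)] = n
    return explained, unexplained


if __name__ == "__main__":
    ok, bad = triage_writes(WRITE_IOCS, PROCESS_TREE)
    print("consistent with process creation:", ok)
    print("needs a closer look:", bad)
    ok, bad = triage_writes(HYPOTHETICAL_INJECTION, PROCESS_TREE)
    print("constructed counter-example flagged:", bad)
```

For this report every edge lands in the "explained" bucket; the constructed row, a child writing into its parent, is the shape that would justify pulling a memory dump of the target.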
Processes
- C:\Users\Admin\AppData\Local\Temp\467e1695403afbc0e5cbc343b23fd0e6ba6eefcd88425bda7207fc759eaf28f6N.exe (depth 1, PID 3164)
  command line: "C:\Users\Admin\AppData\Local\Temp\467e1695403afbc0e5cbc343b23fd0e6ba6eefcd88425bda7207fc759eaf28f6N.exe"
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe (depth 2, PID 1516)
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\SysDrv13\xoptiec.exe (depth 2, PID 1596)
    command line: C:\SysDrv13\xoptiec.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.6MB
  MD5: 7792755b0c295158a8a634fcacfabb2b
  SHA1: 75b38835ff0c1355ad163c21939b236c8ff19597
  SHA256: 9d986e67768b0ca49b7b69366a7395039e7aa73ac3335803eccf1ae64735809d
  SHA512: 445a850a47eb9e824d28a59a9b9c46cc4f1bd57b99255f34889f7c1bee70149afd255d181571c407f6bc014c7cd48cee350ae52c11dbb3aa5486c024913392ef
- Filesize: 1.2MB
  MD5: 08b2b25a0d9856d07efa87a8b5e81a47
  SHA1: 124b117daeeb90572e543b51b50d2cf19c9a1588
  SHA256: b388f95b70ba9ca06497bd00b1544a00d543a173ffbf0ed72e36dbd754829836
  SHA512: 5935ca74fd68355fe180b5791864baf42d7a52f7332fd58d9964247d3fd6884f984b55f9e4f73a5fd1b0259e0ef6e32322e94a6a4417a345d9ffb5f8bbb86665
- Filesize: 2.6MB
  MD5: e479ea1bf6846711c90c63bfbd667726
  SHA1: e6856d6bf6b604c67a9bf44ade70bfecb11df0ef
  SHA256: d1a0f6cb915c8add16cf0d9359701c2dcf6d6734afb8405f610a872919113077
  SHA512: a7ff5ac8485b6a4b0f16cca926bb1bf37e4e297e3237da3fff0b6fcde6204d722692a5ec850aa53d06411d554d0205681e593cc614e61b15bd7f6abc7f2e67bb
- Filesize: 202B
  MD5: 086faf0dcd1021213be470f97912604a
  SHA1: 1eeb32386f859e906c1f4af19aaff1bfc935bcc3
  SHA256: e9d0677fa1f911ab21d68adab2a8804fe301f82a9fef657c9464041f8ae5b624
  SHA512: a7bd37c568c704fb934b1bcb61ed5518f20249eb2f8d09d9df99ec416f056ef6e504fb20cc0db45cd901252c107574cc522ded8c3e14c115179b3dc66c0737b4
- Filesize: 170B
  MD5: b59076a632040feca385b9f50c2e0bf1
  SHA1: e7d7d76c63349352297f787cdee6b765a2a2d489
  SHA256: 6d893b434aa2e4bd280760e2c3bca939a0900ca84caddfa3325d39759dffb4c6
  SHA512: ed434da2233d44a3b24cdf87d372032a731eaf192d35cb60ca525bbdcbfae04df03aa2976d9a2ded349c4beba02147abcdee0309cd0d66e3c040ed8288b22887
- Filesize: 2.6MB
  MD5: eed531c14c2e39c8a28091946e4f80e0
  SHA1: abfc9d685ba6ee764bc4f3dd090303cf3e0853d5
  SHA256: 178ab44ba7f7af702056ee7a02524cef1a8a49cf24e951efc10441c5a2d95544
  SHA512: ca3c9c3279337c8106b9863048b10978d11dac5ff4be0476187df61a2569e2fbd426d18c179b849ca4ca06ceb47d6c4147515cd1740ddd4963cbb57579d4a944
(The report does not name which dropped file each entry corresponds to; three of the six are the same 2.6MB size as the submitted sample, but none of the listed hashes matches the sample's own.)