Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted
10/10/2024, 16:31
Static task
static1
Behavioral task
behavioral1
Sample
939d190649cca94b2c360eb903b0ccca2cf9692b5288cacac9cfe8e2ca517fb2N.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
939d190649cca94b2c360eb903b0ccca2cf9692b5288cacac9cfe8e2ca517fb2N.exe
Resource
win10v2004-20241007-en
General
-
Target
939d190649cca94b2c360eb903b0ccca2cf9692b5288cacac9cfe8e2ca517fb2N.exe
-
Size
2.6MB
-
MD5
6bb121390b50fdb90586cac15271ae90
-
SHA1
fe9c4b5178f8342590fbff83dc3d79c157f73cac
-
SHA256
939d190649cca94b2c360eb903b0ccca2cf9692b5288cacac9cfe8e2ca517fb2
-
SHA512
26ce65865a1cd704f93357cfabd6593f2b5299b7a822f04967f945e783414469f863795264c362afc06112422d84012db63630704f01fd5375097da1dad38173
-
SSDEEP
49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB0B/bS:sxX7QnxrloE5dpUpvb
Malware Config
Signatures
-
Drops startup file (1 IoC)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | 939d190649cca94b2c360eb903b0ccca2cf9692b5288cacac9cfe8e2ca517fb2N.exe
Executes dropped EXE (2 IoCs)
pid | Process
1756 | locadob.exe
2940 | xoptisys.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotL3\\xoptisys.exe" | 939d190649cca94b2c360eb903b0ccca2cf9692b5288cacac9cfe8e2ca517fb2N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidHY\\bodaloc.exe" | 939d190649cca94b2c360eb903b0ccca2cf9692b5288cacac9cfe8e2ca517fb2N.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 939d190649cca94b2c360eb903b0ccca2cf9692b5288cacac9cfe8e2ca517fb2N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | locadob.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xoptisys.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
4060 | 939d190649cca94b2c360eb903b0ccca2cf9692b5288cacac9cfe8e2ca517fb2N.exe
1756 | locadob.exe
2940 | xoptisys.exe
The report lists 64 entries for this signature; all of them are repeats of the three pid/Process pairs above (4060 first, then alternating pairs of 1756 and 2940).
Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 4060 wrote to memory of 1756 | 4060 | 939d190649cca94b2c360eb903b0ccca2cf9692b5288cacac9cfe8e2ca517fb2N.exe | 86
PID 4060 wrote to memory of 1756 | 4060 | 939d190649cca94b2c360eb903b0ccca2cf9692b5288cacac9cfe8e2ca517fb2N.exe | 86
PID 4060 wrote to memory of 1756 | 4060 | 939d190649cca94b2c360eb903b0ccca2cf9692b5288cacac9cfe8e2ca517fb2N.exe | 86
PID 4060 wrote to memory of 2940 | 4060 | 939d190649cca94b2c360eb903b0ccca2cf9692b5288cacac9cfe8e2ca517fb2N.exe | 87
PID 4060 wrote to memory of 2940 | 4060 | 939d190649cca94b2c360eb903b0ccca2cf9692b5288cacac9cfe8e2ca517fb2N.exe | 87
PID 4060 wrote to memory of 2940 | 4060 | 939d190649cca94b2c360eb903b0ccca2cf9692b5288cacac9cfe8e2ca517fb2N.exe | 87
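The signatures above are the sandbox's observations. To turn them into something that can be run against host telemetry, the following is an added example (not part of the Triage report and not the sample's own code) that encodes the same four behaviours as matching rules over a normalised event stream. The event schema, the benign noise events (PIDs 5100 and 5200) and the "target lives in a directory directly under the drive root" heuristic are assumptions made for the example; the paths, PIDs, value name and registry keys of the malicious events are copied from the report. Two caveats visible in the report itself are built in: every WriteProcessMemory entry goes from PID 4060 into the two children it had just spawned (1756 and 2940), which is what process creation looks like, so the rule fires only on a write into a process the writer did not spawn; and the RunOnce value points at C:\VidHY\bodaloc.exe, which never appears in the process tree within the analysis window, so the Run/RunOnce value name "Parametr" is a more reliable indicator than looking for a running process.

```python
"""Run the behaviours from this report's Signatures section as matching rules
over a normalised event stream.

Event schema (constructed for this example; it mirrors the report's own IoC
categories rather than any particular EDR or Sysmon schema):
  {"op": "file_create", "pid", "image", "path"}
  {"op": "reg_set",     "pid", "image", "key", "value", "data"}
  {"op": "reg_open",    "pid", "image", "key"}
  {"op": "proc_create", "pid", "ppid", "image"}
  {"op": "proc_write",  "pid", "image", "target_pid"}
"""

import re
from collections import defaultdict
from dataclasses import dataclass

# Indicators taken from the report.
RUN_VALUE_NAME = "Parametr"
RUN_TARGETS = {r"c:\userdotl3\xoptisys.exe", r"c:\vidhy\bodaloc.exe"}

STARTUP_EXE_RE = re.compile(
    r"\\microsoft\\windows\\start menu\\programs\\startup\\[^\\]+\.exe$", re.I)
RUN_KEY_RE = re.compile(
    r"\\software\\microsoft\\windows\\currentversion\\(run|runonce)$", re.I)
NLS_LANGUAGE_RE = re.compile(
    r"\\system\\controlset\d{3}\\control\\nls\\language$", re.I)
# Heuristic (assumption, not from the report): an autorun target in a directory
# created directly under the drive root, e.g. C:\UserDotL3\xoptisys.exe.
ROOT_DIR_EXE_RE = re.compile(r"^[a-z]:\\[^\\]+\\[^\\]+\.exe$", re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    pid: int
    detail: str


def hunt(events):
    """Return one Finding per matching event, in stream order."""
    findings = []
    parent_of = {}  # pid -> ppid, from proc_create events seen so far
    for ev in events:
        op = ev["op"]
        if op == "proc_create":
            parent_of[ev["pid"]] = ev["ppid"]
        elif op == "file_create" and STARTUP_EXE_RE.search(ev["path"]):
            # "Drops startup file": a new .exe in the per-user Startup folder.
            findings.append(Finding("startup_folder_exe", "high", ev["pid"], ev["path"]))
        elif op == "reg_set" and RUN_KEY_RE.search(ev["key"]):
            # "Adds Run key": an exact IoC match is high confidence; an unknown
            # value pointing at a root-level directory is a weaker heuristic.
            data = ev["data"].strip('"').lower()
            shown = f"{ev['value']} = {ev['data']}"
            if ev["value"].lower() == RUN_VALUE_NAME.lower() or data in RUN_TARGETS:
                findings.append(Finding("run_key_known_ioc", "high", ev["pid"], shown))
            elif ROOT_DIR_EXE_RE.match(data):
                findings.append(Finding("run_key_root_dir_target", "medium", ev["pid"], shown))
        elif op == "reg_open" and NLS_LANGUAGE_RE.search(ev["key"]):
            # "System Language Discovery" (T1614.001): low signal on its own,
            # since plenty of legitimate software reads this key.
            findings.append(Finding("nls_language_read", "low", ev["pid"], ev["key"]))
        elif op == "proc_write":
            # "Suspicious use of WriteProcessMemory": writes from a parent into a
            # child it just spawned are what process creation looks like; only a
            # write into a process the writer did not spawn is injection-like.
            if parent_of.get(ev["target_pid"]) != ev["pid"]:
                findings.append(Finding("write_to_unrelated_process", "high", ev["pid"],
                                        f"-> pid {ev['target_pid']}"))
    return findings


def rules_by_pid(findings):
    """Collapse findings to {pid: sorted rule names} for triage."""
    out = defaultdict(set)
    for f in findings:
        out[f.pid].add(f.rule)
    return {pid: sorted(rules) for pid, rules in out.items()}


# Constructed event stream reproducing the report's observations (PIDs and paths
# from the report; the ordering and the benign noise events are assumed).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\939d190649cca94b2c360eb903b0ccca2cf9692b5288cacac9cfe8e2ca517fb2N.exe"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
XOPTISYS = r"C:\UserDotL3\xoptisys.exe"
HKU_RUN = r"HKU\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Windows\CurrentVersion\Run"
NLS_KEY = r"HKLM\SYSTEM\ControlSet001\Control\NLS\Language"

EVENTS = [
    {"op": "proc_create", "pid": 4060, "ppid": 1000, "image": SAMPLE},
    {"op": "file_create", "pid": 4060, "image": SAMPLE, "path": STARTUP},
    {"op": "reg_set", "pid": 4060, "image": SAMPLE, "key": HKU_RUN, "value": "Parametr", "data": XOPTISYS},
    {"op": "reg_set", "pid": 4060, "image": SAMPLE, "key": HKU_RUN + "Once", "value": "Parametr", "data": r"C:\VidHY\bodaloc.exe"},
    {"op": "reg_open", "pid": 4060, "image": SAMPLE, "key": NLS_KEY},
    {"op": "proc_create", "pid": 1756, "ppid": 4060, "image": STARTUP},
    {"op": "proc_write", "pid": 4060, "image": SAMPLE, "target_pid": 1756},
    {"op": "proc_create", "pid": 2940, "ppid": 4060, "image": XOPTISYS},
    {"op": "proc_write", "pid": 4060, "image": SAMPLE, "target_pid": 2940},
    {"op": "reg_open", "pid": 1756, "image": STARTUP, "key": NLS_KEY},
    {"op": "reg_open", "pid": 2940, "image": XOPTISYS, "key": NLS_KEY},
    # Assumed benign noise: a vendor updater registering itself under Program Files
    # (should not fire), and an unrelated process writing into PID 4060 (should fire).
    {"op": "reg_set", "pid": 5100, "image": r"C:\Program Files\Vendor\updater.exe", "key": HKU_RUN,
     "value": "VendorUpdate", "data": r"C:\Program Files\Vendor\updater.exe"},
    {"op": "proc_write", "pid": 5200, "image": r"C:\Users\Admin\x.exe", "target_pid": 4060},
]

if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f"[{f.severity:6}] pid {f.pid:<5} {f.rule:28} {f.detail}")
    print(rules_by_pid(hunt(EVENTS)))
```

On the constructed stream this produces seven findings: the Startup-folder drop and both Run/RunOnce values for PID 4060, one low-severity NLS\Language read for each of 4060, 1756 and 2940, and one injection-like write from the assumed unrelated PID 5200; the parent-to-child writes from 4060 and the Program Files updater produce nothing.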
Processes
-
[depth 1] C:\Users\Admin\AppData\Local\Temp\939d190649cca94b2c360eb903b0ccca2cf9692b5288cacac9cfe8e2ca517fb2N.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\939d190649cca94b2c360eb903b0ccca2cf9692b5288cacac9cfe8e2ca517fb2N.exe"
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 4060
-
[depth 2, child of PID 4060] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 1756
-
[depth 2, child of PID 4060] C:\UserDotL3\xoptisys.exe
Command line: C:\UserDotL3\xoptisys.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 2940
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
1.3MB
MD5
f23f783b84613e71ade11546a7133d4d
SHA1
feca22373228b0cc41bd590a1b1f84e80108d765
SHA256
06b8bfd54195e8e505e46c186f48ba17457d28f3e57f612f54f419c2889eba08
SHA512
be28721bbd2fc778ec6ca2e6cc15ef973f65e167c6149b158bcdcb7e12bacbf69231251fae7d47c7bd13d20e8141616c3864b08593f79f029f1b8fc5cbab39f6
-
Filesize
2.6MB
MD5
f304bc410d6661724de5a7f52cb74963
SHA1
0a80096df4a560cdb997be13e8feea0755b118f6
SHA256
6632b3d55b9e4659c058db64c969390f5225422a1f9f73c20b49c9203a2a8c18
SHA512
5f444efb9b858a8f65bcf0ff33b13217a27c861d8c0aaf0ddcc74459be9f26dbe7bcbacbf4f214506cca862c9ed8635740d8ed89b1cfa8931c765d3793487aa2
-
Filesize
202B
MD5
83a03821b1431c679a0d1fb12e7cb832
SHA1
b3226fc224cd3de7274b7539bd87adab3f5d8e76
SHA256
bd86b3e1eccaf4e8fb6aece2e62074047d9eef3cc5797d599010306ab166c9da
SHA512
f184f2837723118fae860db654c2d513582d76ca06119123b28774cf03dcb3141dd8f4dd79fea3c86b944015c85c84fab41968d85182ebcb8382fa779fe4ca18
-
Filesize
170B
MD5
b1b6d37877b97fabd382d4793edf0ee2
SHA1
bfc4d89f43864bf4b898106e57979971abd00f05
SHA256
a06d52963bb534940aec8c4751eb7021dc143dfc1f2a348b14d58644224601a7
SHA512
70415f17461a5c65488aefc5c0a1e9089c05695309dd1c62b77bc9fe3099680886d9817d78b9bd3346d81655319321bc541d7fe916e4110bd8c820c6de5bad51
-
Filesize
2.6MB
MD5
b54ae3e8da6510c6ae3f78c14b6e9bb4
SHA1
20fd2aea37df7a260a58da43fe0768002211868b
SHA256
f05b797a412a18f4b16768a0c3fcb870d6c02ce85561afa9f25bcf90d06134e1
SHA512
9cfc52b28c3c2be4a4534e7bfe5d6e2ffc3aaf7d7647b35f8cedecf6bbe917588581feaa66dbffd970e053e5dd44177c0bc57469fcac727ce5f48e19ef56601c
-
Filesize
233KB
MD5
a386fa70a60703f9ae0d622acc3c8907
SHA1
5fffb3a9230bdf11760be8e0c4299d1634a66f07
SHA256
03209a12396042fedc26982b31a0ef7281ab59fb496f727a0aa7ac2319eef92f
SHA512
c7dddaf2923f6271268d6212cd1c5b97b506dfbcead814b793d5b6de27bb55007ad0c84d5f49228e84d7d98a0f37274350496ef12a22458f6fe59659c3aefb0a
-
Filesize
813KB
MD5
f9cb8a8b1a165c7c775f3e533d12cf07
SHA1
fa5f4400ced394afd160a40f6ae547a5c1c70960
SHA256
c583ebcb83a3319121aeb9297a09ed915ecd944c4d8e78b3b124f72fa8eca788
SHA512
031b9fe037852c55edeee6d6300ce290f124318dfe1246423bbdebdec940114ad99e5cf843ef9a43b14c50b451032c9b6df689432de9d2cec897bc7dab6b6b53