Analysis

  • max time kernel
    120s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10/10/2024, 16:31

General

  • Target

    939d190649cca94b2c360eb903b0ccca2cf9692b5288cacac9cfe8e2ca517fb2N.exe

  • Size

    2.6MB

  • MD5

    6bb121390b50fdb90586cac15271ae90

  • SHA1

    fe9c4b5178f8342590fbff83dc3d79c157f73cac

  • SHA256

    939d190649cca94b2c360eb903b0ccca2cf9692b5288cacac9cfe8e2ca517fb2

  • SHA512

    26ce65865a1cd704f93357cfabd6593f2b5299b7a822f04967f945e783414469f863795264c362afc06112422d84012db63630704f01fd5375097da1dad38173

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB0B/bS:sxX7QnxrloE5dpUpvb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\939d190649cca94b2c360eb903b0ccca2cf9692b5288cacac9cfe8e2ca517fb2N.exe
    "C:\Users\Admin\AppData\Local\Temp\939d190649cca94b2c360eb903b0ccca2cf9692b5288cacac9cfe8e2ca517fb2N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4060
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1756
    • C:\UserDotL3\xoptisys.exe
      C:\UserDotL3\xoptisys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2940

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\UserDotL3\xoptisys.exe

    Filesize

    1.3MB

    MD5

    f23f783b84613e71ade11546a7133d4d

    SHA1

    feca22373228b0cc41bd590a1b1f84e80108d765

    SHA256

    06b8bfd54195e8e505e46c186f48ba17457d28f3e57f612f54f419c2889eba08

    SHA512

    be28721bbd2fc778ec6ca2e6cc15ef973f65e167c6149b158bcdcb7e12bacbf69231251fae7d47c7bd13d20e8141616c3864b08593f79f029f1b8fc5cbab39f6

  • C:\UserDotL3\xoptisys.exe

    Filesize

    2.6MB

    MD5

    f304bc410d6661724de5a7f52cb74963

    SHA1

    0a80096df4a560cdb997be13e8feea0755b118f6

    SHA256

    6632b3d55b9e4659c058db64c969390f5225422a1f9f73c20b49c9203a2a8c18

    SHA512

    5f444efb9b858a8f65bcf0ff33b13217a27c861d8c0aaf0ddcc74459be9f26dbe7bcbacbf4f214506cca862c9ed8635740d8ed89b1cfa8931c765d3793487aa2

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    202B

    MD5

    83a03821b1431c679a0d1fb12e7cb832

    SHA1

    b3226fc224cd3de7274b7539bd87adab3f5d8e76

    SHA256

    bd86b3e1eccaf4e8fb6aece2e62074047d9eef3cc5797d599010306ab166c9da

    SHA512

    f184f2837723118fae860db654c2d513582d76ca06119123b28774cf03dcb3141dd8f4dd79fea3c86b944015c85c84fab41968d85182ebcb8382fa779fe4ca18

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    170B

    MD5

    b1b6d37877b97fabd382d4793edf0ee2

    SHA1

    bfc4d89f43864bf4b898106e57979971abd00f05

    SHA256

    a06d52963bb534940aec8c4751eb7021dc143dfc1f2a348b14d58644224601a7

    SHA512

    70415f17461a5c65488aefc5c0a1e9089c05695309dd1c62b77bc9fe3099680886d9817d78b9bd3346d81655319321bc541d7fe916e4110bd8c820c6de5bad51

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe

    Filesize

    2.6MB

    MD5

    b54ae3e8da6510c6ae3f78c14b6e9bb4

    SHA1

    20fd2aea37df7a260a58da43fe0768002211868b

    SHA256

    f05b797a412a18f4b16768a0c3fcb870d6c02ce85561afa9f25bcf90d06134e1

    SHA512

    9cfc52b28c3c2be4a4534e7bfe5d6e2ffc3aaf7d7647b35f8cedecf6bbe917588581feaa66dbffd970e053e5dd44177c0bc57469fcac727ce5f48e19ef56601c

  • C:\VidHY\bodaloc.exe

    Filesize

    233KB

    MD5

    a386fa70a60703f9ae0d622acc3c8907

    SHA1

    5fffb3a9230bdf11760be8e0c4299d1634a66f07

    SHA256

    03209a12396042fedc26982b31a0ef7281ab59fb496f727a0aa7ac2319eef92f

    SHA512

    c7dddaf2923f6271268d6212cd1c5b97b506dfbcead814b793d5b6de27bb55007ad0c84d5f49228e84d7d98a0f37274350496ef12a22458f6fe59659c3aefb0a

  • C:\VidHY\bodaloc.exe

    Filesize

    813KB

    MD5

    f9cb8a8b1a165c7c775f3e533d12cf07

    SHA1

    fa5f4400ced394afd160a40f6ae547a5c1c70960

    SHA256

    c583ebcb83a3319121aeb9297a09ed915ecd944c4d8e78b3b124f72fa8eca788

    SHA512

    031b9fe037852c55edeee6d6300ce290f124318dfe1246423bbdebdec940114ad99e5cf843ef9a43b14c50b451032c9b6df689432de9d2cec897bc7dab6b6b53