Analysis
max time kernel: 120s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/10/2024, 23:04
Static task: static1
Behavioral task: behavioral1
  Sample: 0855307d1224897cdb87dcf835d19ea0fd7cc09caa8ed2a8ab0c770faef633b1N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 0855307d1224897cdb87dcf835d19ea0fd7cc09caa8ed2a8ab0c770faef633b1N.exe
  Resource: win10v2004-20241007-en
General
Target: 0855307d1224897cdb87dcf835d19ea0fd7cc09caa8ed2a8ab0c770faef633b1N.exe
Size: 2.6MB
MD5: bd49b46ba24fc504eaa1d96739c009e0
SHA1: 701764bbec0e3cd74b1c025fd497c3476077f382
SHA256: 0855307d1224897cdb87dcf835d19ea0fd7cc09caa8ed2a8ab0c770faef633b1
SHA512: 5f70f5ba4d83149211c0e670720707e841c6ef9a91957d65173e05e1e812758c4e7debb9d166eebc2cd94ed8a5a169bff8091c06dfa403a6a0f11d9dd2ba9e44
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBUB/bS:sxX7QnxrloE5dpUprb
Malware Config
Signatures
Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe  (process: 0855307d1224897cdb87dcf835d19ea0fd7cc09caa8ed2a8ab0c770faef633b1N.exe)
Executes dropped EXE (2 IoCs)
  PID 3800  sysdevopti.exe
  PID 3500  devoptiloc.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotBW\\devoptiloc.exe"  (process: 0855307d1224897cdb87dcf835d19ea0fd7cc09caa8ed2a8ab0c770faef633b1N.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxD9\\optidevsys.exe"  (process: 0855307d1224897cdb87dcf835d19ea0fd7cc09caa8ed2a8ab0c770faef633b1N.exe)
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: 0855307d1224897cdb87dcf835d19ea0fd7cc09caa8ed2a8ab0c770faef633b1N.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: sysdevopti.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: devoptiloc.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 4172  0855307d1224897cdb87dcf835d19ea0fd7cc09caa8ed2a8ab0c770faef633b1N.exe
  PID 4172  0855307d1224897cdb87dcf835d19ea0fd7cc09caa8ed2a8ab0c770faef633b1N.exe
  PID 4172  0855307d1224897cdb87dcf835d19ea0fd7cc09caa8ed2a8ab0c770faef633b1N.exe
  PID 4172  0855307d1224897cdb87dcf835d19ea0fd7cc09caa8ed2a8ab0c770faef633b1N.exe
  PID 3800  sysdevopti.exe
  PID 3800  sysdevopti.exe
  PID 3500  devoptiloc.exe
  PID 3500  devoptiloc.exe
  PID 3800  sysdevopti.exe
  PID 3800  sysdevopti.exe
  PID 3500  devoptiloc.exe
  PID 3500  devoptiloc.exe
  PID 3800  sysdevopti.exe
  PID 3800  sysdevopti.exe
  PID 3500  devoptiloc.exe
  PID 3500  devoptiloc.exe
  PID 3800  sysdevopti.exe
  PID 3800  sysdevopti.exe
  PID 3500  devoptiloc.exe
  PID 3500  devoptiloc.exe
  PID 3800  sysdevopti.exe
  PID 3800  sysdevopti.exe
  PID 3500  devoptiloc.exe
  PID 3500  devoptiloc.exe
  PID 3800  sysdevopti.exe
  PID 3800  sysdevopti.exe
  PID 3500  devoptiloc.exe
  PID 3500  devoptiloc.exe
  PID 3800  sysdevopti.exe
  PID 3800  sysdevopti.exe
  PID 3500  devoptiloc.exe
  PID 3500  devoptiloc.exe
  PID 3800  sysdevopti.exe
  PID 3800  sysdevopti.exe
  PID 3500  devoptiloc.exe
  PID 3500  devoptiloc.exe
  PID 3800  sysdevopti.exe
  PID 3800  sysdevopti.exe
  PID 3500  devoptiloc.exe
  PID 3500  devoptiloc.exe
  PID 3800  sysdevopti.exe
  PID 3800  sysdevopti.exe
  PID 3500  devoptiloc.exe
  PID 3500  devoptiloc.exe
  PID 3800  sysdevopti.exe
  PID 3800  sysdevopti.exe
  PID 3500  devoptiloc.exe
  PID 3500  devoptiloc.exe
  PID 3800  sysdevopti.exe
  PID 3800  sysdevopti.exe
  PID 3500  devoptiloc.exe
  PID 3500  devoptiloc.exe
  PID 3800  sysdevopti.exe
  PID 3800  sysdevopti.exe
  PID 3500  devoptiloc.exe
  PID 3500  devoptiloc.exe
  PID 3800  sysdevopti.exe
  PID 3800  sysdevopti.exe
  PID 3500  devoptiloc.exe
  PID 3500  devoptiloc.exe
  PID 3800  sysdevopti.exe
  PID 3800  sysdevopti.exe
  PID 3500  devoptiloc.exe
  PID 3500  devoptiloc.exe
Suspicious use of WriteProcessMemory (6 IoCs)
  PID 4172 wrote to memory of 3800  (pid 4172, process 0855307d1224897cdb87dcf835d19ea0fd7cc09caa8ed2a8ab0c770faef633b1N.exe, procid_target 86)
  PID 4172 wrote to memory of 3800  (pid 4172, process 0855307d1224897cdb87dcf835d19ea0fd7cc09caa8ed2a8ab0c770faef633b1N.exe, procid_target 86)
  PID 4172 wrote to memory of 3800  (pid 4172, process 0855307d1224897cdb87dcf835d19ea0fd7cc09caa8ed2a8ab0c770faef633b1N.exe, procid_target 86)
  PID 4172 wrote to memory of 3500  (pid 4172, process 0855307d1224897cdb87dcf835d19ea0fd7cc09caa8ed2a8ab0c770faef633b1N.exe, procid_target 87)
  PID 4172 wrote to memory of 3500  (pid 4172, process 0855307d1224897cdb87dcf835d19ea0fd7cc09caa8ed2a8ab0c770faef633b1N.exe, procid_target 87)
  PID 4172 wrote to memory of 3500  (pid 4172, process 0855307d1224897cdb87dcf835d19ea0fd7cc09caa8ed2a8ab0c770faef633b1N.exe, procid_target 87)
Processes
- C:\Users\Admin\AppData\Local\Temp\0855307d1224897cdb87dcf835d19ea0fd7cc09caa8ed2a8ab0c770faef633b1N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0855307d1224897cdb87dcf835d19ea0fd7cc09caa8ed2a8ab0c770faef633b1N.exe"
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 4172
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 3800
  - C:\UserDotBW\devoptiloc.exe
    Command line: C:\UserDotBW\devoptiloc.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 3500
Network
MITRE ATT&CK Enterprise v15
Downloads