Analysis
- max time kernel: 149s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14/10/2024, 01:14
Static task: static1
Behavioral task: behavioral1
- Sample: 95c4938e5284161eaf9f28a27524bf5d8e7780d6a9415208219b3724445f3420.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 95c4938e5284161eaf9f28a27524bf5d8e7780d6a9415208219b3724445f3420.exe
- Resource: win10v2004-20241007-en
General
- Target: 95c4938e5284161eaf9f28a27524bf5d8e7780d6a9415208219b3724445f3420.exe
- Size: 2.6MB
- MD5: 7bc9e1cb0a174fea59f5f782355b9ae8
- SHA1: ff5fff09a26ae794d698938f3dd2d89625d5e990
- SHA256: 95c4938e5284161eaf9f28a27524bf5d8e7780d6a9415208219b3724445f3420
- SHA512: e97cee50cfd69556d8cb57f7f3527f365920858f42fbcb862ad7167bc49a1c04fb459cb3ae2aa3d58fc1fa5d12842c3c8a884b28eb717a8a85f15681ed3d8997
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBWB/bS:sxX7QnxrloE5dpUpJb
Malware Config
Signatures
- Drops startup file (1 IoC)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | 95c4938e5284161eaf9f28a27524bf5d8e7780d6a9415208219b3724445f3420.exe

- Executes dropped EXE (2 IoCs)
  pid | Process
  1608 | ecaopti.exe
  2556 | xoptiec.exe

- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotN7\\xoptiec.exe" | 95c4938e5284161eaf9f28a27524bf5d8e7780d6a9415208219b3724445f3420.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZAR\\dobxloc.exe" | 95c4938e5284161eaf9f28a27524bf5d8e7780d6a9415208219b3724445f3420.exe

- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 95c4938e5284161eaf9f28a27524bf5d8e7780d6a9415208219b3724445f3420.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ecaopti.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xoptiec.exe

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  1632 | 95c4938e5284161eaf9f28a27524bf5d8e7780d6a9415208219b3724445f3420.exe
  1608 | ecaopti.exe
  2556 | xoptiec.exe
  (the 64 recorded entries are repeats of these three pid/process pairs)

- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 1632 wrote to memory of 1608 | 1632 | 95c4938e5284161eaf9f28a27524bf5d8e7780d6a9415208219b3724445f3420.exe | 86
  PID 1632 wrote to memory of 1608 | 1632 | 95c4938e5284161eaf9f28a27524bf5d8e7780d6a9415208219b3724445f3420.exe | 86
  PID 1632 wrote to memory of 1608 | 1632 | 95c4938e5284161eaf9f28a27524bf5d8e7780d6a9415208219b3724445f3420.exe | 86
  PID 1632 wrote to memory of 2556 | 1632 | 95c4938e5284161eaf9f28a27524bf5d8e7780d6a9415208219b3724445f3420.exe | 87
  PID 1632 wrote to memory of 2556 | 1632 | 95c4938e5284161eaf9f28a27524bf5d8e7780d6a9415208219b3724445f3420.exe | 87
  PID 1632 wrote to memory of 2556 | 1632 | 95c4938e5284161eaf9f28a27524bf5d8e7780d6a9415208219b3724445f3420.exe | 87
Processes
- C:\Users\Admin\AppData\Local\Temp\95c4938e5284161eaf9f28a27524bf5d8e7780d6a9415208219b3724445f3420.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\95c4938e5284161eaf9f28a27524bf5d8e7780d6a9415208219b3724445f3420.exe"
  PID: 1632
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
    PID: 1608
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\UserDotN7\xoptiec.exe
    Command line: C:\UserDotN7\xoptiec.exe
    PID: 2556
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads