Analysis
- max time kernel: 120s
- max time network: 117s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 14/10/2024, 06:44
Static task: static1
Behavioral task: behavioral1
- Sample: 06a6bfe4462e59de42c4b8cc35172944c078e32c65c3e6ad5c1f03f344d1cfcaN.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 06a6bfe4462e59de42c4b8cc35172944c078e32c65c3e6ad5c1f03f344d1cfcaN.exe
- Resource: win10v2004-20241007-en
General
- Target: 06a6bfe4462e59de42c4b8cc35172944c078e32c65c3e6ad5c1f03f344d1cfcaN.exe
- Size: 2.6MB
- MD5: be671e439fe8d78e3d53f488acdf2990
- SHA1: c1e98eee250d1faac7d9b9c1047469ff1a1bded4
- SHA256: 06a6bfe4462e59de42c4b8cc35172944c078e32c65c3e6ad5c1f03f344d1cfca
- SHA512: c87d75d42c2c10cd34f7085c3813b8959040f8083cd5563e3f1fce5995dd6e32df89fdccfa08c37060d986b4159ad7ad0145ec6aa8de7416d02f9784907976e8
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBaB/bS:sxX7QnxrloE5dpUp5b
Malware Config
Signatures
- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
  Process: 06a6bfe4462e59de42c4b8cc35172944c078e32c65c3e6ad5c1f03f344d1cfcaN.exe
- Executes dropped EXE (2 IoCs)
  PID 804: ecdevbod.exe
  PID 1892: xoptisys.exe
- Loads dropped DLL (2 IoCs)
  PID 1712: 06a6bfe4462e59de42c4b8cc35172944c078e32c65c3e6ad5c1f03f344d1cfcaN.exe (2 entries)
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint68\\dobdevsys.exe"
  Process: 06a6bfe4462e59de42c4b8cc35172944c078e32c65c3e6ad5c1f03f344d1cfcaN.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocEB\\xoptisys.exe"
  Process: 06a6bfe4462e59de42c4b8cc35172944c078e32c65c3e6ad5c1f03f344d1cfcaN.exe
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 06a6bfe4462e59de42c4b8cc35172944c078e32c65c3e6ad5c1f03f344d1cfcaN.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by ecdevbod.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by xoptisys.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 1712: 06a6bfe4462e59de42c4b8cc35172944c078e32c65c3e6ad5c1f03f344d1cfcaN.exe (2 entries)
  PID 804: ecdevbod.exe and PID 1892: xoptisys.exe, alternating, for the remaining entries
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1712 (06a6bfe4462e59de42c4b8cc35172944c078e32c65c3e6ad5c1f03f344d1cfcaN.exe) wrote to memory of PID 804, procid_target 30 (4 entries)
  PID 1712 (06a6bfe4462e59de42c4b8cc35172944c078e32c65c3e6ad5c1f03f344d1cfcaN.exe) wrote to memory of PID 1892, procid_target 31 (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\06a6bfe4462e59de42c4b8cc35172944c078e32c65c3e6ad5c1f03f344d1cfcaN.exe (PID 1712)
  Command line: "C:\Users\Admin\AppData\Local\Temp\06a6bfe4462e59de42c4b8cc35172944c078e32c65c3e6ad5c1f03f344d1cfcaN.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe (PID 804)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - Child: C:\IntelprocEB\xoptisys.exe (PID 1892)
    Command line: C:\IntelprocEB\xoptisys.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads