Analysis

  • max time kernel
    120s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    14/10/2024, 06:44

General

  • Target

    06a6bfe4462e59de42c4b8cc35172944c078e32c65c3e6ad5c1f03f344d1cfcaN.exe

  • Size

    2.6MB

  • MD5

    be671e439fe8d78e3d53f488acdf2990

  • SHA1

    c1e98eee250d1faac7d9b9c1047469ff1a1bded4

  • SHA256

    06a6bfe4462e59de42c4b8cc35172944c078e32c65c3e6ad5c1f03f344d1cfca

  • SHA512

    c87d75d42c2c10cd34f7085c3813b8959040f8083cd5563e3f1fce5995dd6e32df89fdccfa08c37060d986b4159ad7ad0145ec6aa8de7416d02f9784907976e8

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBaB/bS:sxX7QnxrloE5dpUp5b

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\06a6bfe4462e59de42c4b8cc35172944c078e32c65c3e6ad5c1f03f344d1cfcaN.exe
    "C:\Users\Admin\AppData\Local\Temp\06a6bfe4462e59de42c4b8cc35172944c078e32c65c3e6ad5c1f03f344d1cfcaN.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1712
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:804
    • C:\IntelprocEB\xoptisys.exe
      C:\IntelprocEB\xoptisys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1892

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\IntelprocEB\xoptisys.exe

    Filesize

    2.6MB

    MD5

    64b993cfbbb6102a2e5a5da200cbeb46

    SHA1

    6ef2f0e7375eddd9f3edcc711e3afe341c08f23b

    SHA256

    d31fce45b64188fd3eaa2888e03eb0aaa852a07b6df6e1548164fe7b44b72097

    SHA512

    dfd438a534f020aa0071997c542550006b7c7155f643d6f83dd1999521cad5b581ecd64b7e9c5e3237069b65257b6b004a981c0b354b90686b2b1a9b60079215

  • C:\Mint68\dobdevsys.exe

    Filesize

    2.6MB

    MD5

    e664766cc94ebee4b7721959b5d3373b

    SHA1

    232cced46d6e7dce723e6fa5da3753826bd87659

    SHA256

    3b917b2e35e878268c14f9e1e0ed88abd353fd71638cd11745f5126d3e0b9054

    SHA512

    1a716e7e6e6efdb3600e19da628a06879eb1db2d6117e78b8670c56cc413c642f4a9eba63ae1c6b4e62c2282b05178925c1eee572158e5fbb2a457e4b698c752

  • C:\Mint68\dobdevsys.exe

    Filesize

    2.6MB

    MD5

    58778be421eec4c827dfc4f63c0ae86d

    SHA1

    a1827fea346b2103876f21686810dcd3b7cffde6

    SHA256

    c7a5a46551d510d84dce1d8155dd4c27e23e6d3fff11de8c980c925e35953a75

    SHA512

    78bb6bd59e737f4c0ea2bfe45f0fcd34d76988eeeab1ae3ebf9810df63fe3afd23e7d09a58aa7f862820dac555b45767e6d5a9ff17c25491cc424af483d72b7d

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    176B

    MD5

    4e250eea6d637519d06bd3ea2e364c82

    SHA1

    d77a819b2ceed516bda6b5d9e37bc9a1d986ba61

    SHA256

    c12da5c4990437f98a18cc056471a65736936f8f5c584fe43679bb075417cdfd

    SHA512

    ed01a5ac23af60618ad9a7562c2104c72fafaf7300a78bd1d87f408506907ff13de22bc1524bb5d4d513e60baf8bdc8d57a7f47fb06f1d97111e8fadcacfc411

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    208B

    MD5

    df1cf93acef6bbb50eb9363516f2b378

    SHA1

    7cd95835b17875e0c0e39f3aaad16f759542bc9d

    SHA256

    3294e26fb7c2f441575b8a567be163e0e7a4bde79cb345d93f500129c7f523f1

    SHA512

    d6b256a96b9e6696fed550f41cc7579ff67901bc82c4739be6b4b5d053d20b0fd94fa983843deb9bd7912d4ebea154aab8dd325a1540787ee4262fe9b787fa77

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe

    Filesize

    2.6MB

    MD5

    89b3aa555df04835cf80d5727c2fc4d1

    SHA1

    03acefdb63d8b0f5e18ceadc99c2c5e75ec815ab

    SHA256

    27a1bc29b1fe5629948d71d09829caf2389fc22ee3068d6d8bbc4aae79ba54ec

    SHA512

    e32c9cf8ec3756fb3409e6452513a4c7a2c37e1f40b4dd92e27361434db4fe3f9b2c946a4d250d10fc74b85c7db139b386338222c4457e9d9c5f31fc738580a3