Analysis

max time kernel: 119s
max time network: 17s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 25/10/2024, 21:58
Static task: static1

Behavioral task: behavioral1
  Sample: ce19770896b004f5cfbf593525f251f7421f4a5c6745b4443317e60937f1236fN.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: ce19770896b004f5cfbf593525f251f7421f4a5c6745b4443317e60937f1236fN.exe
  Resource: win10v2004-20241007-en
General

Target: ce19770896b004f5cfbf593525f251f7421f4a5c6745b4443317e60937f1236fN.exe
Size: 2.6MB
MD5: 15b92c89120936bf3cc7d30ee468c240
SHA1: 2a5257b404586fe1af8e3007d9d8a1f68b7c39cf
SHA256: ce19770896b004f5cfbf593525f251f7421f4a5c6745b4443317e60937f1236f
SHA512: e72bc15f713f675b5319dfde96366b90c13e1d3d0aaefb6a8f9ca0a91f99d9e7f003b76d9f0a0913685998de460fda9e936f2161baf1e43a1227856d8134f425
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBJB/bS:sxX7QnxrloE5dpUp2b
Signatures

Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
  Process: ce19770896b004f5cfbf593525f251f7421f4a5c6745b4443317e60937f1236fN.exe
Executes dropped EXE (2 IoCs)
  PID 2888: ecdevdob.exe
  PID 2720: xdobloc.exe
Loads dropped DLL (2 IoCs)
  PID 2444: ce19770896b004f5cfbf593525f251f7421f4a5c6745b4443317e60937f1236fN.exe (two loads)
Reads user/profile data of web browsers (3 TTPs, no IoCs listed)
  Infostealers often target stored browser data, which can include saved credentials, cookies and similar secrets.
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintIS\\optiasys.exe"
    Process: ce19770896b004f5cfbf593525f251f7421f4a5c6745b4443317e60937f1236fN.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocWQ\\xdobloc.exe"
    Process: ce19770896b004f5cfbf593525f251f7421f4a5c6745b4443317e60937f1236fN.exe
  Both values share the name Parametr. The Run target (xdobloc.exe) is also executed during the run (see Processes); the RunOnce target C:\MintIS\optiasys.exe appears nowhere else in this report, so no drop or execution of it was recorded within the analysis window.
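The startup-folder drop and the Run/RunOnce values listed above are exactly the kind of persistence that endpoint telemetry catches cleanly, so they are worth turning into detection logic. The following Python is an added example, not tria.ge's tooling or anything taken from the sample: it runs two rules over constructed Sysmon-style records (Event ID 11 FileCreate and Event ID 13 registry SetValue) whose contents are built from the IoCs in this report, plus two benign control records. The Sysmon field names and the "trusted roots" heuristic are assumptions of the example.

```python
"""Detect the startup-folder drop and Run/RunOnce autostart values reported
above in Sysmon-style telemetry.

Added example, not tria.ge's or the sample's code.  The records below are
constructed from the report's IoCs; field names follow Sysmon Event ID 11
(FileCreate) and Event ID 13 (RegistryEvent, SetValue), which is an assumption
about the log source rather than something the report states."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\ce19770896b004f5cfbf593525f251f7421f4a5c6745b4443317e60937f1236fN.exe")
USER_HIVE = r"\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000"

# Constructed events.  The first three reproduce the report's IoCs; the last
# two are benign controls that the rules must not flag.
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 11, "Image": SAMPLE_EXE,
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
                       r"\Start Menu\Programs\Startup\ecdevdob.exe"},
    {"EventID": 13, "EventType": "SetValue", "Image": SAMPLE_EXE,
     "TargetObject": USER_HIVE + r"\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr",
     "Details": r"C:\MintIS\optiasys.exe"},
    {"EventID": 13, "EventType": "SetValue", "Image": SAMPLE_EXE,
     "TargetObject": USER_HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Run\Parametr",
     "Details": r"C:\IntelprocWQ\xdobloc.exe"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\Admin\Documents\notes.txt"},
    {"EventID": 13, "EventType": "SetValue", "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "Details": r'"C:\Program Files\Vendor\updater.exe" /background'},
]

STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
# Anchors on the Software\...\Run(Once)\ suffix only, so it matches the
# \REGISTRY\USER\<SID>\ spelling used in the report as well as HKU\ / HKLM\.
RUN_KEY = re.compile(
    r"\\Software\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\",
    re.IGNORECASE)
# Heuristic (this example's assumption): autostart targets under these roots
# are treated as low signal; anything else (profile dirs, Temp, freshly created
# root-level folders such as C:\MintIS or C:\IntelprocWQ) is flagged.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


def normalize(value: str) -> str:
    """Reduce an autostart value to its lower-cased executable path: strip the
    quotes of a quoted path, or cut an unquoted one at the first '.exe' token,
    so trailing arguments cannot defeat the trusted-root comparison."""
    v = value.strip()
    if v.startswith('"'):
        end = v.find('"', 1)
        v = v[1:end] if end != -1 else v[1:]
    else:
        m = re.match(r"(.+?\.exe)(?:\s|$)", v, re.IGNORECASE)
        if m:
            v = m.group(1)
    return v.lower()


def in_trusted_root(value: str) -> bool:
    return normalize(value).startswith(TRUSTED_ROOTS)


@dataclass(frozen=True)
class Finding:
    rule: str
    image: str
    ioc: str


def scan(events: Iterable[Dict]) -> List[Finding]:
    """Apply both rules to a stream of events and return the findings in order."""
    findings: List[Finding] = []
    for ev in events:
        if ev.get("EventID") == 11 and STARTUP_DIR.search(ev.get("TargetFilename", "")):
            findings.append(Finding("startup_folder_drop", ev["Image"], ev["TargetFilename"]))
        elif ev.get("EventID") == 13 and ev.get("EventType") == "SetValue":
            m = RUN_KEY.search(ev.get("TargetObject", ""))
            if m and not in_trusted_root(ev.get("Details", "")):
                rule = m.group(1).lower() + "_value_untrusted_target"
                findings.append(Finding(rule, ev["Image"], ev["Details"]))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.rule:32} {f.image}\n{'':32} -> {f.ioc}")
```

Run as a script it prints the three findings that correspond to the report's IoCs and stays silent on the two control records. The trusted-root heuristic is deliberately coarse; in production it would be replaced by a signer or hash allow-list, since a writable directory under C:\Windows or C:\Program Files is enough to slip past a path prefix.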
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Processes: ce19770896b004f5cfbf593525f251f7421f4a5c6745b4443317e60937f1236fN.exe, ecdevdob.exe, xdobloc.exe
  All three processes open the same key. Many legitimate runtimes read this key during start-up, so on its own it is a weak signal; it carries weight here only in combination with the persistence behaviour above.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2444: ce19770896b004f5cfbf593525f251f7421f4a5c6745b4443317e60937f1236fN.exe (2 entries)
  PID 2888: ecdevdob.exe and PID 2720: xdobloc.exe (the remaining 62 entries alternate between these two processes)
Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2444 (ce19770896b004f5cfbf593525f251f7421f4a5c6745b4443317e60937f1236fN.exe) wrote to memory of PID 2888 (ecdevdob.exe), procid_target 30: 4 writes
  PID 2444 (ce19770896b004f5cfbf593525f251f7421f4a5c6745b4443317e60937f1236fN.exe) wrote to memory of PID 2720 (xdobloc.exe), procid_target 31: 4 writes
  Both targets are the parent's own children (see Processes), and the writes come in the same small burst per child, so this is consistent with launching the dropped executables rather than with injection into an unrelated process.
Processes

C:\Users\Admin\AppData\Local\Temp\ce19770896b004f5cfbf593525f251f7421f4a5c6745b4443317e60937f1236fN.exe (PID 2444)
  command line: "C:\Users\Admin\AppData\Local\Temp\ce19770896b004f5cfbf593525f251f7421f4a5c6745b4443317e60937f1236fN.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe (PID 2888, child of 2444)
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

  C:\IntelprocWQ\xdobloc.exe (PID 2720, child of 2444)
    command line: C:\IntelprocWQ\xdobloc.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Downloads

Six files were recorded: four of 2.6MB and two small ones (174B and 206B). None of the 2.6MB files shares a hash with the submitted sample, so the dropped executables are not byte-identical copies of the parent.

Filesize: 2.6MB
MD5: b3cdfdddc4924c3980a844dba91b7965
SHA1: db5b5c0e57a7b2aad7c08eaa98c524556e66db59
SHA256: 020ba59ec97ab174829428f81b09697e3c189673887ae16596ea0c66031533a3
SHA512: 03d2610fdedfbd530c6587ff6aa61d488c742b1f5e06709fd4214b340206e34aec9d71fb56794576e7e3da7227b6fef91561c759481d9c90f43caef7831436dd

Filesize: 2.6MB
MD5: 316445b2efca97fb1f7fba529ff72de0
SHA1: 81945f11cbf2baef52ec172f179fa43618ba3a8c
SHA256: b7b704b22cd97e3ead48ade11b81b13ed6c51c61ba66cf9d6bf735fc1bcf52fe
SHA512: 374a26346234699bd19628006b8251d8f33971f251bfad343fceefcfefccee54a677656c3a4cceb9d49b8bd8fa2a4c60ace009e10876af012e2ea4de5dc9c638

Filesize: 2.6MB
MD5: 44e2cfa25c86ead731a8273f9cf975c5
SHA1: 9ad41bc40a6c4fc5df0aa623d1604646a43e0eab
SHA256: 21a8ef39ea8dc18c5f704b055b2d3cc705bb5e4a4ac5e1f56fc2b11aa86638d9
SHA512: 7a32e0873e72f901f26c6029398c48952d4486c1268ad52b1463af843114d66fe00061ac44257c82fa30878cf01f450efcbbf85ca6727e4a8ecd045ff17d9785

Filesize: 174B
MD5: be52d496898e17064f24240b56ed9631
SHA1: bf78736f6d793cace9704ffdd8282eeed3ca2709
SHA256: 67f8ec9ac7d25942577ca7fe197c5cbe17329f35bb4035f66a61c2b5a37d59b1
SHA512: 0b3cc740f6754964d24ccfef936ad070062549ff2cb21a0e4731bc985229887f6900d0d0b6f90884694a32b56fe58cac7d853317e969a57aac1da097d1141d7c

Filesize: 206B
MD5: 2e229de393f6dc3f4bfd48dbf596ea00
SHA1: 88ee8fd696bc9b6065edd0905b7aa5d5f0b536a2
SHA256: 1eb5d2637c6bc66e98b6544c209722e2a3eb851daaa4016daca99807961da5bf
SHA512: d3581ebf1a8734231100c112d9f9f69423d1d4dacb8c35f888a33257a34852dd0ca6a20f8a4050549bd0330187aea82e7e9a8c5f298b6dd646c18807c648fbce

Filesize: 2.6MB
MD5: 780ccad667ea0144ec02dc0ec0859238
SHA1: befeb186efd063930cbaab8c35555c22fb90bbe3
SHA256: a2be7d3a3c049df2b745be6519a9dd70c532aa7ab80b08befb579aa8a60d5227
SHA512: 92f6a1af6e3361d6636cabf1c0403e2ab75b9abed715c5dda9fe6993bda63339934b37eedfc2d2b9db2587c4199ceb45245d51a563b205c32d0b32cd021ce8ca