Analysis

  • max time kernel
    119s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/10/2024, 21:58

General

  • Target

    ce19770896b004f5cfbf593525f251f7421f4a5c6745b4443317e60937f1236fN.exe

  • Size

    2.6MB

  • MD5

    15b92c89120936bf3cc7d30ee468c240

  • SHA1

    2a5257b404586fe1af8e3007d9d8a1f68b7c39cf

  • SHA256

    ce19770896b004f5cfbf593525f251f7421f4a5c6745b4443317e60937f1236f

  • SHA512

    e72bc15f713f675b5319dfde96366b90c13e1d3d0aaefb6a8f9ca0a91f99d9e7f003b76d9f0a0913685998de460fda9e936f2161baf1e43a1227856d8134f425

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBJB/bS:sxX7QnxrloE5dpUp2b

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ce19770896b004f5cfbf593525f251f7421f4a5c6745b4443317e60937f1236fN.exe
    "C:\Users\Admin\AppData\Local\Temp\ce19770896b004f5cfbf593525f251f7421f4a5c6745b4443317e60937f1236fN.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2444
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2888
    • C:\IntelprocWQ\xdobloc.exe
      C:\IntelprocWQ\xdobloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2720

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\IntelprocWQ\xdobloc.exe

    Filesize

    2.6MB

    MD5

    b3cdfdddc4924c3980a844dba91b7965

    SHA1

    db5b5c0e57a7b2aad7c08eaa98c524556e66db59

    SHA256

    020ba59ec97ab174829428f81b09697e3c189673887ae16596ea0c66031533a3

    SHA512

    03d2610fdedfbd530c6587ff6aa61d488c742b1f5e06709fd4214b340206e34aec9d71fb56794576e7e3da7227b6fef91561c759481d9c90f43caef7831436dd

  • C:\MintIS\optiasys.exe

    Filesize

    2.6MB

    MD5

    316445b2efca97fb1f7fba529ff72de0

    SHA1

    81945f11cbf2baef52ec172f179fa43618ba3a8c

    SHA256

    b7b704b22cd97e3ead48ade11b81b13ed6c51c61ba66cf9d6bf735fc1bcf52fe

    SHA512

    374a26346234699bd19628006b8251d8f33971f251bfad343fceefcfefccee54a677656c3a4cceb9d49b8bd8fa2a4c60ace009e10876af012e2ea4de5dc9c638

  • C:\MintIS\optiasys.exe

    Filesize

    2.6MB

    MD5

    44e2cfa25c86ead731a8273f9cf975c5

    SHA1

    9ad41bc40a6c4fc5df0aa623d1604646a43e0eab

    SHA256

    21a8ef39ea8dc18c5f704b055b2d3cc705bb5e4a4ac5e1f56fc2b11aa86638d9

    SHA512

    7a32e0873e72f901f26c6029398c48952d4486c1268ad52b1463af843114d66fe00061ac44257c82fa30878cf01f450efcbbf85ca6727e4a8ecd045ff17d9785

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    174B

    MD5

    be52d496898e17064f24240b56ed9631

    SHA1

    bf78736f6d793cace9704ffdd8282eeed3ca2709

    SHA256

    67f8ec9ac7d25942577ca7fe197c5cbe17329f35bb4035f66a61c2b5a37d59b1

    SHA512

    0b3cc740f6754964d24ccfef936ad070062549ff2cb21a0e4731bc985229887f6900d0d0b6f90884694a32b56fe58cac7d853317e969a57aac1da097d1141d7c

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    206B

    MD5

    2e229de393f6dc3f4bfd48dbf596ea00

    SHA1

    88ee8fd696bc9b6065edd0905b7aa5d5f0b536a2

    SHA256

    1eb5d2637c6bc66e98b6544c209722e2a3eb851daaa4016daca99807961da5bf

    SHA512

    d3581ebf1a8734231100c112d9f9f69423d1d4dacb8c35f888a33257a34852dd0ca6a20f8a4050549bd0330187aea82e7e9a8c5f298b6dd646c18807c648fbce

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe

    Filesize

    2.6MB

    MD5

    780ccad667ea0144ec02dc0ec0859238

    SHA1

    befeb186efd063930cbaab8c35555c22fb90bbe3

    SHA256

    a2be7d3a3c049df2b745be6519a9dd70c532aa7ab80b08befb579aa8a60d5227

    SHA512

    92f6a1af6e3361d6636cabf1c0403e2ab75b9abed715c5dda9fe6993bda63339934b37eedfc2d2b9db2587c4199ceb45245d51a563b205c32d0b32cd021ce8ca