Analysis (behavioral1 run)
  max time kernel: 120s
  max time network: 17s
  platform: windows7_x64
  resource: win7-20240903-en
  resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  submitted: 25/10/2024, 21:03
Static task
  static1
Behavioral task
  behavioral1
    Sample: 618c00da043ace75dc3a1f396b9cbee36e3383ddf20eb219d0afb674cb1f0ceeN.exe
    Resource: win7-20240903-en
Behavioral task
  behavioral2
    Sample: 618c00da043ace75dc3a1f396b9cbee36e3383ddf20eb219d0afb674cb1f0ceeN.exe
    Resource: win10v2004-20241007-en
General
  Target: 618c00da043ace75dc3a1f396b9cbee36e3383ddf20eb219d0afb674cb1f0ceeN.exe
  Size: 3.0MB
  MD5: edce5e8f6066b92a75b75e4557bbeba0
  SHA1: 48210915c6733c5f287d8cc027e8d7c413cfb25a
  SHA256: 618c00da043ace75dc3a1f396b9cbee36e3383ddf20eb219d0afb674cb1f0cee
  SHA512: 8917446eb045bec32ee7befa337934f3ff3fb151a5bc5bae664fc86a6159fb0b0946bffb70a07c2f60f883278270d8e1341fe7abed667f3dd618c13ae3aedd81
  SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBiB/bSqz8:sxX7QnxrloE5dpUpFbVz8
Malware Config
Signatures

- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
  Process: 618c00da043ace75dc3a1f396b9cbee36e3383ddf20eb219d0afb674cb1f0ceeN.exe
  Anything placed in the per-user Startup folder is launched at the next interactive logon, so this is a persistence mechanism in its own right, independent of the registry Run entries below.

- Executes dropped EXE (2 IoCs)
  PID 2328: sysdevbod.exe
  PID 3008: aoptisys.exe

- Loads dropped DLL (2 IoCs)
  PID 2100: 618c00da043ace75dc3a1f396b9cbee36e3383ddf20eb219d0afb674cb1f0ceeN.exe (two load events; the DLL path is not recorded on this page)

- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
  No concrete file or registry IoC is listed for this signature on this page, so treat it as a capability indicator rather than confirmed credential theft.

- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesFQ\\aoptisys.exe"
    Process: 618c00da043ace75dc3a1f396b9cbee36e3383ddf20eb219d0afb674cb1f0ceeN.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZIG\\bodasys.exe"
    Process: 618c00da043ace75dc3a1f396b9cbee36e3383ddf20eb219d0afb674cb1f0ceeN.exe
  Both values share the misspelled name "Parametr", which is a more specific hunting pivot than the executable names. Note that the RunOnce target C:\LabZIG\bodasys.exe appears nowhere in the process tree: the value was written, but no process by that name was observed to run within the 120 s kernel window.

- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  An attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    by 618c00da043ace75dc3a1f396b9cbee36e3383ddf20eb219d0afb674cb1f0ceeN.exe, sysdevbod.exe and aoptisys.exe (one open per process)

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2100 (618c00da043ace75dc3a1f396b9cbee36e3383ddf20eb219d0afb674cb1f0ceeN.exe): 2 events
  PID 2328 (sysdevbod.exe) and PID 3008 (aoptisys.exe): the remaining 62 events, alternating between the two processes

- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2100 (618c00da043ace75dc3a1f396b9cbee36e3383ddf20eb219d0afb674cb1f0ceeN.exe) wrote to memory of PID 2328 (sysdevbod.exe), 4 events, procid_target 31
  PID 2100 (618c00da043ace75dc3a1f396b9cbee36e3383ddf20eb219d0afb674cb1f0ceeN.exe) wrote to memory of PID 3008 (aoptisys.exe), 4 events, procid_target 32
  Both targets are the parent's own children as shown in the process tree, and the writes coincide with their creation; the page records no write into a process the sample did not create itself, so this alone is not evidence of injection into a foreign process.
Processes
- C:\Users\Admin\AppData\Local\Temp\618c00da043ace75dc3a1f396b9cbee36e3383ddf20eb219d0afb674cb1f0ceeN.exe (PID 2100, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\618c00da043ace75dc3a1f396b9cbee36e3383ddf20eb219d0afb674cb1f0ceeN.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe (PID 2328, depth 2, child of PID 2100)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\FilesFQ\aoptisys.exe (PID 3008, depth 2, child of PID 2100)
    Command line: C:\FilesFQ\aoptisys.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
Six dropped files are listed. The page records size and hashes only, not the on-disk path of each entry, so the mapping to sysdevbod.exe, aoptisys.exe and the other artefacts above is not given here.

- Dropped file 1
  Filesize: 3.0MB
  MD5: bcd1603bae8c525072a48b859b09243a
  SHA1: 66251caf8c43c2692e5ea18d32e78dc57cc347f5
  SHA256: 6190a418c908778e98a5e94f361fa675266f67ea4b6cc5245af3986ee4bb4aa1
  SHA512: d6e90c5a3ea825479fd8ecf4c042bc6a3ba476fe9eb1e1c773688282e3cb32ab9927d7795ba68eb464f5943de5cde9c569ed673f3358f1bc934d438cf9403024

- Dropped file 2
  Filesize: 1.7MB
  MD5: 6e0372fe85c74e911b5e15b4502c6916
  SHA1: d16cd52c38301c7b423ffe3b9e4d85669aa04705
  SHA256: 7d0ccb0f34193316f3f0e3774cc9e253090a60155db2b5d8539bdf62a808e293
  SHA512: 1dd89567778107a0bfe6504434045adf56adf6af6c290bff9a38464ae15aa69b2be629f8bf876adadd40582e4138b0b8e3c0a3b96a930105f2b9a8ae2b9feb53

- Dropped file 3
  Filesize: 3.0MB
  MD5: 02a68bc7443c0cddee73b388f31c5dfc
  SHA1: 3e791b36457202b6fe4fd0a0fe69a86133a491c5
  SHA256: 93e3fbec605c9013792a61e8c3966b08f70f403ef9cda6f06a530c3c0fade696
  SHA512: a725766449546b045a10fd0d00e54049b9464de3fd7c94243ce8f0132ee2be8fa79abed8ee48c3d0aef02d9c8b00af1571c68704c3c7f5bcb3a1a4ee6b34be66

- Dropped file 4
  Filesize: 171B
  MD5: cedfe78d9060f90e9026ab36bee01d66
  SHA1: 5e721a36585250980602b6d635058aa7a1873f19
  SHA256: 8af86d6afa0509bbf23bb25c64664f0907a71af247bb68dcdba58a2e16208bb9
  SHA512: 668ab55028c47c61ceb441f673eb731c0cb2538e34fea62156e958770c5061c688ba44c0523d936a8308bab637075d4331191621d332512d2ce57e2e9320d90f

- Dropped file 5
  Filesize: 203B
  MD5: 5da4702dab34cdb5584cc8157d7cc72d
  SHA1: 170465417fb4d989eee32bd9b7d30b0be836adf6
  SHA256: 05fea5f93fef3366218eacfe1574daa937413261fac2cf63e3bd038b343d21c2
  SHA512: 12d7a9531e25b10d3c0c3ebc5543d9a817e6838874186fe8073ae73daefc66fdc4f7d47861449674259c8ca8d8d4984dd4badcc8257f589c4f32505165199010

- Dropped file 6
  Filesize: 3.0MB
  MD5: d5ad9b4b7bc6e189d02eb26961d70243
  SHA1: 7bd32e8ce0888f243e42b296cd0062bd5a98e7bc
  SHA256: 4a57fcc9b2158ca35e7c76c08ff8095d11ee9ab23f4562073b709eeb5b9784fc
  SHA512: 64cf1334a8b98ba3332e61b0c8b5898dcfc2878e14f0b91658e031efebd53492a65574c5f631aaddb5a7a3a2a74e088ce411dac67986a6e86981bf63112ea6e6