Analysis

  • max time kernel
    119s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/10/2024, 21:03

General

  • Target

    618c00da043ace75dc3a1f396b9cbee36e3383ddf20eb219d0afb674cb1f0ceeN.exe

  • Size

    3.0MB

  • MD5

    edce5e8f6066b92a75b75e4557bbeba0

  • SHA1

    48210915c6733c5f287d8cc027e8d7c413cfb25a

  • SHA256

    618c00da043ace75dc3a1f396b9cbee36e3383ddf20eb219d0afb674cb1f0cee

  • SHA512

    8917446eb045bec32ee7befa337934f3ff3fb151a5bc5bae664fc86a6159fb0b0946bffb70a07c2f60f883278270d8e1341fe7abed667f3dd618c13ae3aedd81

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBiB/bSqz8:sxX7QnxrloE5dpUpFbVz8

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\618c00da043ace75dc3a1f396b9cbee36e3383ddf20eb219d0afb674cb1f0ceeN.exe
    "C:\Users\Admin\AppData\Local\Temp\618c00da043ace75dc3a1f396b9cbee36e3383ddf20eb219d0afb674cb1f0ceeN.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3432
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:5012
    • C:\UserDotAN\xoptisys.exe
      C:\UserDotAN\xoptisys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3096
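The signatures above and the process tree map directly onto host telemetry: a file written into the per-user Startup folder, a value set under a CurrentVersion\Run key, and child processes launched from the files that were just dropped (one of them from the non-standard root directory C:\UserDotAN). The following is an added example, not code from the report or from tria.ge, showing how those three behaviours can be detected over Sysmon-style events. The event lines are constructed for the example: the image paths and PIDs mirror the process tree, while the Run value name "ecxopti", the SID and the benign notepad/notes.txt lines are assumptions.

```python
import re
from collections import Counter

# Constructed, simplified Sysmon-style events, one per line as "Key=Value"
# pairs separated by "|". This is NOT the sandbox's telemetry: image paths
# and PIDs mirror the process tree in the report; the Run value name
# "ecxopti", the SID, and the benign notepad/notes.txt lines are assumed.
SAMPLE_NAME = "618c00da043ace75dc3a1f396b9cbee36e3383ddf20eb219d0afb674cb1f0ceeN.exe"
TEMP_EXE = "\\".join([r"C:\Users\Admin\AppData\Local\Temp", SAMPLE_NAME])
STARTUP_EXE = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
ODD_EXE = r"C:\UserDotAN\xoptisys.exe"

SAMPLE_EVENTS = [
    f"EventID=1|ProcessId=3432|Image={TEMP_EXE}|ParentImage=C:\\Windows\\explorer.exe",
    f"EventID=11|ProcessId=3432|TargetFilename={STARTUP_EXE}",
    f"EventID=11|ProcessId=3432|TargetFilename={ODD_EXE}",
    "EventID=13|ProcessId=3432|TargetObject=HKU\\S-1-5-21-1000\\Software\\Microsoft"
    f"\\Windows\\CurrentVersion\\Run\\ecxopti|Details={ODD_EXE}",
    f"EventID=1|ProcessId=5012|Image={STARTUP_EXE}|ParentImage={TEMP_EXE}",
    f"EventID=1|ProcessId=3096|Image={ODD_EXE}|ParentImage={TEMP_EXE}",
    "EventID=1|ProcessId=4100|Image=C:\\Windows\\System32\\notepad.exe|ParentImage=C:\\Windows\\explorer.exe",
    "EventID=11|ProcessId=4100|TargetFilename=C:\\Users\\Admin\\Documents\\notes.txt",
]

# Per-user Startup folder: anything created here runs at the next logon.
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+$", re.I)
# HKCU/HKLM ...\CurrentVersion\Run and RunOnce values.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.I)
# Executables one directory below the drive root, e.g. C:\UserDotAN\x.exe.
SHALLOW_EXE_RE = re.compile(r"^[A-Z]:\\([^\\]+)\\[^\\]+\.exe$", re.I)
EXPECTED_ROOTS = {"windows", "program files", "program files (x86)", "users", "programdata"}


def parse_event(line: str) -> dict:
    """Split one 'Key=Value|Key=Value' line into a dict."""
    return dict(field.split("=", 1) for field in line.split("|"))


def from_unexpected_root(path: str) -> bool:
    """True for C:\\<dir>\\<name>.exe where <dir> is not a standard Windows root."""
    m = SHALLOW_EXE_RE.match(path)
    return bool(m) and m.group(1).lower() not in EXPECTED_ROOTS


def detect(lines):
    """Return (rule, pid, detail) findings named after the report's signatures."""
    findings = []
    dropped = set()  # files created during the trace, lower-cased for matching
    for line in lines:
        ev = parse_event(line)
        eid, pid = ev["EventID"], int(ev["ProcessId"])
        if eid == "11":  # FileCreate
            target = ev["TargetFilename"]
            dropped.add(target.lower())
            if STARTUP_DIR_RE.search(target):
                findings.append(("Drops startup file", pid, target))
        elif eid == "13" and RUN_KEY_RE.search(ev["TargetObject"]):  # RegistryEvent SetValue
            detail = f'{ev["TargetObject"]} -> {ev.get("Details", "")}'
            findings.append(("Adds Run key to start application", pid, detail))
        elif eid == "1":  # ProcessCreate
            image = ev["Image"]
            if image.lower() in dropped:
                findings.append(("Executes dropped EXE", pid, f'{ev["ParentImage"]} -> {image}'))
            if from_unexpected_root(image):
                findings.append(("Runs EXE from unexpected root directory", pid, image))
    return findings


def summarize(findings) -> Counter:
    """Count findings per rule, the same shape as the report's 'N IoCs' column."""
    return Counter(rule for rule, _, _ in findings)


if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] pid={pid} {detail}")
```

The "Executes dropped EXE" rule only fires when the FileCreate event precedes the ProcessCreate event, which is why the events must be fed in timestamp order; the "unexpected root directory" rule is an extra heuristic that the report does not list as a signature but that catches the C:\UserDotAN\ drop even when the FileCreate event is missing.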

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\KaVB7R\optialoc.exe

    Filesize

    1.5MB

    MD5

    884f40695dd45f26c5aeddbf4a3c052d

    SHA1

    a6751b783a6ac8739325b863f6c7843b883539cf

    SHA256

    054bf27eff014ad4b952a50cd53fd6a5ec9ffb49ecb8f8c372633f4d008bb450

    SHA512

    659b493d1da230610a88de2938f2b73251df604f8e9f9840b51c5c9df040fe66b3cb786a5730715501f3cf044a331a213543645e95a70d1bb3015d3b3baa54d7

  • C:\KaVB7R\optialoc.exe

    Filesize

    13KB

    MD5

    010abc54ad22b0097656874fb22a7154

    SHA1

    45bdf3c1248bfa8c3561f645584b422b09487bfd

    SHA256

    705f76c68555180f761c8c851afc45b406822827d7f5552bd4b1e0d0b4814633

    SHA512

    fa5324f35df376fc039ce4e3f804a6f788d3702b680d932e1c53d240d96195a223dda954f583c38f94a775656386606d2c16788dd30a1aaf3eae959c47311545

  • C:\UserDotAN\xoptisys.exe

    Filesize

    3.0MB

    MD5

    0c53f1b85de1701f3428a7637c39d5e0

    SHA1

    cf4aa23711763d53e6ef56fdcf5e8ae83456cadd

    SHA256

    808a886c3a350b7416c102d6a213ef6983fdb2c78e1599b2055bb0cceb5628b5

    SHA512

    30e94f0c1b006ce7bf437be7aa28c6b08a4eea724f1f5ad903893edc0ff077a4347da3710e49ae9e7e08ab35995c30f035e7c0868fa4153ef08caa2bb48825a2

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    204B

    MD5

    54a4672e73477409a092df5ed582968a

    SHA1

    8e885ed6ae5df5041ed0df5ce81d66f87ad7c8b5

    SHA256

    9642e240767d603d56816dea2943e7ecf4ded98891b50512001ae8c23050f58d

    SHA512

    5ff2152070d17cac4ecb5d43b5330f140edddefadbdfcca9f1cfee97adec7a3d8d389ae17779ad51014373955aa2d9b7e3c88571d3c615d55fb8eec546994fe6

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    172B

    MD5

    690222265851bcdc6e37806892ff5067

    SHA1

    3af3bb007f117ddd3b78a41139ccc67ee3e5e920

    SHA256

    b86603b68ac91ceee63f099942f1b84c82f7f903dafd8e47a49c9dd7dbac8ef5

    SHA512

    aa5f1869ec952a1e2cdc972bc3b116394dfd4ef9ef0034c0b17c49bd21c1a35165b857a082266dfeb10122e292c1146a9dc43f4111f506f6eb302030de832e00

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe

    Filesize

    3.0MB

    MD5

    cb878078b21f1fd0de9d2894d931049b

    SHA1

    288a75c82e8639ddedb88367f6220e51897e3750

    SHA256

    a8035ed32a9851c3daddef20d6117b9d195020c370ba4520cf73879f05cab8d6

    SHA512

    9636a681574911cbd871c660b12c65320b63218b07299fddc4f94decc6bb61db2ac29b88ca657d461ce0a1609487d376f8689b9a2e435c93a46faf83bad5c21d
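Note that C:\KaVB7R\optialoc.exe appears twice above with different sizes and hashes: the same path was written with two different contents during the run, so a host sweep has to key on file content rather than on path. The following is an added example, not code from the report or from tria.ge, that turns the SHA256 values listed above into an IOC table and hashes every file under a directory in a single pass (MD5, SHA1 and SHA256 together, since older blocklists still key on the weaker digests). The two small .ini files are left out of the table on the assumption that their content is host-specific; the demo function writes a constructed file so the sweep can be exercised offline.

```python
import hashlib
import os
import tempfile

# SHA256 values copied from the report's General and Downloads sections,
# labelled with the path the sandbox saw them at. The two .ini files are
# omitted (assumed host-specific). This table and the sweep are added
# example code, not part of the tria.ge report.
IOC_SHA256 = {
    "618c00da043ace75dc3a1f396b9cbee36e3383ddf20eb219d0afb674cb1f0cee": "submitted sample",
    "054bf27eff014ad4b952a50cd53fd6a5ec9ffb49ecb8f8c372633f4d008bb450": r"C:\KaVB7R\optialoc.exe (1.5MB)",
    "705f76c68555180f761c8c851afc45b406822827d7f5552bd4b1e0d0b4814633": r"C:\KaVB7R\optialoc.exe (13KB)",
    "808a886c3a350b7416c102d6a213ef6983fdb2c78e1599b2055bb0cceb5628b5": r"C:\UserDotAN\xoptisys.exe",
    "a8035ed32a9851c3daddef20d6117b9d195020c370ba4520cf73879f05cab8d6": r"...\Startup\ecxopti.exe",
}


def hash_file(path: str, chunk: int = 1 << 20) -> dict:
    """Compute MD5, SHA1 and SHA256 of a file in one read pass."""
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for d in digests.values():
                d.update(block)
    return {name: d.hexdigest() for name, d in digests.items()}


def sweep(root: str, iocs: dict = IOC_SHA256) -> list:
    """Walk root; return (path, sha256, label) for files whose SHA256 is an IOC."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                d = hash_file(path)
            except OSError:  # locked, unreadable or vanished file: skip, keep sweeping
                continue
            if d["sha256"] in iocs:
                hits.append((path, d["sha256"], iocs[d["sha256"]]))
    return hits


def demo_sweep():
    """Write a constructed file (contents b"abc") plus a benign one into a temp
    directory and sweep them against an IOC table keyed on the first file's
    SHA256. Returns (digests of the constructed file, sweep hits)."""
    with tempfile.TemporaryDirectory() as tmp:
        suspect = os.path.join(tmp, "optialoc.exe")
        with open(suspect, "wb") as f:
            f.write(b"abc")
        with open(os.path.join(tmp, "notes.txt"), "wb") as f:
            f.write(b"benign")
        digests = hash_file(suspect)
        hits = sweep(tmp, {digests["sha256"]: "constructed test file"})
        return digests, hits


if __name__ == "__main__":
    digests, hits = demo_sweep()
    print("constructed file:", digests)
    for path, sha256, label in hits:
        print(f"HIT {path} {sha256} ({label})")
```

Run `sweep(r"C:\")` (or any narrower root) on a suspect host with the default IOC table to look for the dropped files by content; the hit label tells you which of the report's artefacts matched, including which of the two optialoc.exe variants.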