Analysis
- max time kernel: 119s
- max time network: 96s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/10/2024, 21:03
Static task: static1
Behavioral task: behavioral1
- Sample: 618c00da043ace75dc3a1f396b9cbee36e3383ddf20eb219d0afb674cb1f0ceeN.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 618c00da043ace75dc3a1f396b9cbee36e3383ddf20eb219d0afb674cb1f0ceeN.exe
- Resource: win10v2004-20241007-en
General
- Target: 618c00da043ace75dc3a1f396b9cbee36e3383ddf20eb219d0afb674cb1f0ceeN.exe
- Size: 3.0MB
- MD5: edce5e8f6066b92a75b75e4557bbeba0
- SHA1: 48210915c6733c5f287d8cc027e8d7c413cfb25a
- SHA256: 618c00da043ace75dc3a1f396b9cbee36e3383ddf20eb219d0afb674cb1f0cee
- SHA512: 8917446eb045bec32ee7befa337934f3ff3fb151a5bc5bae664fc86a6159fb0b0946bffb70a07c2f60f883278270d8e1341fe7abed667f3dd618c13ae3aedd81
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBiB/bSqz8:sxX7QnxrloE5dpUpFbVz8
Malware Config
Signatures
Drops startup file (1 IoC)
description    ioc                                                                                       Process
File created   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe   618c00da043ace75dc3a1f396b9cbee36e3383ddf20eb219d0afb674cb1f0ceeN.exe
Executes dropped EXE (2 IoCs)
pid    Process
5012   ecxopti.exe
3096   xoptisys.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
description       ioc                                                                                                                                              Process
Set value (str)   \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotAN\\xoptisys.exe"    618c00da043ace75dc3a1f396b9cbee36e3383ddf20eb219d0afb674cb1f0ceeN.exe
Set value (str)   \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB7R\\optialoc.exe"   618c00da043ace75dc3a1f396b9cbee36e3383ddf20eb219d0afb674cb1f0ceeN.exe
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description   ioc                                                          Process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   618c00da043ace75dc3a1f396b9cbee36e3383ddf20eb219d0afb674cb1f0ceeN.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   ecxopti.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   xoptisys.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid    Process
3432   618c00da043ace75dc3a1f396b9cbee36e3383ddf20eb219d0afb674cb1f0ceeN.exe
3432   618c00da043ace75dc3a1f396b9cbee36e3383ddf20eb219d0afb674cb1f0ceeN.exe
3432   618c00da043ace75dc3a1f396b9cbee36e3383ddf20eb219d0afb674cb1f0ceeN.exe
3432   618c00da043ace75dc3a1f396b9cbee36e3383ddf20eb219d0afb674cb1f0ceeN.exe
5012   ecxopti.exe
5012   ecxopti.exe
3096   xoptisys.exe
3096   xoptisys.exe
5012   ecxopti.exe
5012   ecxopti.exe
3096   xoptisys.exe
3096   xoptisys.exe
5012   ecxopti.exe
5012   ecxopti.exe
3096   xoptisys.exe
3096   xoptisys.exe
5012   ecxopti.exe
5012   ecxopti.exe
3096   xoptisys.exe
3096   xoptisys.exe
5012   ecxopti.exe
5012   ecxopti.exe
3096   xoptisys.exe
3096   xoptisys.exe
5012   ecxopti.exe
5012   ecxopti.exe
3096   xoptisys.exe
3096   xoptisys.exe
5012   ecxopti.exe
5012   ecxopti.exe
3096   xoptisys.exe
3096   xoptisys.exe
5012   ecxopti.exe
5012   ecxopti.exe
3096   xoptisys.exe
3096   xoptisys.exe
5012   ecxopti.exe
5012   ecxopti.exe
3096   xoptisys.exe
3096   xoptisys.exe
5012   ecxopti.exe
5012   ecxopti.exe
3096   xoptisys.exe
3096   xoptisys.exe
5012   ecxopti.exe
5012   ecxopti.exe
3096   xoptisys.exe
3096   xoptisys.exe
5012   ecxopti.exe
5012   ecxopti.exe
3096   xoptisys.exe
3096   xoptisys.exe
5012   ecxopti.exe
5012   ecxopti.exe
3096   xoptisys.exe
3096   xoptisys.exe
5012   ecxopti.exe
5012   ecxopti.exe
3096   xoptisys.exe
3096   xoptisys.exe
5012   ecxopti.exe
5012   ecxopti.exe
3096   xoptisys.exe
3096   xoptisys.exe
Suspicious use of WriteProcessMemory (6 IoCs)
description                      pid    Process                                                                  procid_target
PID 3432 wrote to memory of 5012   3432   618c00da043ace75dc3a1f396b9cbee36e3383ddf20eb219d0afb674cb1f0ceeN.exe   88
PID 3432 wrote to memory of 5012   3432   618c00da043ace75dc3a1f396b9cbee36e3383ddf20eb219d0afb674cb1f0ceeN.exe   88
PID 3432 wrote to memory of 5012   3432   618c00da043ace75dc3a1f396b9cbee36e3383ddf20eb219d0afb674cb1f0ceeN.exe   88
PID 3432 wrote to memory of 3096   3432   618c00da043ace75dc3a1f396b9cbee36e3383ddf20eb219d0afb674cb1f0ceeN.exe   89
PID 3432 wrote to memory of 3096   3432   618c00da043ace75dc3a1f396b9cbee36e3383ddf20eb219d0afb674cb1f0ceeN.exe   89
PID 3432 wrote to memory of 3096   3432   618c00da043ace75dc3a1f396b9cbee36e3383ddf20eb219d0afb674cb1f0ceeN.exe   89
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\618c00da043ace75dc3a1f396b9cbee36e3383ddf20eb219d0afb674cb1f0ceeN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\618c00da043ace75dc3a1f396b9cbee36e3383ddf20eb219d0afb674cb1f0ceeN.exe"
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 3432
  Depth 2: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 5012
  Depth 2: C:\UserDotAN\xoptisys.exe
    Command line: C:\UserDotAN\xoptisys.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 3096
Network
MITRE ATT&CK Enterprise v15