Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 149s
max time network: 126s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 27/10/2024, 22:16
Static task: static1
Behavioral task: behavioral1
  Sample: 40cdfd21c20c1a2a9d9d51190aa2e87365339f33c6c6d9725fadcd8a2b9bed8c.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: 40cdfd21c20c1a2a9d9d51190aa2e87365339f33c6c6d9725fadcd8a2b9bed8c.exe
  Resource: win10v2004-20241007-en
General
Target: 40cdfd21c20c1a2a9d9d51190aa2e87365339f33c6c6d9725fadcd8a2b9bed8c.exe
Size: 2.6MB
MD5: e7b4c7419fe3b6abef29abf8b4158d76
SHA1: 7ded70c2b2421e82b5a97e61515d8ebe72028d91
SHA256: 40cdfd21c20c1a2a9d9d51190aa2e87365339f33c6c6d9725fadcd8a2b9bed8c
SHA512: 586387b7bc3e3fc0f901616a372cf6c64bd3eba5943914427199b514ff749bc941ef31053210d76d28dad64c22e0c0954dce325f5338cd367351e3fa1f3bcb74
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBPB/bS:sxX7QnxrloE5dpUpkb
Malware Config
Signatures
Drops startup file (1 IoC)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | 40cdfd21c20c1a2a9d9d51190aa2e87365339f33c6c6d9725fadcd8a2b9bed8c.exe

Executes dropped EXE (2 IoCs)
  pid | Process
  2080 | ecaopti.exe
  2168 | abodec.exe

Loads dropped DLL (2 IoCs)
  pid | Process
  2200 | 40cdfd21c20c1a2a9d9d51190aa2e87365339f33c6c6d9725fadcd8a2b9bed8c.exe
  2200 | 40cdfd21c20c1a2a9d9d51190aa2e87365339f33c6c6d9725fadcd8a2b9bed8c.exe

Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesD7\\abodec.exe" | 40cdfd21c20c1a2a9d9d51190aa2e87365339f33c6c6d9725fadcd8a2b9bed8c.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid35\\dobxec.exe" | 40cdfd21c20c1a2a9d9d51190aa2e87365339f33c6c6d9725fadcd8a2b9bed8c.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 40cdfd21c20c1a2a9d9d51190aa2e87365339f33c6c6d9725fadcd8a2b9bed8c.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ecaopti.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | abodec.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  2200 | 40cdfd21c20c1a2a9d9d51190aa2e87365339f33c6c6d9725fadcd8a2b9bed8c.exe
  2200 | 40cdfd21c20c1a2a9d9d51190aa2e87365339f33c6c6d9725fadcd8a2b9bed8c.exe
  2080 | ecaopti.exe
  2168 | abodec.exe
  (the remaining 60 entries alternate between 2080 ecaopti.exe and 2168 abodec.exe)

Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 2200 wrote to memory of 2080 | 2200 | 40cdfd21c20c1a2a9d9d51190aa2e87365339f33c6c6d9725fadcd8a2b9bed8c.exe | 30
  PID 2200 wrote to memory of 2080 | 2200 | 40cdfd21c20c1a2a9d9d51190aa2e87365339f33c6c6d9725fadcd8a2b9bed8c.exe | 30
  PID 2200 wrote to memory of 2080 | 2200 | 40cdfd21c20c1a2a9d9d51190aa2e87365339f33c6c6d9725fadcd8a2b9bed8c.exe | 30
  PID 2200 wrote to memory of 2080 | 2200 | 40cdfd21c20c1a2a9d9d51190aa2e87365339f33c6c6d9725fadcd8a2b9bed8c.exe | 30
  PID 2200 wrote to memory of 2168 | 2200 | 40cdfd21c20c1a2a9d9d51190aa2e87365339f33c6c6d9725fadcd8a2b9bed8c.exe | 32
  PID 2200 wrote to memory of 2168 | 2200 | 40cdfd21c20c1a2a9d9d51190aa2e87365339f33c6c6d9725fadcd8a2b9bed8c.exe | 32
  PID 2200 wrote to memory of 2168 | 2200 | 40cdfd21c20c1a2a9d9d51190aa2e87365339f33c6c6d9725fadcd8a2b9bed8c.exe | 32
  PID 2200 wrote to memory of 2168 | 2200 | 40cdfd21c20c1a2a9d9d51190aa2e87365339f33c6c6d9725fadcd8a2b9bed8c.exe | 32
Processes
[1] C:\Users\Admin\AppData\Local\Temp\40cdfd21c20c1a2a9d9d51190aa2e87365339f33c6c6d9725fadcd8a2b9bed8c.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\40cdfd21c20c1a2a9d9d51190aa2e87365339f33c6c6d9725fadcd8a2b9bed8c.exe"
    PID: 2200
    - Drops startup file
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
      PID: 2080
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

  [2] C:\FilesD7\abodec.exe
      Command line: C:\FilesD7\abodec.exe
      PID: 2168
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2.6MB
MD5: c7f8f576a441c0a7e48b356c98f8d922
SHA1: 009e7b6a151411a2b9efa98d14fce160d69779fa
SHA256: 90c6590720caad565d2584f86a36db9680104c2091ffb69a7ba8e9b6e8a3016b
SHA512: fd7201b7b8527061ac804fc73c93ed4f02347e1d54f950975fd442c4828bfa32da0d4b3cd705d96378464e238a027dbabbc48cf774a2a4ffcfb0ee214c9c4c0a

Filesize: 165B
MD5: 928e51fbd1d112d66f0e61f3ef22763d
SHA1: 581571dfe027d3437557da1540efccfab3727503
SHA256: 1ad3abad421f2b3e9c98107c35edbd280038b07c8b33d09a0c1d93784bd699bf
SHA512: aa24ae04d448f6cc5a5852c5c42a538c15c421c715e7811fa39c78999126f45c6d0d9ef76579ddecafef847a7851921faf2723a754d1bbc80011efc6a88a8916

Filesize: 197B
MD5: b47a9e5d87a05f5b2e063a0e02815264
SHA1: 7499dd5a54964ccf62ae912435e7c25a18a82726
SHA256: d6c4e7aba22485f8e9749b44d3d39246ffb381b4f4f389aaa29853fc335e9183
SHA512: 161370aa51cfd6795bddd7723a5eec6f62b05ce08100a3d0f1065e31776e897e51ee87f1a13cee2b04538dfcc7c1cca84cac2e2ed1791c00fb11009f73e6320e

Filesize: 2.6MB
MD5: f0a8bb6ddf75b7386e58ee0a8e8b39bd
SHA1: 42c03117e5152f43d21824bfa6e9ddc0ef49d3c6
SHA256: bf23db7c9dce8b4feba341a51b61b65de084dd00493e9ea76f792ca8fa4b35f3
SHA512: a223777826c1dea7d0f500b8ed64d22a2c3c7042fe3e62d3db8c6691aea68094bb4c1eb7ad0bc6087e6198fdeb8e71f32a9872a1155846588b9c86df524d94ef

Filesize: 2.6MB
MD5: 4c38a90d6af908639dd94778844cff10
SHA1: d37b67266b711a57b755e269d7202c100ff2a1a7
SHA256: d6b4251701cb862d70ed189783f023267af64b0a26e1ddb36876fb6e96b8922e
SHA512: 208f0074e0bd2e94eeaeeaf51efa6d7a2cdc791f044071a5d1dbcb5250cb529906eb9e36de79bf8dab70bd126515dc33dfbb963c0443140d7db4af887d4eba2c

Filesize: 2.6MB
MD5: 47704bb52d7290328c42680f8eda6b64
SHA1: 93a2bba13ee20d505c1111cc7f55da10c83749b1
SHA256: 9defb65c7143be6ab09f2a4d8d70060bff42343d65c5666f13b49e9107d16315
SHA512: 3992525bf949e8934cc89f522660d49eadb1a2d3e432193967c72186725fb87f557aa6d84d58a4380d046c4774b799f75b3094468722632524fa07a2c6328e89