Analysis

  • max time kernel: 149s
  • max time network: 126s
  • platform: windows7_x64
  • resource: win7-20241010-en
  • resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted: 27/10/2024, 22:16

General

  • Target: 40cdfd21c20c1a2a9d9d51190aa2e87365339f33c6c6d9725fadcd8a2b9bed8c.exe
  • Size: 2.6MB
  • MD5: e7b4c7419fe3b6abef29abf8b4158d76
  • SHA1: 7ded70c2b2421e82b5a97e61515d8ebe72028d91
  • SHA256: 40cdfd21c20c1a2a9d9d51190aa2e87365339f33c6c6d9725fadcd8a2b9bed8c
  • SHA512: 586387b7bc3e3fc0f901616a372cf6c64bd3eba5943914427199b514ff749bc941ef31053210d76d28dad64c22e0c0954dce325f5338cd367351e3fa1f3bcb74
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBPB/bS:sxX7QnxrloE5dpUpkb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\40cdfd21c20c1a2a9d9d51190aa2e87365339f33c6c6d9725fadcd8a2b9bed8c.exe
    "C:\Users\Admin\AppData\Local\Temp\40cdfd21c20c1a2a9d9d51190aa2e87365339f33c6c6d9725fadcd8a2b9bed8c.exe"
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2200
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2080
    • C:\FilesD7\abodec.exe
      C:\FilesD7\abodec.exe
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2168

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\FilesD7\abodec.exe
    Filesize: 2.6MB
    MD5: c7f8f576a441c0a7e48b356c98f8d922
    SHA1: 009e7b6a151411a2b9efa98d14fce160d69779fa
    SHA256: 90c6590720caad565d2584f86a36db9680104c2091ffb69a7ba8e9b6e8a3016b
    SHA512: fd7201b7b8527061ac804fc73c93ed4f02347e1d54f950975fd442c4828bfa32da0d4b3cd705d96378464e238a027dbabbc48cf774a2a4ffcfb0ee214c9c4c0a

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 165B
    MD5: 928e51fbd1d112d66f0e61f3ef22763d
    SHA1: 581571dfe027d3437557da1540efccfab3727503
    SHA256: 1ad3abad421f2b3e9c98107c35edbd280038b07c8b33d09a0c1d93784bd699bf
    SHA512: aa24ae04d448f6cc5a5852c5c42a538c15c421c715e7811fa39c78999126f45c6d0d9ef76579ddecafef847a7851921faf2723a754d1bbc80011efc6a88a8916

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 197B
    MD5: b47a9e5d87a05f5b2e063a0e02815264
    SHA1: 7499dd5a54964ccf62ae912435e7c25a18a82726
    SHA256: d6c4e7aba22485f8e9749b44d3d39246ffb381b4f4f389aaa29853fc335e9183
    SHA512: 161370aa51cfd6795bddd7723a5eec6f62b05ce08100a3d0f1065e31776e897e51ee87f1a13cee2b04538dfcc7c1cca84cac2e2ed1791c00fb11009f73e6320e

  • C:\Vid35\dobxec.exe
    Filesize: 2.6MB
    MD5: f0a8bb6ddf75b7386e58ee0a8e8b39bd
    SHA1: 42c03117e5152f43d21824bfa6e9ddc0ef49d3c6
    SHA256: bf23db7c9dce8b4feba341a51b61b65de084dd00493e9ea76f792ca8fa4b35f3
    SHA512: a223777826c1dea7d0f500b8ed64d22a2c3c7042fe3e62d3db8c6691aea68094bb4c1eb7ad0bc6087e6198fdeb8e71f32a9872a1155846588b9c86df524d94ef

  • C:\Vid35\dobxec.exe
    Filesize: 2.6MB
    MD5: 4c38a90d6af908639dd94778844cff10
    SHA1: d37b67266b711a57b755e269d7202c100ff2a1a7
    SHA256: d6b4251701cb862d70ed189783f023267af64b0a26e1ddb36876fb6e96b8922e
    SHA512: 208f0074e0bd2e94eeaeeaf51efa6d7a2cdc791f044071a5d1dbcb5250cb529906eb9e36de79bf8dab70bd126515dc33dfbb963c0443140d7db4af887d4eba2c

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
    Filesize: 2.6MB
    MD5: 47704bb52d7290328c42680f8eda6b64
    SHA1: 93a2bba13ee20d505c1111cc7f55da10c83749b1
    SHA256: 9defb65c7143be6ab09f2a4d8d70060bff42343d65c5666f13b49e9107d16315
    SHA512: 3992525bf949e8934cc89f522660d49eadb1a2d3e432193967c72186725fb87f557aa6d84d58a4380d046c4774b799f75b3094468722632524fa07a2c6328e89