Analysis

  • max time kernel
    150s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27/10/2024, 22:16

General

  • Target

    40cdfd21c20c1a2a9d9d51190aa2e87365339f33c6c6d9725fadcd8a2b9bed8c.exe

  • Size

    2.6MB

  • MD5

    e7b4c7419fe3b6abef29abf8b4158d76

  • SHA1

    7ded70c2b2421e82b5a97e61515d8ebe72028d91

  • SHA256

    40cdfd21c20c1a2a9d9d51190aa2e87365339f33c6c6d9725fadcd8a2b9bed8c

  • SHA512

    586387b7bc3e3fc0f901616a372cf6c64bd3eba5943914427199b514ff749bc941ef31053210d76d28dad64c22e0c0954dce325f5338cd367351e3fa1f3bcb74

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBPB/bS:sxX7QnxrloE5dpUpkb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\40cdfd21c20c1a2a9d9d51190aa2e87365339f33c6c6d9725fadcd8a2b9bed8c.exe
    "C:\Users\Admin\AppData\Local\Temp\40cdfd21c20c1a2a9d9d51190aa2e87365339f33c6c6d9725fadcd8a2b9bed8c.exe"
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4112
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1296
    • C:\UserDotLX\devdobloc.exe
      C:\UserDotLX\devdobloc.exe
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4408

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\LabZEC\optixsys.exe

    Filesize

    2.6MB

    MD5

    85b1c4d1f752a226debd7fb43c853b96

    SHA1

    88f87ce59d7ff1b6dc4616717babf6ee2c6cc0fe

    SHA256

    510b64b9e2cd6a06acded41609d538dcbf33f0ebf09dc594e0d1f3f2f85d91e6

    SHA512

    e06b5ba9c9eeaa49d32e9aed48d22e87fd9eab1ac50af2bea22b7e386f7e4773c772907a1d8496898e459236001c29406768fb34b4d9b9d6e460b465c36731dd

  • C:\LabZEC\optixsys.exe

    Filesize

    603KB

    MD5

    6eb07a56cc7b1f82a8460375d9a03f3f

    SHA1

    53b16784d04cb731e87fcb6ec2ea14dc53ab49ed

    SHA256

    20a8837dbb3ddfc0071f863cad93cf282d0395b2d8103a8fe8194dccbddc4245

    SHA512

    5a0a0f428e9207b6019d7a1d0953bdf43191b8eb0cb280670cf809fff082b5a3821f33fcd168a66338e9d16086c0b9f3742690ef5db4e0f66bd69550ab58f682

  • C:\UserDotLX\devdobloc.exe

    Filesize

    2.6MB

    MD5

    83daaeae6dd76ba6d4ed466dc7a6f5a2

    SHA1

    779ff48645068044d59ec1d06e512315345010d5

    SHA256

    bc80bbe40b1251cd8abeb06c3934d0aa90c6a8eb40824202a39f1de755ccb87e

    SHA512

    75f9a3ded7d8826a9bdf3c73a3f2a1ace1a0efe847bfd9f17ae748d58f1ce00fd4a93589361cb3a98da1678835a86ba257d2786dcba106369619750cb66d6975

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    204B

    MD5

    db28aebc37103645f7a83d57e7d07902

    SHA1

    0b1b8704b176fb2ff70a6784d7b4e1a21bf798ff

    SHA256

    238abec2af50c3e96d9aac7d5855c21c57c326d449e8db7c5d7c3b791dc859ee

    SHA512

    b909ff905fcd17737459c1a77a3361f16be5077f6d1f23ff994825debfd11d9298fbea950bbc77576fc10b95480c906058e102dc358886f1da75851feeb7d2d6

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    172B

    MD5

    4d602bb0a7707030ac8c3509dfb9c7fc

    SHA1

    d50d8fa4d3560d37265cbba09b9c6ed552e06273

    SHA256

    d502fe8a30449ce13667b982330b576fc679169b900c332140e6f82719287240

    SHA512

    4c5a741d27a59c0bda0cc98b8ef41a9b869337e6ef5431ff892cd2839ebaaeecea11490f8dfa344ca523036ce14b5f1f024c3fa9fbc0e93040de61bf91b21111

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe

    Filesize

    2.6MB

    MD5

    8a5a6f7ca8bed35cb8efcc368f7af5ea

    SHA1

    6c5894f20220276f74601d4225b9a1b2fc1f9dac

    SHA256

    8f0bc24531895220d51dfd52b059a35394549755a43e581e49b0a423eb4beea6

    SHA512

    6a946ecdd4492a31156c2121e9f741c9b6f31d66578b9720bfa107a96fad5a9ae5dff60fc5c20f2d46a20b5145612daa438f318753dcaef537f01577e36b1f7a