Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
27/10/2024, 22:41
Static task
static1
Behavioral task
behavioral1
Sample
479ebbf378a872ce739b8da7ca380f1dce05ba39ee594edaee8c4fa6d2f00e25.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
479ebbf378a872ce739b8da7ca380f1dce05ba39ee594edaee8c4fa6d2f00e25.exe
Resource
win10v2004-20241007-en
General
-
Target
479ebbf378a872ce739b8da7ca380f1dce05ba39ee594edaee8c4fa6d2f00e25.exe
-
Size
2.6MB
-
MD5
035c85560c8af559be938c50d86e133c
-
SHA1
9fb24608f1c201b3c9aca3dc9218d5f90c3e0ada
-
SHA256
479ebbf378a872ce739b8da7ca380f1dce05ba39ee594edaee8c4fa6d2f00e25
-
SHA512
0a6495cd0b7c2165ff8b37e3985ded95f92156fdf3fbef9138149a68f159e2ebacd79daac6e817a244ce2032380061be7b5b65b05668c4a8b9df1e86c37914ce
-
SSDEEP
49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBJB/bS:sxX7QnxrloE5dpUp2b
Malware Config
Signatures
-
Drops startup file 1 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | 479ebbf378a872ce739b8da7ca380f1dce05ba39ee594edaee8c4fa6d2f00e25.exe
Executes dropped EXE 2 IoCs
pid | Process
2712 | locdevopti.exe
2908 | devoptisys.exe
Loads dropped DLL 2 IoCs
pid | Process
1992 | 479ebbf378a872ce739b8da7ca380f1dce05ba39ee594edaee8c4fa6d2f00e25.exe
1992 | 479ebbf378a872ce739b8da7ca380f1dce05ba39ee594edaee8c4fa6d2f00e25.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe4B\\devoptisys.exe" | 479ebbf378a872ce739b8da7ca380f1dce05ba39ee594edaee8c4fa6d2f00e25.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxQF\\optidevloc.exe" | 479ebbf378a872ce739b8da7ca380f1dce05ba39ee594edaee8c4fa6d2f00e25.exe
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 479ebbf378a872ce739b8da7ca380f1dce05ba39ee594edaee8c4fa6d2f00e25.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | locdevopti.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | devoptisys.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
1992 | 479ebbf378a872ce739b8da7ca380f1dce05ba39ee594edaee8c4fa6d2f00e25.exe (2 entries)
2712 | locdevopti.exe
2908 | devoptisys.exe
(the remaining 62 of the 64 entries are the 2712 / 2908 pair above, repeated alternately)
Suspicious use of WriteProcessMemory 8 IoCs
description | pid | Process | procid_target
PID 1992 wrote to memory of 2712 | 1992 | 479ebbf378a872ce739b8da7ca380f1dce05ba39ee594edaee8c4fa6d2f00e25.exe | 30 (4 identical entries)
PID 1992 wrote to memory of 2908 | 1992 | 479ebbf378a872ce739b8da7ca380f1dce05ba39ee594edaee8c4fa6d2f00e25.exe | 31 (4 identical entries)
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\479ebbf378a872ce739b8da7ca380f1dce05ba39ee594edaee8c4fa6d2f00e25.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\479ebbf378a872ce739b8da7ca380f1dce05ba39ee594edaee8c4fa6d2f00e25.exe"
   PID: 1992
   - Drops startup file
   - Loads dropped DLL
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe (child of PID 1992)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
      PID: 2712
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
   2. C:\Adobe4B\devoptisys.exe (child of PID 1992)
      Command line: C:\Adobe4B\devoptisys.exe
      PID: 2908
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
-
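The two persistence mechanisms this report records (a Run and a RunOnce value named Parametr pointing at C:\Adobe4B\devoptisys.exe and C:\GalaxQF\optidevloc.exe, and locdevopti.exe written into the user's Startup folder) are the indicators a host-based hunt should key on. What follows is an added example, not part of the tria.ge report or of the sample: a small Python hunt that applies those IoCs, plus a generic heuristic for autorun entries outside the Windows and Program Files trees, to Sysmon-style Event ID 13 (registry value set) and Event ID 11 (file create) records. The event records, their field layout and the heuristic are assumptions; the paths, value name and SID are taken from the report.

```python
"""Hunt for this report's persistence IoCs in Sysmon-style event records.

Added example; it is not part of the tria.ge report or of the sample.
Field names follow Sysmon Event ID 13 (RegistryEvent, value set) and
Event ID 11 (FileCreate). The records in EVENTS are constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional

# IoCs copied from the report's "Adds Run key" and "Drops startup file" rows.
RUN_VALUE_NAME = "Parametr"
RUN_TARGETS = {r"c:\adobe4b\devoptisys.exe", r"c:\galaxqf\optidevloc.exe"}
STARTUP_DROP = "locdevopti.exe"

# Tail of HKU\<SID>\...\Run\<value> (Sysmon form) or
# \REGISTRY\USER\<SID>\...\RunOnce\<value> (tria.ge form).
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\([^\\]+)$",
    re.IGNORECASE)
STARTUP_DIR_RE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\([^\\]+)$",
    re.IGNORECASE)
EXEC_EXT = (".exe", ".dll", ".scr", ".bat", ".cmd", ".vbs", ".js", ".lnk")
# Heuristic (an assumption, not from the report): autorun targets outside
# these trees deserve a look even when no known IoC matches.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files")


@dataclass
class Hit:
    rule: str
    severity: str
    detail: str
    process: str


def _normalize_path(value: str) -> str:
    """Collapse tria.ge's escaped backslashes and surrounding quotes so one
    comparison works on both report strings and raw Sysmon Details."""
    return value.replace("\\\\", "\\").strip().strip('"').lower()


def check_registry_set(rec: dict) -> Optional[Hit]:
    """EID 13: flag Run/RunOnce values matching the report or pointing into
    user-writable locations."""
    m = RUN_KEY_RE.search(rec.get("TargetObject", ""))
    if not m:
        return None
    key, name = m.groups()
    target = _normalize_path(rec.get("Details", ""))
    where = f"{key}\\{name} = {target}"
    if name == RUN_VALUE_NAME or target in RUN_TARGETS:
        return Hit("run-key-known-ioc", "high", where, rec["Image"])
    if not target.startswith(TRUSTED_PREFIXES):
        return Hit("run-key-user-writable-path", "medium", where, rec["Image"])
    return None


def check_file_create(rec: dict) -> Optional[Hit]:
    """EID 11: flag executables written to the per-user Startup folder."""
    m = STARTUP_DIR_RE.search(rec.get("TargetFilename", ""))
    if not m:
        return None
    fname = m.group(1)
    if fname.lower() == STARTUP_DROP:
        return Hit("startup-folder-known-ioc", "high", fname, rec["Image"])
    if fname.lower().endswith(EXEC_EXT):
        return Hit("startup-folder-executable", "medium", fname, rec["Image"])
    return None


def hunt(records: list) -> list:
    """Run both checks over event dicts and return the hits in input order."""
    hits = []
    for rec in records:
        hit = None
        if rec.get("EventID") == 13:
            hit = check_registry_set(rec)
        elif rec.get("EventID") == 11:
            hit = check_file_create(rec)
        if hit is not None:
            hits.append(hit)
    return hits


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\479ebbf378a872ce739b8da7ca380f1dce05ba39ee594edaee8c4fa6d2f00e25.exe")
HKU = r"HKU\S-1-5-21-3533259084-2542256011-65585152-1000"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

# Constructed events: the three persistence actions the report records, a
# benign system autorun, a benign non-executable Startup file, and an
# AppData autorun that only the heuristic should catch.
EVENTS = [
    {"EventID": 13, "Image": SAMPLE,
     "TargetObject": HKU + r"\Software\Microsoft\Windows\CurrentVersion\Run\Parametr",
     "Details": r"C:\\Adobe4B\\devoptisys.exe"},
    {"EventID": 13, "Image": SAMPLE,
     "TargetObject": HKU + r"\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr",
     "Details": r"C:\\GalaxQF\\optidevloc.exe"},
    {"EventID": 11, "Image": SAMPLE, "TargetFilename": STARTUP + r"\locdevopti.exe"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": HKU + r"\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "Details": r"C:\Windows\system32\SecurityHealthSystray.exe"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe", "TargetFilename": STARTUP + r"\desktop.ini"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": HKU + r"\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r'"C:\Users\Admin\AppData\Local\Updater\updater.exe" /silent'},
]

if __name__ == "__main__":
    for h in hunt(EVENTS):
        print(f"[{h.severity}] {h.rule}: {h.detail} (set by {h.process})")
```

Note that the RunOnce target C:\GalaxQF\optidevloc.exe never appears in the process tree of this run; a hunt keyed only on executed processes would miss it, which is why the registry value itself is the indicator to match on. The "medium" heuristic will also fire on legitimate per-user installers that register themselves from AppData, so treat those hits as triage leads rather than verdicts.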
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2.6MB
MD5
765d7fd38dae4b678e9739774dccd5a9
SHA1
7927957224b1808bb95ae61a376e4290f5c51542
SHA256
49979c354bfb76982060d8a08bb6dcc2b770a0a4557b75ba13a23d5fd86a827a
SHA512
cbca945d7495050880a97f9312780501c2c5c1fb1044ebe6f004291f0dfdd6977fbb2ce4c821b45c45880a27d718ca74116dd8d3e64c7d7e8e9d5471e9516c15
-
Filesize
2.6MB
MD5
2ade6bcb611e62bd919afe5dd7b189fc
SHA1
1deb37d54da074be0643079627c7c01dc59647aa
SHA256
ec30b070b09169a1284f775dae13e998864c6f97e4f3c4c41616996611d34973
SHA512
fc2de3e405e967dac49e27dfcaa84fbf1eb56ffad997cbe97c1f9e686fa2b6de1823b7809310d225a227d96acf90796d9faa864fd847c8af71fecf9b3b59b923
-
Filesize
2.6MB
MD5
c82b9d4b89c813e26710d004d0beb780
SHA1
6af8e77a166876419e46641c197a7ed61a7ffc06
SHA256
fba6a53910b1afef0b8f8963676bb75edfb1559d167225d473eb42abef957355
SHA512
e4b12f804818a82198adb388ef69722f1d0f96c8fe4e4b4bd7c86b91ad4f8031cdc2d7cd0853a73f03740e58d0a46ace851e4c807a46e8da4e8e03b6d6de01c1
-
Filesize
178B
MD5
a59372e5223fef88832a9f2e239e9918
SHA1
ebdfdfd57153aa68c236a69819fc7003835ff093
SHA256
05e03bf3f3072ad2c0ebd7b32b2cd1baf905f50becef61f10ac8ffab92200352
SHA512
9f695fbfb619a3312b9590327fe926c7674ebba3efab1bb2c7f2b5cb2a894e4ff976568fd5b52cfeb6a2b3f0e6ad01c3a7b9ca47f29d109d33fa7a777adcd49b
-
Filesize
210B
MD5
422eca694fe480ab695db9bc9aa0e206
SHA1
8d551359f5a9b355f67524754463c155531a3ca5
SHA256
b8ccebadaeae7789abd667117e20c054724d087a330c0d4d719546b1aa5b01df
SHA512
fa5e91dbc0f297773a2863d2de470919978ae0e25292a363c4164924d77177a85d609675c54acc62adc822a06db33ef201f7c69d476b1a053f20a51955f04ccb
-
Filesize
2.6MB
MD5
787397178b2f56995e45778a5954f4ea
SHA1
385d61038a10f2c2ccecee73c00c8ac8e149d3de
SHA256
e380324c51400ff27ad8f23fd5efbbca8b58b55f7f07b1f696412a881a0022e9
SHA512
ae45201522929308bae4487dc4357e72a39f2b14f521d3be80d993380fb8f5a590d58f58e74b765884b308e1b8f10336d04f100e1333fd7423341ce23a2a0e2d