
Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27/10/2024, 22:41

General

  • Target

    479ebbf378a872ce739b8da7ca380f1dce05ba39ee594edaee8c4fa6d2f00e25.exe

  • Size

    2.6MB

  • MD5

    035c85560c8af559be938c50d86e133c

  • SHA1

    9fb24608f1c201b3c9aca3dc9218d5f90c3e0ada

  • SHA256

    479ebbf378a872ce739b8da7ca380f1dce05ba39ee594edaee8c4fa6d2f00e25

  • SHA512

    0a6495cd0b7c2165ff8b37e3985ded95f92156fdf3fbef9138149a68f159e2ebacd79daac6e817a244ce2032380061be7b5b65b05668c4a8b9df1e86c37914ce

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBJB/bS:sxX7QnxrloE5dpUp2b

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\479ebbf378a872ce739b8da7ca380f1dce05ba39ee594edaee8c4fa6d2f00e25.exe
    "C:\Users\Admin\AppData\Local\Temp\479ebbf378a872ce739b8da7ca380f1dce05ba39ee594edaee8c4fa6d2f00e25.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:904
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1544
    • C:\IntelprocSI\xoptiloc.exe
      C:\IntelprocSI\xoptiloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4628

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\IntelprocSI\xoptiloc.exe

    Filesize

    2.1MB

    MD5

    b56f9d07f4c9fb3754ddf88108663214

    SHA1

    360e04f68ba5da5cbe38954dd6cb56f1554f3fde

    SHA256

    0670f68791e51281df887008d31e211a8d4ac71533b6e6955e4816ab651ac12e

    SHA512

    b8f01b363afd87072a63a30ddf3a11685fbd1cdece93fa96f22f7a2cd59246e292161fa178841d3303c9e3f70f02ebaeabe09858e06d44ffdd9e187482f68b71

  • C:\IntelprocSI\xoptiloc.exe

    Filesize

    2.6MB

    MD5

    e4eb3841ba70669aa886724e21e02e3f

    SHA1

    056b186437d71f6510b86269d66de26d5cb052cf

    SHA256

    fa4323e524d334ac1c942e62dcf13d44648eed98b28730b57164f26379dee77c

    SHA512

    39d29c4af26d7b4a50b3cb4b790436e56b932f449d84abee7ae13da5ac5b1ab3c5e77d99ed9cb8dc3f11204ce24db96434a8a8349888688644ea586b40706bc8

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    205B

    MD5

    38c20db17c1abae201930452dc5dabb7

    SHA1

    c754b208ed9faaba01e0dd147648123000fe8016

    SHA256

    95bd2ed2a0bb1138b66fe44340fd0b0e0a6eae7bd5011e178958992c2d11fb1d

    SHA512

    a272ae6c270e75d24e670c84e5d1f0311231bc2d5b73ecbdb60093a1b53d5e24e1a5220aaf90320502ce9d9519c93cfbbbe2e98f9c4c484c3f65e18443878773

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    173B

    MD5

    810954374509b7f03e8f521aa4f8a234

    SHA1

    ff83e8660286e2e511dc991922b473a8e535a5f2

    SHA256

    359c57240bcbcbf18e82fcfd728cadb4b0ed047770181159fe154d1227f6a246

    SHA512

    3806e4c347af4f8ee1b9c8e09d71f6a99d8018417c459ff9bf466ce97adc05caee1f4d911569c52cf506fbb2090a98b611277e79a1e9a18a636cb9cd869358e2

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe

    Filesize

    2.6MB

    MD5

    c85347494c2cd0d80f42176ca20f0988

    SHA1

    6f2c23879877867e1755a02cfbe9cb6403abba18

    SHA256

    54c8a0e6c982c187123fefb5416b6c7e94203df41030cf536d86ef365ec00a0d

    SHA512

    48fbe6e294fbb698aeb2ba6d6f5787c574840deba57823db45bc66527be0dcc8c268ffce1612a45ba4776d2ece9db6226f1f0fc8ad0c994b30e8e349b611718c

  • C:\VidPY\boddevsys.exe

    Filesize

    2.5MB

    MD5

    77d29b019f71378b15caf2f7c745cc54

    SHA1

    45d2a146ba50366c7816d449fce2484861a1e1cc

    SHA256

    e21be902820b19c0c4de53cd2d3702aae766faf51501d8bd7aae2a8fad63e7aa

    SHA512

    552ac2f96f94cea1e1ea6a429f525148d8404b51203cb2c4fd5f44e01dd00d85a6015379bbd37df2c309230bf5fbf8ca77b2f43024d8b77da93b8667047805e2

  • C:\VidPY\boddevsys.exe

    Filesize

    478KB

    MD5

    c63848866215c225285289a4cb925349

    SHA1

    bd26bbc7d160701fcf45dee8dc11b80cd9186713

    SHA256

    8992a1157d52cb4f87d8ee6b7998c43073ee7110f2f281aca02c7acc65079e56

    SHA512

    80389b91ac41fc1310549fb5d55adc501cfa75f518c4de240687cae09dacfec5fa590fdf2657c214a5b7bd3088754692240eb4e02d879a8b7ca748c486391f74
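The following PowerShell sweep is an added example; it is not part of the Triage report and not the sample's own code. It checks a host for the artifacts recorded above: the Startup-folder drop and Run key persistence from the Signatures and Processes sections, the drop directories C:\IntelprocSI and C:\VidPY, the processes launched from those locations, and the SHA256 values from the Downloads section (the report lists two different hashes for xoptiloc.exe and for boddevsys.exe, so both are included). The Run key value name and data, and the glob used for the 253086396416_10.0_Admin.ini config file, are not recorded in the report and are assumptions. Run it in an elevated session so HKLM and other users' loaded hives are readable.

```powershell
# Added example (not from the Triage report or the sample): sweep a Windows host
# for the artifacts this report records. Run elevated so HKLM and every loaded
# user hive under HKEY_USERS are readable.

# SHA256 values copied from the Downloads section. Both hashes of xoptiloc.exe and
# boddevsys.exe are kept because the report lists two versions of each file.
$KnownHashes = @{
    '479EBBF378A872CE739B8DA7CA380F1DCE05BA39EE594EDAEE8C4FA6D2F00E25' = 'original sample (Target)'
    '0670F68791E51281DF887008D31E211A8D4AC71533B6E6955E4816AB651AC12E' = 'C:\IntelprocSI\xoptiloc.exe (2.1MB)'
    'FA4323E524D334AC1C942E62DCF13D44648EED98B28730B57164F26379DEE77C' = 'C:\IntelprocSI\xoptiloc.exe (2.6MB)'
    '54C8A0E6C982C187123FEFB5416B6C7E94203DF41030CF536D86EF365EC00A0D' = 'Startup\ecabod.exe'
    'E21BE902820B19C0C4DE53CD2D3702AAE766FAF51501D8BD7AAE2A8FAD63E7AA' = 'C:\VidPY\boddevsys.exe (2.5MB)'
    '8992A1157D52CB4F87D8EE6B7998C43073EE7110F2F281ACA02C7ACC65079E56' = 'C:\VidPY\boddevsys.exe (478KB)'
}

# Locations the sample wrote to (Processes and Downloads sections). Any executable
# found here is worth a look even when its hash differs from the report.
$ArtifactGlobs = @(
    'C:\IntelprocSI\*.exe',
    'C:\VidPY\*.exe',
    "$env:SystemDrive\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.exe",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\*.exe",
    # Assumption: the config name 253086396416_10.0_Admin.ini is taken to follow
    # <digits>_10.0_<user>.ini; the report shows only this one instance.
    "$env:SystemDrive\Users\*\*_10.0_*.ini"
)

function Find-DroppedArtifacts {
    foreach ($glob in $ArtifactGlobs) {
        Get-ChildItem -Path $glob -File -ErrorAction SilentlyContinue | ForEach-Object {
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            $match = 'no hash match'
            if ($KnownHashes.ContainsKey($hash)) { $match = $KnownHashes[$hash] }
            [pscustomobject]@{ Path = $_.FullName; Bytes = $_.Length; SHA256 = $hash; Match = $match }
        }
    }
}

function Find-RunKeyPersistence {
    # The report records "Adds Run key" but not the value name or data, so every
    # Run value whose data points at a dropped path or a Startup folder is flagged.
    $keys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    )
    # HKCU covers only the current user; HKEY_USERS covers every loaded profile hive.
    $keys += Get-ChildItem -Path Registry::HKEY_USERS -ErrorAction SilentlyContinue |
        ForEach-Object { "Registry::$($_.Name)\Software\Microsoft\Windows\CurrentVersion\Run" }

    foreach ($key in $keys) {
        if (-not (Test-Path -Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($prop in $values.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # PSPath, PSParentPath etc. are not registry values
            $data = [string]$prop.Value
            if ($data -match 'IntelprocSI|VidPY|\\Startup\\') {
                [pscustomobject]@{ Key = $key; Name = $prop.Name; Data = $data }
            }
        }
    }
}

function Find-RunningArtifacts {
    # Live processes started from the same locations (PIDs 1544 and 4628 in the report tree).
    Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.Path -and $_.Path -match '\\(IntelprocSI|VidPY|Startup)\\' } |
        Select-Object Id, ProcessName, Path
}

Write-Output '== Files in dropped/startup locations =='
Find-DroppedArtifacts | Format-Table -AutoSize
Write-Output '== Run key values pointing at those locations =='
Find-RunKeyPersistence | Format-Table -AutoSize
Write-Output '== Running processes from those locations =='
Find-RunningArtifacts | Format-Table -AutoSize
```

A file in C:\IntelprocSI or C:\VidPY that does not match any listed hash is still a finding: neither directory is a standard Windows location, and the report itself shows the same path carrying two different hashes, so hash-only matching would miss a repacked build.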