Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/10/2024, 22:41
Static task: static1
Behavioral task: behavioral1
  Sample: 479ebbf378a872ce739b8da7ca380f1dce05ba39ee594edaee8c4fa6d2f00e25.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 479ebbf378a872ce739b8da7ca380f1dce05ba39ee594edaee8c4fa6d2f00e25.exe
  Resource: win10v2004-20241007-en
General
Target: 479ebbf378a872ce739b8da7ca380f1dce05ba39ee594edaee8c4fa6d2f00e25.exe
Size: 2.6MB
MD5: 035c85560c8af559be938c50d86e133c
SHA1: 9fb24608f1c201b3c9aca3dc9218d5f90c3e0ada
SHA256: 479ebbf378a872ce739b8da7ca380f1dce05ba39ee594edaee8c4fa6d2f00e25
SHA512: 0a6495cd0b7c2165ff8b37e3985ded95f92156fdf3fbef9138149a68f159e2ebacd79daac6e817a244ce2032380061be7b5b65b05668c4a8b9df1e86c37914ce
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBJB/bS:sxX7QnxrloE5dpUp2b
Malware Config
Signatures
Drops startup file (1 IoC)
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
  Process: 479ebbf378a872ce739b8da7ca380f1dce05ba39ee594edaee8c4fa6d2f00e25.exe

Executes dropped EXE (2 IoCs)
  pid 1544: ecabod.exe
  pid 4628: xoptiloc.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocSI\\xoptiloc.exe"
  Process: 479ebbf378a872ce739b8da7ca380f1dce05ba39ee594edaee8c4fa6d2f00e25.exe

  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidPY\\boddevsys.exe"
  Process: 479ebbf378a872ce739b8da7ca380f1dce05ba39ee594edaee8c4fa6d2f00e25.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: 479ebbf378a872ce739b8da7ca380f1dce05ba39ee594edaee8c4fa6d2f00e25.exe

  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: ecabod.exe

  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: xoptiloc.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 904: 479ebbf378a872ce739b8da7ca380f1dce05ba39ee594edaee8c4fa6d2f00e25.exe (4 occurrences)
  pid 1544: ecabod.exe (30 occurrences)
  pid 4628: xoptiloc.exe (30 occurrences)
Suspicious use of WriteProcessMemory (6 IoCs)
  description: PID 904 wrote to memory of 1544 | pid: 904 | Process: 479ebbf378a872ce739b8da7ca380f1dce05ba39ee594edaee8c4fa6d2f00e25.exe | procid_target: 88
  description: PID 904 wrote to memory of 1544 | pid: 904 | Process: 479ebbf378a872ce739b8da7ca380f1dce05ba39ee594edaee8c4fa6d2f00e25.exe | procid_target: 88
  description: PID 904 wrote to memory of 1544 | pid: 904 | Process: 479ebbf378a872ce739b8da7ca380f1dce05ba39ee594edaee8c4fa6d2f00e25.exe | procid_target: 88
  description: PID 904 wrote to memory of 4628 | pid: 904 | Process: 479ebbf378a872ce739b8da7ca380f1dce05ba39ee594edaee8c4fa6d2f00e25.exe | procid_target: 89
  description: PID 904 wrote to memory of 4628 | pid: 904 | Process: 479ebbf378a872ce739b8da7ca380f1dce05ba39ee594edaee8c4fa6d2f00e25.exe | procid_target: 89
  description: PID 904 wrote to memory of 4628 | pid: 904 | Process: 479ebbf378a872ce739b8da7ca380f1dce05ba39ee594edaee8c4fa6d2f00e25.exe | procid_target: 89
Processes
C:\Users\Admin\AppData\Local\Temp\479ebbf378a872ce739b8da7ca380f1dce05ba39ee594edaee8c4fa6d2f00e25.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\479ebbf378a872ce739b8da7ca380f1dce05ba39ee594edaee8c4fa6d2f00e25.exe"
  PID: 904
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
    PID: 1544
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

  C:\IntelprocSI\xoptiloc.exe
    command line: C:\IntelprocSI\xoptiloc.exe
    PID: 4628
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads