Analysis

Max time kernel: 149s
Max time network: 123s
Platform: windows7_x64
Resource: win7-20240508-en
Resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
Submitted: 04-06-2024 00:51
Static task: static1

Behavioral task: behavioral1
  Sample: 9f158aceb284aee62542734a202e350abf2664f24156967c1e67663c2b714a11.exe
  Resource: win7-20240508-en

Behavioral task: behavioral2
  Sample: 9f158aceb284aee62542734a202e350abf2664f24156967c1e67663c2b714a11.exe
  Resource: win10v2004-20240508-en
General

Target: 9f158aceb284aee62542734a202e350abf2664f24156967c1e67663c2b714a11.exe
Size: 3.9MB
MD5: 5960c9baf8b550d272ffb4560d83213b
SHA1: 927608f67a071cb85586d5693c7e4f84532794aa
SHA256: 9f158aceb284aee62542734a202e350abf2664f24156967c1e67663c2b714a11
SHA512: a647936bf55c7c7116d6deffcf5ce0ba8ee89fdb57e5ea85456b95d915ead7419dd4356d7d1a3f26deceeae13ee97ae2bd0dbf51766cae1ab0271eab2ec190a2
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBQB/bSqz8:sxX7QnxrloE5dpUpPbVz8
Malware Config
Signatures

- Drops startup file (1 IoC)
  Process: 9f158aceb284aee62542734a202e350abf2664f24156967c1e67663c2b714a11.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe

- Executes dropped EXE (2 IoCs)
  PID 2952  ecxopti.exe
  PID 2580  devdobloc.exe

- Loads dropped DLL (2 IoCs)
  PID 2056  9f158aceb284aee62542734a202e350abf2664f24156967c1e67663c2b714a11.exe (2 entries)

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: 9f158aceb284aee62542734a202e350abf2664f24156967c1e67663c2b714a11.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe55\\devdobloc.exe"
  Set value (str): \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxV7\\bodxloc.exe"

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2056  9f158aceb284aee62542734a202e350abf2664f24156967c1e67663c2b714a11.exe
  PID 2952  ecxopti.exe
  PID 2580  devdobloc.exe
  (the 64 entries are repeated occurrences of these three process/PID pairs)

- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2056 (9f158aceb284aee62542734a202e350abf2664f24156967c1e67663c2b714a11.exe) wrote to memory of PID 2952 (ecxopti.exe): 4 identical entries
  PID 2056 (9f158aceb284aee62542734a202e350abf2664f24156967c1e67663c2b714a11.exe) wrote to memory of PID 2580 (devdobloc.exe): 4 identical entries
Processes

- C:\Users\Admin\AppData\Local\Temp\9f158aceb284aee62542734a202e350abf2664f24156967c1e67663c2b714a11.exe (depth 1, PID 2056)
  Command line: "C:\Users\Admin\AppData\Local\Temp\9f158aceb284aee62542734a202e350abf2664f24156967c1e67663c2b714a11.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe (depth 2, child of PID 2056, PID 2952)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses

  - C:\Adobe55\devdobloc.exe (depth 2, child of PID 2056, PID 2580)
    Command line: C:\Adobe55\devdobloc.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads