Analysis

  • max time kernel: 150s
  • max time network: 122s
  • platform: windows7_x64
  • resource: win7-20240508-en
  • resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted: 04-06-2024 00:00

General

  • Target: 8b020e35f7b5162db5230100049eab3b492627fdb9287f8e1220c731ff5abae2.exe
  • Size: 3.0MB
  • MD5: 96917c0787e219264b75c553c652ea6f
  • SHA1: 6536bbb193afbb18329ada0e26b1c53c315105c1
  • SHA256: 8b020e35f7b5162db5230100049eab3b492627fdb9287f8e1220c731ff5abae2
  • SHA512: 538edee38e254dd085278f008bfb3e0a80df76c48d28f9b93a777291bb1266fbddd31c8aa07b0840a460971d24f4c6128c240201595277a87cc184e469ac71db
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBbB/bSqz8b6LNX:sxX7QnxrloE5dpUpcbVz8eLF

Malware Config

Signatures

  • Drops startup file (1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (2 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\8b020e35f7b5162db5230100049eab3b492627fdb9287f8e1220c731ff5abae2.exe
    "C:\Users\Admin\AppData\Local\Temp\8b020e35f7b5162db5230100049eab3b492627fdb9287f8e1220c731ff5abae2.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1368
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2688
    • C:\IntelprocVT\xdobsys.exe
      C:\IntelprocVT\xdobsys.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2628

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\IntelprocVT\xdobsys.exe
    Filesize: 3.0MB
    MD5: ad0e3d1056137fd9c62e98edba914419
    SHA1: bda48f62bdd9a1abab8b6cbeda87114658d0fb20
    SHA256: 4347eb63fdf6cc0cc2b49682c80cf0722004e37281507a3b2210bcf76f771e31
    SHA512: 113df48d7bc2d83c71c135d8bb143d89514c7f09083e759113c88bbc520b0296b9817d973b4702063b64f04aacca24fed4645468cbf4f1b63fcef68faf6f271f

  • C:\MintWZ\dobdevsys.exe
    Filesize: 3.0MB
    MD5: 39c0413f90bdc9551a259545a1b88493
    SHA1: ed582c2b7ffaae55581331665fa1e8b766276f50
    SHA256: 5c8a4e88c77e2bcc25fb3b4acfac162a1bd186ac6decf1f5dab1f5d0005411d0
    SHA512: 8867bada1542d0e64674fc8e2dd7dfe540fe6b62392a13d81f28336e1db3f0640d43fba176724bc9238b22c2f6bdc272b50022e690612417ce76321c2c961071

  • C:\MintWZ\dobdevsys.exe
    Filesize: 3.0MB
    MD5: 82a7258b89015609cb9bbe06c768e456
    SHA1: 9d3ba6894141244ff69d9a4602aaea56021c8f9e
    SHA256: e413043d84ea0bda0781c26df2eae3866cae0264d4d1e2b92e2c11dc18ba3121
    SHA512: 1e97bd1f7cc97bc05087afeefe04088712687342cfb99caa2f8225a6919fe906c03bcadc8578fde673f4598b3b1d19af6efa432afed807fc9d58857d697c37e5

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 174B
    MD5: bbd46dd76f021623f249317b3260a0b8
    SHA1: 82670f5cec5b0d891751f43b98580e0f7af0e5a3
    SHA256: 7f4928d920f7adee72acb7a50c1be7f3820c8ca09762ae6d5fc390b3f388440d
    SHA512: bf4c38d70878be0962e9ef6c2096902c59c0bddb6f4725fe849d59c27c1d451583bd1bfbc2aecbb5a9e59d88088c7d1525c62183c424e0f2a74de4b38bf8f67f

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 206B
    MD5: 28dea217e6cbc210968806b8540c89ff
    SHA1: 60f9b3c6b4ff5f2f5a63725a2def966198fb6b3b
    SHA256: 93ebaee91bc47783acd2fbec021cdc013f247351f5d267b343776ec7f3765bfd
    SHA512: d2b97d0209a85939b86990a3f3e187e182d585d242946e8fc0cd5202353a70ef0e9a15a462e7d24f24b7f1f668a6a001d651073e641eb186f2f1fcd110d60628

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
    Filesize: 3.0MB
    MD5: 1a06c5028f77e05db91b9a14d44953ae
    SHA1: 8dd5b44d7a9afdd0acb2b986e0808585e3017bb3
    SHA256: dc36ef5a2fb228529ccab50f2e19bc476a419df1b513ab1acde01adb874fd041
    SHA512: db6c8cb407c88fb662becca591fd66651d9c82392cf8316aedb0852ae6af3cda299aa0891993ce1030f804e17f7cb803945a63fcc005de62f00cfb8657a2ef7f