Analysis
- max time kernel: 119s
- max time network: 18s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 25/08/2024, 09:34
Static task: static1
Behavioral task: behavioral1
- Sample: 06ab4933f4afb37257e7667d54115260N.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: 06ab4933f4afb37257e7667d54115260N.exe
- Resource: win10v2004-20240802-en
General
- Target: 06ab4933f4afb37257e7667d54115260N.exe
- Size: 2.6MB
- MD5: 06ab4933f4afb37257e7667d54115260
- SHA1: 843c38a878b7ad06753e72ec0e1e95ddfb482b2e
- SHA256: a704d820425de8dd10721d27ba8508def59a7b3c4ac5c60736cec431786d9fca
- SHA512: f097623fb69fdfa9bf6408b90b41ce22c8a5846f94ec1c50c41a2448d9a3d8ab012d75f9d832a3c312c32831e40507b100897cabaa7d569ddaa9ba7c2391be48
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBNB/bS:sxX7QnxrloE5dpUp+b
Malware Config
Signatures
Credentials from Password Stores: Credentials from Web Browsers (1 TTP)
  Malicious access to, or copying of, a web browser credential store.
Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe  (process: 06ab4933f4afb37257e7667d54115260N.exe)
Executes dropped EXE (2 IoCs)
  pid 1460  ecdevopti.exe
  pid 3068  xoptiloc.exe
Loads dropped DLL (2 IoCs)
  pid 2324  06ab4933f4afb37257e7667d54115260N.exe  (two loads, both by the submitted sample)
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and other profile contents.
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvDX\\xoptiloc.exe"  (process: 06ab4933f4afb37257e7667d54115260N.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintM2\\boddevsys.exe"  (process: 06ab4933f4afb37257e7667d54115260N.exe)
  Both values use the same name, Parametr, in the current user's hive. The Run value re-launches xoptiloc.exe at every logon; the RunOnce value runs boddevsys.exe once at the next logon and is then deleted by Windows. boddevsys.exe does not appear in the process tree below, so it was not executed during this run.
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: 06ab4933f4afb37257e7667d54115260N.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: ecdevopti.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: xoptiloc.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 2324  06ab4933f4afb37257e7667d54115260N.exe  (2 entries)
  pid 1460  ecdevopti.exe and pid 3068  xoptiloc.exe  (the remaining 62 entries alternate between these two dropped processes)
Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2324 (06ab4933f4afb37257e7667d54115260N.exe) wrote to memory of PID 1460 (ecdevopti.exe), procid_target 31: 4 entries
  PID 2324 (06ab4933f4afb37257e7667d54115260N.exe) wrote to memory of PID 3068 (xoptiloc.exe), procid_target 32: 4 entries
  The only memory writes recorded are from the parent into the two children it has just started, which is also what ordinary process creation looks like; on its own this signature is a weak indicator and does not show injection into a foreign process.
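The persistence and parent/child behaviours recorded above (the Startup-folder drop, the Run/RunOnce value named Parametr, and two children spawned from %TEMP%) map directly onto Sysmon events. The following is an added example of detection logic for them, not part of this report or of the sandbox's own signatures. It runs over event records constructed by hand from the report's IoCs; the Sysmon field names (EventID 1 ProcessCreate, 11 FileCreate, 13 RegistryEvent SetValue) are real, but the explorer.exe parent PID 1120 and the benign "Vendor" control entry are assumptions.

```python
"""Detection rules for the behaviours recorded in the report (Startup-folder drop,
Run/RunOnce value, children spawned from %TEMP%), over constructed Sysmon-style events.

Added example: not part of the report or of the sandbox's own signature logic. Field
names follow Sysmon's ProcessCreate (1), FileCreate (11) and RegistryEvent SetValue (13);
the records are constructed by hand from the report's IoCs. The explorer.exe parent
PID 1120 and the benign "Vendor" control entry are assumed, not taken from the report.
"""
import re
from typing import Dict, List, Optional

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\06ab4933f4afb37257e7667d54115260N.exe"
STARTUP_EXE = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
RUN_BASE = r"HKU\{}\Software\Microsoft\Windows\CurrentVersion".format(
    "S-1-5-21-940600906-3464502421-4240639183-1000")

# Constructed events mirroring the report's IoCs (not captured log lines).
EVENTS: List[Dict[str, str]] = [
    {"EventID": "1", "ProcessId": "2324", "Image": SAMPLE,
     "ParentProcessId": "1120", "ParentImage": r"C:\Windows\explorer.exe"},  # parent PID assumed
    {"EventID": "11", "ProcessId": "2324", "Image": SAMPLE, "TargetFilename": STARTUP_EXE},
    {"EventID": "13", "ProcessId": "2324", "Image": SAMPLE,
     "TargetObject": RUN_BASE + r"\Run\Parametr", "Details": r"C:\SysDrvDX\xoptiloc.exe"},
    {"EventID": "13", "ProcessId": "2324", "Image": SAMPLE,
     "TargetObject": RUN_BASE + r"\RunOnce\Parametr", "Details": r"C:\MintM2\boddevsys.exe"},
    {"EventID": "1", "ProcessId": "1460", "Image": STARTUP_EXE,
     "ParentProcessId": "2324", "ParentImage": SAMPLE},
    {"EventID": "1", "ProcessId": "3068", "Image": r"C:\SysDrvDX\xoptiloc.exe",
     "ParentProcessId": "2324", "ParentImage": SAMPLE},
    # Benign control (assumed): an installer under Program Files registering its agent must not fire.
    {"EventID": "13", "ProcessId": "4000", "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": RUN_BASE + r"\Run\VendorAgent", "Details": r"C:\Program Files\Vendor\agent.exe"},
]

# Autostart targets are expected under these roots; anything else is worth an alert.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
# Locations an unprivileged user (or a freshly downloaded dropper) can write to.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\")
STARTUP_DIR_RE = re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?\\", re.IGNORECASE)
# An .exe one directory below the drive root (C:\SysDrvDX\xoptiloc.exe) is not a normal install location.
ROOT_LEVEL_EXE_RE = re.compile(r"^[a-z]:\\[^\\]+\\[^\\]+\.exe$", re.IGNORECASE)


def in_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def rule_run_key(ev: Dict[str, str]) -> Optional[str]:
    """EventID 13: Run/RunOnce value whose target lies outside Program Files / Windows."""
    if ev["EventID"] != "13" or not RUN_KEY_RE.search(ev.get("TargetObject", "")):
        return None
    target = ev.get("Details", "").strip('"').lower()
    if target.startswith(TRUSTED_ROOTS):
        return None
    return "run_key:%s -> %s" % (ev["TargetObject"].rsplit("\\", 1)[1], ev["Details"])


def rule_startup_drop(ev: Dict[str, str]) -> Optional[str]:
    """EventID 11: an .exe written into a Startup folder by a process running from a user-writable path."""
    if ev["EventID"] != "11":
        return None
    fname = ev.get("TargetFilename", "")
    if STARTUP_DIR_RE.search(fname) and fname.lower().endswith(".exe") and in_user_writable(ev["Image"]):
        return "startup_drop:%s by pid %s" % (fname.rsplit("\\", 1)[1], ev["ProcessId"])
    return None


def rule_temp_parent(ev: Dict[str, str]) -> Optional[str]:
    """EventID 1: a parent in %TEMP%/AppData starting a child from a root-level directory or a Startup folder."""
    if ev["EventID"] != "1" or not in_user_writable(ev.get("ParentImage", "")):
        return None
    img = ev["Image"]
    if ROOT_LEVEL_EXE_RE.match(img) or STARTUP_DIR_RE.search(img):
        return "temp_parent:%s -> pid %s %s" % (ev["ParentProcessId"], ev["ProcessId"], img.rsplit("\\", 1)[1])
    return None


RULES = (rule_run_key, rule_startup_drop, rule_temp_parent)


def run_detections(events: List[Dict[str, str]]) -> List[str]:
    """Apply every rule to every event; alerts come back in event order."""
    alerts: List[str] = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts


def process_tree(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Parent PID -> child PIDs from ProcessCreate events (rebuilds the tree shown under Processes)."""
    tree: Dict[str, List[str]] = {}
    for ev in events:
        if ev["EventID"] == "1":
            tree.setdefault(ev["ParentProcessId"], []).append(ev["ProcessId"])
    return tree


if __name__ == "__main__":
    for alert in run_detections(EVENTS):
        print(alert)
    print(process_tree(EVENTS))
```

Run as-is it prints five alerts (one Startup drop, the Run and RunOnce values, and the two children spawned from %TEMP%) and the tree 2324 -> {1460, 3068}; the Vendor control entry stays silent because its target is under Program Files. The rules key on where binaries and autostart targets live rather than on the hashes or the names ecdevopti.exe, xoptiloc.exe and Parametr, so they survive a rebuilt sample with new names.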
Processes
C:\Users\Admin\AppData\Local\Temp\06ab4933f4afb37257e7667d54115260N.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\06ab4933f4afb37257e7667d54115260N.exe"
  PID: 2324
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  |
  +- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
  |    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
  |    PID: 1460
  |    - Executes dropped EXE
  |    - System Location Discovery: System Language Discovery
  |    - Suspicious behavior: EnumeratesProcesses
  |
  +- C:\SysDrvDX\xoptiloc.exe
       command line: C:\SysDrvDX\xoptiloc.exe
       PID: 3068
       - Executes dropped EXE
       - System Location Discovery: System Language Discovery
       - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.6MB
  MD5: 286e1899230c4b996630982ec2790f87
  SHA1: 54376cee9b1f22fa50bdfb0094696733aeb66a3d
  SHA256: 2ee60b367794776b9b3851b87f52f8aaa2900f58c7b48a26ad41d6a1ed1338cb
  SHA512: 981f4d612df3403138ff57d96ac519ccb6d6ebe5678885dc7aca500c1e07b9346edc3fd06fdd6a233bd901f1321b937f35c821acb18655474730ec0daf1c6c3a
- Filesize: 2.6MB
  MD5: c2a0e31345f0cca6624c5fe85abc5571
  SHA1: 63f9ebdcf246e4c9a997222939e50402f5cf1383
  SHA256: d497857a3f6012aa2e79ee00a2ed02dd4de8d5a9e44c1770b60884d6451e1919
  SHA512: 1042cdfa04e8cd3757c61dd3da45b00089b65ee340e140d95094547d260945bb4b5f0009a15e9d794b709751c515602a69c957488ebea502af3d7defac9db628
- Filesize: 174B
  MD5: e8fd9cb361fc1c595cf659c49b594724
  SHA1: 1767c72787b1d4ed95f76734e169962a9ef34161
  SHA256: 7c067c262e5cf4cafb43712980e3dfd51a5b6e538fe57c4649eda595a48701b6
  SHA512: f57b46d3088536fb53345f705a6a26a1661c9d81f3bbf5898574919d7e4dc61fa8e7ef47af91196de52e16879d9db6c39f67fc7226e6f71270163954cc1ba55b
- Filesize: 206B
  MD5: fc7a2da98b7a663cad2b355d08d1d21e
  SHA1: c0e47b213e878a21a2473f92cc3968607f866c52
  SHA256: fb108e294ccd1ef31eba001f0ce05fbb24d3f73b0cdc6fa461a971394f8f2926
  SHA512: eb560eebc2025f41ffb93b58f93046af034ba90357ef11f45224caa2ebf7655889f52d052bd00d0a8ce60e322a7300debeb5da8150a3b9c2bcac537aedb315fe
- Filesize: 2.6MB
  MD5: 67a115e234f79512a670558585a129b9
  SHA1: 6effb2ff0c33e3c0da9837dbafd6324c019b8aa7
  SHA256: 1edfbd32b409b6bae0bbe46e10c3b9bc5264b115558887ce25af4b6f1762f5a7
  SHA512: eca9780437acd15b004dbc6a6d05884b2c64d82c33e1226e0185f85491f33f4ae643998df6c2c448ee527a8b281d910a8209c1834ef088981b66846186679d4f

None of the three 2.6MB artifacts shares a hash with the submitted sample (MD5 06ab4933f4afb37257e7667d54115260), so the dropped executables are not byte-identical copies of it, and a hash-only blocklist built from the sample alone would miss them. The report does not say which artifact corresponds to which dropped file.