Analysis

  • max time kernel
    119s
  • max time network
    18s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/08/2024, 09:34

General

  • Target

    06ab4933f4afb37257e7667d54115260N.exe

  • Size

    2.6MB

  • MD5

    06ab4933f4afb37257e7667d54115260

  • SHA1

    843c38a878b7ad06753e72ec0e1e95ddfb482b2e

  • SHA256

    a704d820425de8dd10721d27ba8508def59a7b3c4ac5c60736cec431786d9fca

  • SHA512

    f097623fb69fdfa9bf6408b90b41ce22c8a5846f94ec1c50c41a2448d9a3d8ab012d75f9d832a3c312c32831e40507b100897cabaa7d569ddaa9ba7c2391be48

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBNB/bS:sxX7QnxrloE5dpUp+b

Malware Config

Signatures

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copy of, a web browser credential store.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\06ab4933f4afb37257e7667d54115260N.exe
    "C:\Users\Admin\AppData\Local\Temp\06ab4933f4afb37257e7667d54115260N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2324
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1460
    • C:\SysDrvDX\xoptiloc.exe
      C:\SysDrvDX\xoptiloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3068
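
The process tree above gives enough to write a first behavioural rule: a dropper running from the user's Temp directory that spawns executables from the Startup folder and from a directory created directly under the system drive root (C:\SysDrvDX here, with C:\MintM2 in the dropped-file list). The script below is an added example and not part of the sandbox report. It evaluates constructed process-creation events whose field names follow Sysmon Event ID 1 (Image, ParentImage); the events are made up to mirror the tree above, the parent of PID 2324 is assumed to be explorer.exe because the report does not show it, and PID 4100 is a constructed benign control. The Run key IoCs the report counts are not listed on the page, so the example does not cover them.

```python
"""Behavioural triage of process-creation events against the tree in this report.

Added example, not part of the sandbox report. Field names follow Sysmon Event ID 1
(Image, ParentImage); the events in SAMPLE_EVENTS are constructed to mirror the
report's process tree, not captured telemetry.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Directories Windows itself places at the drive root. An EXE running from any other
# directory created directly under the root (C:\SysDrvDX, C:\MintM2 in this report) is unusual.
KNOWN_ROOT_DIRS = {"windows", "program files", "program files (x86)", "programdata", "users", "perflogs"}

STARTUP_RE = re.compile(r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
# Drive letter, exactly one directory, then the executable: C:\<dir>\<name>.exe
ROOT_DIR_EXE_RE = re.compile(r"^[A-Za-z]:\\([^\\]+)\\[^\\]+\.exe$", re.I)


@dataclass
class ProcEvent:
    pid: int
    image: str          # full path of the new process
    parent_image: str   # full path of the process that created it


def classify(ev: ProcEvent) -> List[str]:
    """Return the triage tags an event earns; an empty list means nothing notable."""
    tags: List[str] = []
    if STARTUP_RE.search(ev.image):
        tags.append("exec_from_startup_folder")
    m = ROOT_DIR_EXE_RE.match(ev.image)
    if m and m.group(1).lower() not in KNOWN_ROOT_DIRS:
        tags.append("exec_from_nonstandard_root_dir")
    # Only escalate the Temp parent when the child itself looked dropped; a Temp-resident
    # installer launching a normal program is common and should stay quiet.
    if tags and TEMP_RE.search(ev.parent_image):
        tags.append("temp_parent_spawned_dropped_exe")
    return tags


def triage(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Map PID -> tags for every event that earned at least one tag."""
    hits: Dict[int, List[str]] = {}
    for ev in events:
        tags = classify(ev)
        if tags:
            hits[ev.pid] = tags
    return hits


DROPPER = r"C:\Users\Admin\AppData\Local\Temp\06ab4933f4afb37257e7667d54115260N.exe"

# Constructed events mirroring the report's tree. The parent of PID 2324 is not shown
# on the page; explorer.exe is an assumption. PID 4100 is a constructed benign control.
SAMPLE_EVENTS = [
    ProcEvent(2324, DROPPER, r"C:\Windows\explorer.exe"),
    ProcEvent(1460, r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe", DROPPER),
    ProcEvent(3068, r"C:\SysDrvDX\xoptiloc.exe", DROPPER),
    ProcEvent(4100, r"C:\Windows\notepad.exe", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for pid, tags in triage(SAMPLE_EVENTS).items():
        print(pid, ", ".join(tags))
```

The dropper itself (PID 2324) earns no tag on its own: executing from Temp is too common to alert on, so the rule keys on what it spawns. The allowlist of root directories is the part to tune per estate; anything an imaging process puts at the drive root should be added to it before the rule goes live.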

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\MintM2\boddevsys.exe

    Filesize

    2.6MB

    MD5

    286e1899230c4b996630982ec2790f87

    SHA1

    54376cee9b1f22fa50bdfb0094696733aeb66a3d

    SHA256

    2ee60b367794776b9b3851b87f52f8aaa2900f58c7b48a26ad41d6a1ed1338cb

    SHA512

    981f4d612df3403138ff57d96ac519ccb6d6ebe5678885dc7aca500c1e07b9346edc3fd06fdd6a233bd901f1321b937f35c821acb18655474730ec0daf1c6c3a

  • C:\SysDrvDX\xoptiloc.exe

    Filesize

    2.6MB

    MD5

    c2a0e31345f0cca6624c5fe85abc5571

    SHA1

    63f9ebdcf246e4c9a997222939e50402f5cf1383

    SHA256

    d497857a3f6012aa2e79ee00a2ed02dd4de8d5a9e44c1770b60884d6451e1919

    SHA512

    1042cdfa04e8cd3757c61dd3da45b00089b65ee340e140d95094547d260945bb4b5f0009a15e9d794b709751c515602a69c957488ebea502af3d7defac9db628

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    174B

    MD5

    e8fd9cb361fc1c595cf659c49b594724

    SHA1

    1767c72787b1d4ed95f76734e169962a9ef34161

    SHA256

    7c067c262e5cf4cafb43712980e3dfd51a5b6e538fe57c4649eda595a48701b6

    SHA512

    f57b46d3088536fb53345f705a6a26a1661c9d81f3bbf5898574919d7e4dc61fa8e7ef47af91196de52e16879d9db6c39f67fc7226e6f71270163954cc1ba55b

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    206B

    MD5

    fc7a2da98b7a663cad2b355d08d1d21e

    SHA1

    c0e47b213e878a21a2473f92cc3968607f866c52

    SHA256

    fb108e294ccd1ef31eba001f0ce05fbb24d3f73b0cdc6fa461a971394f8f2926

    SHA512

    eb560eebc2025f41ffb93b58f93046af034ba90357ef11f45224caa2ebf7655889f52d052bd00d0a8ce60e322a7300debeb5da8150a3b9c2bcac537aedb315fe

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe

    Filesize

    2.6MB

    MD5

    67a115e234f79512a670558585a129b9

    SHA1

    6effb2ff0c33e3c0da9837dbafd6324c019b8aa7

    SHA256

    1edfbd32b409b6bae0bbe46e10c3b9bc5264b115558887ce25af4b6f1762f5a7

    SHA512

    eca9780437acd15b004dbc6a6d05884b2c64d82c33e1226e0185f85491f33f4ae643998df6c2c448ee527a8b281d910a8209c1834ef088981b66846186679d4f
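
The hash list above is what normally gets pushed to a hunt. The script below is an added example, not part of the sandbox report: it carries the SHA256 values and dropped-file names from this page as an IoC set and sweeps a directory tree against them. The files it scans are constructed in a temporary directory (the real dropped binaries cannot be reproduced here), so to exercise the hash path it adds the stand-in file's own hash to a copy of the IoC set. Two points the report itself makes are built in: the same `.ini` path appears twice with different sizes and hashes, so a path-only indicator for it is ambiguous and both hashes are kept; and the numeric prefix in that `.ini` name looks host-specific (an assumption), so only the three EXE names are used as name indicators.

```python
"""Sweep a directory tree against the file IoCs listed in this report.

Added example, not part of the sandbox report. Hashes and dropped-file names are
transcribed from the Downloads section; the files the demo scans are constructed
in a temporary directory, since the real dropped binaries are not reproducible here.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# SHA256 -> path the file was dropped to in the sandbox (plus the submitted sample).
# SHA256 is the authoritative key; MD5 is not collision resistant, so it is not used here.
SHA256_IOCS: Dict[str, str] = {
    "a704d820425de8dd10721d27ba8508def59a7b3c4ac5c60736cec431786d9fca": "06ab4933f4afb37257e7667d54115260N.exe (submitted sample)",
    "2ee60b367794776b9b3851b87f52f8aaa2900f58c7b48a26ad41d6a1ed1338cb": r"C:\MintM2\boddevsys.exe",
    "d497857a3f6012aa2e79ee00a2ed02dd4de8d5a9e44c1770b60884d6451e1919": r"C:\SysDrvDX\xoptiloc.exe",
    "1edfbd32b409b6bae0bbe46e10c3b9bc5264b115558887ce25af4b6f1762f5a7": r"\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe",
    # The same .ini path was written twice (174B, then 206B) with different content; both hashes are needed.
    "7c067c262e5cf4cafb43712980e3dfd51a5b6e538fe57c4649eda595a48701b6": r"C:\Users\Admin\253086396416_6.1_Admin.ini",
    "fb108e294ccd1ef31eba001f0ce05fbb24d3f73b0cdc6fa461a971394f8f2926": r"C:\Users\Admin\253086396416_6.1_Admin.ini",
}

# Dropped EXE names worth matching on their own. The .ini name carries what looks like a
# host-specific numeric prefix (assumption), so it is matched by hash only.
NAME_IOCS = {"boddevsys.exe", "xoptiloc.exe", "ecdevopti.exe"}


def sha256_of(path: Path) -> str:
    """Stream the file so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root: Path, sha256_iocs=SHA256_IOCS, name_iocs=NAME_IOCS) -> List[Tuple[str, str, str]]:
    """Return (kind, scanned_path, ioc) triples; kind is 'hash' or 'name'."""
    hits: List[Tuple[str, str, str]] = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        digest = sha256_of(p)
        if digest in sha256_iocs:
            hits.append(("hash", str(p), sha256_iocs[digest]))
        if p.name.lower() in name_iocs:
            hits.append(("name", str(p), p.name.lower()))
    return hits


def demo() -> List[Tuple[str, str, str]]:
    """Constructed scenario: a renamed file only a hash catches, and a name-only hit."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        renamed = root / "sub" / "update.bin"
        renamed.parent.mkdir()
        renamed.write_bytes(b"constructed stand-in for a dropped binary")
        (root / "xoptiloc.exe").write_bytes(b"different content, same name")
        # Extend a copy of the IoC set with the stand-in's hash so the hash path runs offline.
        iocs = dict(SHA256_IOCS, **{sha256_of(renamed): "constructed stand-in"})
        return [(kind, Path(p).name, ioc) for kind, p, ioc in sweep(root, iocs)]


if __name__ == "__main__":
    for hit in demo():
        print(*hit)
```

A name hit on its own is weak evidence (the demo's `xoptiloc.exe` has unrelated content) and should trigger collection of the file for hashing, not an incident on its own; a hash hit is conclusive for the file, but a renamed or re-dropped copy will only be caught by hash, which is why the sweep hashes every file rather than only those with suspicious names.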