132211d94586d0081306191e57ffc8c74ebcf7509b530ed1eb981c52d9693793

Analysis

max time kernel
119s
max time network
16s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
13-10-2024 10:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

132211d94586d0081306191e57ffc8c74ebcf7509b530ed1eb981c52d9693793N.exe
Size

2.6MB
MD5

74a102b9d9ec95b542cec341bfc44ec0
SHA1

ecf05f58be9f1816b6f6437cb4a3160d3ff20200
SHA256

132211d94586d0081306191e57ffc8c74ebcf7509b530ed1eb981c52d9693793
SHA512

c3acc23063e4f8a0e2cefd161e270d44162221e91bbd583c14c9ed2ec49ed4606a0dcff92d569d8e6a4fc4a2cb4118510923d325701313eec55639e45d709a24
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBdB/bS:sxX7QnxrloE5dpUpyb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe	132211d94586d0081306191e57ffc8c74ebcf7509b530ed1eb981c52d9693793N.exe

Executes dropped EXE 2 IoCs

pid	Process
3028	ecdevdob.exe
2408	xoptiec.exe

Loads dropped DLL 2 IoCs

pid	Process
2484	132211d94586d0081306191e57ffc8c74ebcf7509b530ed1eb981c52d9693793N.exe
2484	132211d94586d0081306191e57ffc8c74ebcf7509b530ed1eb981c52d9693793N.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotHQ\\xoptiec.exe"	132211d94586d0081306191e57ffc8c74ebcf7509b530ed1eb981c52d9693793N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZM3\\boddevloc.exe"	132211d94586d0081306191e57ffc8c74ebcf7509b530ed1eb981c52d9693793N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	132211d94586d0081306191e57ffc8c74ebcf7509b530ed1eb981c52d9693793N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecdevdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xoptiec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2484	132211d94586d0081306191e57ffc8c74ebcf7509b530ed1eb981c52d9693793N.exe
2484	132211d94586d0081306191e57ffc8c74ebcf7509b530ed1eb981c52d9693793N.exe
3028	ecdevdob.exe
2408	xoptiec.exe
3028	ecdevdob.exe
2408	xoptiec.exe
3028	ecdevdob.exe
2408	xoptiec.exe
3028	ecdevdob.exe
2408	xoptiec.exe
3028	ecdevdob.exe
2408	xoptiec.exe
3028	ecdevdob.exe
2408	xoptiec.exe
3028	ecdevdob.exe
2408	xoptiec.exe
3028	ecdevdob.exe
2408	xoptiec.exe
3028	ecdevdob.exe
2408	xoptiec.exe
3028	ecdevdob.exe
2408	xoptiec.exe
3028	ecdevdob.exe
2408	xoptiec.exe
3028	ecdevdob.exe
2408	xoptiec.exe
3028	ecdevdob.exe
2408	xoptiec.exe
3028	ecdevdob.exe
2408	xoptiec.exe
3028	ecdevdob.exe
2408	xoptiec.exe
3028	ecdevdob.exe
2408	xoptiec.exe
3028	ecdevdob.exe
2408	xoptiec.exe
3028	ecdevdob.exe
2408	xoptiec.exe
3028	ecdevdob.exe
2408	xoptiec.exe
3028	ecdevdob.exe
2408	xoptiec.exe
3028	ecdevdob.exe
2408	xoptiec.exe
3028	ecdevdob.exe
2408	xoptiec.exe
3028	ecdevdob.exe
2408	xoptiec.exe
3028	ecdevdob.exe
2408	xoptiec.exe
3028	ecdevdob.exe
2408	xoptiec.exe
3028	ecdevdob.exe
2408	xoptiec.exe
3028	ecdevdob.exe
2408	xoptiec.exe
3028	ecdevdob.exe
2408	xoptiec.exe
3028	ecdevdob.exe
2408	xoptiec.exe
3028	ecdevdob.exe
2408	xoptiec.exe
3028	ecdevdob.exe
2408	xoptiec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 3028	2484	132211d94586d0081306191e57ffc8c74ebcf7509b530ed1eb981c52d9693793N.exe	31
PID 2484 wrote to memory of 3028	2484	132211d94586d0081306191e57ffc8c74ebcf7509b530ed1eb981c52d9693793N.exe	31
PID 2484 wrote to memory of 3028	2484	132211d94586d0081306191e57ffc8c74ebcf7509b530ed1eb981c52d9693793N.exe	31
PID 2484 wrote to memory of 3028	2484	132211d94586d0081306191e57ffc8c74ebcf7509b530ed1eb981c52d9693793N.exe	31
PID 2484 wrote to memory of 2408	2484	132211d94586d0081306191e57ffc8c74ebcf7509b530ed1eb981c52d9693793N.exe	32
PID 2484 wrote to memory of 2408	2484	132211d94586d0081306191e57ffc8c74ebcf7509b530ed1eb981c52d9693793N.exe	32
PID 2484 wrote to memory of 2408	2484	132211d94586d0081306191e57ffc8c74ebcf7509b530ed1eb981c52d9693793N.exe	32
PID 2484 wrote to memory of 2408	2484	132211d94586d0081306191e57ffc8c74ebcf7509b530ed1eb981c52d9693793N.exe	32

C:\Users\Admin\AppData\Local\Temp\132211d94586d0081306191e57ffc8c74ebcf7509b530ed1eb981c52d9693793N.exe
"C:\Users\Admin\AppData\Local\Temp\132211d94586d0081306191e57ffc8c74ebcf7509b530ed1eb981c52d9693793N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3028
- C:\UserDotHQ\xoptiec.exe
  C:\UserDotHQ\xoptiec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZM3\boddevloc.exe

Filesize
2.6MB

MD5
67d30d800f70c6fcc6cf381ee6d41c49

SHA1
5abb4f1500fbba8209b375a323bc6da4c653c192

SHA256
5bd33ed8dab0a4f8c4b23bc7625d9fc0f29774234acc1e27a139a814352a314c

SHA512
2a503520dae73c6abb697b55ffec9a578fa12add5baca24c74cd70223e62cba5b5d8b5c91a3cd4e697817fec85996f03430cfcaa01ebd10ba1d3a92a6b92f0c8

Download Submit
C:\LabZM3\boddevloc.exe

Filesize
2.6MB

MD5
01d0e015a4e05a1c9bc099ccc25419fa

SHA1
51090f81c44a6b453183a8b5c60fa08a6d40bf72

SHA256
f64cfac561f5e2edbaea4f52d73d81feb6ac4f46d8314967154be7a11f453497

SHA512
741cbe46564c8d34e9e4118d2cc9318f7c9da8c3e1d9b637abeed93ed8213b0d942b19688ef68b93cecc6a6c1798827df95844a2affe4a382106bc0019815b76

Download Submit
C:\UserDotHQ\xoptiec.exe

Filesize
59KB

MD5
c681406f0206ff6f39faae542685ca02

SHA1
17194a6e44c30508ab4b5584051495254faf1164

SHA256
2bd598777819ffc71cfc165de225f85fa08a8fb094956522458ba030d8043d34

SHA512
5907c2cdf30e397fcdb8d015b8ec0f14f4f27225dc83a2ccd23ac9b1fbee434243c8df0ff5ab840c9b7673d64fecac4ef327aed7ff9a61e9fba7de0cc66fad9c

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
173B

MD5
8bdba7b194c6dccd51f8e4b27e0d5906

SHA1
4820e2b3bcdcb83f0e5267d563d2342d2f9c03f8

SHA256
9d0164a02ac51b0553340dc4be41071239e9f620484e96d013445c57f55a8ade

SHA512
af7e62d5dadced4fcbc8c3f6ff88fb9d6ff4d46c892714fcb07408696d855443a56db5727708d47c67c5f7d855d31a9442db64a2e386cd1fbe285dda0021110f

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
205B

MD5
e681c6ff58aba7cc6988445ecaebacc5

SHA1
3d6d3f6da39fbf6274d2fb5ddfb1d9e8f39a0109

SHA256
93c1156cdc934b1d1204ef52ce927c6d8046689ad144de1d9d34ec6a1b475252

SHA512
58933f0e2094f2b56d5b566a77748b8ac3be8be6e84300e01878d620474d8f1122eee0007177bb6a529356620b6a247eef76d13df173babfa552a9746ba50f4b

Download Submit
\UserDotHQ\xoptiec.exe

Filesize
2.6MB

MD5
a921d0e037fa919c7d7aec3434ef748b

SHA1
655193b99eeef99d5295710c9e297a5c0aed267d

SHA256
3cb292f6a57209d6354731bbc9956ce1a997f4f885e700663f8c0f414e818343

SHA512
175e75c41dcacc8c348132b652e933aead753924a9d3fea1ed0b474deb1e928d388ec95030cfc856e7611186f38594835e6cf98fa8de50cdf63dc5538f39151a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe

Filesize
2.6MB

MD5
7038a5c35cd88f78ce45a8c743b8b538

SHA1
bef4e0ccedba57028010ba1d48bd4df6830531ff

SHA256
5d92a77d40128da248d9602f8aecc177acad9f7ecc8654e4307a1f87508ed46d

SHA512
d46f8ecb34b3fe3d6e8b4d0482f0cdd90a3ec23e7f4346f1481ffd6f39c528adbbd3ace6a5df343127e875cdf595401b64043127fa82147ad6d4b93ad5cbf08a

Download Submit