06a6bfe4462e59de42c4b8cc35172944c078e32c65c3e6ad5c1f03f344d1cfca

Analysis

max time kernel
120s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14/10/2024, 06:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06a6bfe4462e59de42c4b8cc35172944c078e32c65c3e6ad5c1f03f344d1cfcaN.exe
Size

2.6MB
MD5

be671e439fe8d78e3d53f488acdf2990
SHA1

c1e98eee250d1faac7d9b9c1047469ff1a1bded4
SHA256

06a6bfe4462e59de42c4b8cc35172944c078e32c65c3e6ad5c1f03f344d1cfca
SHA512

c87d75d42c2c10cd34f7085c3813b8959040f8083cd5563e3f1fce5995dd6e32df89fdccfa08c37060d986b4159ad7ad0145ec6aa8de7416d02f9784907976e8
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBaB/bS:sxX7QnxrloE5dpUp5b

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe	06a6bfe4462e59de42c4b8cc35172944c078e32c65c3e6ad5c1f03f344d1cfcaN.exe

Executes dropped EXE 2 IoCs

pid	Process
804	ecdevbod.exe
1892	xoptisys.exe

Loads dropped DLL 2 IoCs

pid	Process
1712	06a6bfe4462e59de42c4b8cc35172944c078e32c65c3e6ad5c1f03f344d1cfcaN.exe
1712	06a6bfe4462e59de42c4b8cc35172944c078e32c65c3e6ad5c1f03f344d1cfcaN.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint68\\dobdevsys.exe"	06a6bfe4462e59de42c4b8cc35172944c078e32c65c3e6ad5c1f03f344d1cfcaN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocEB\\xoptisys.exe"	06a6bfe4462e59de42c4b8cc35172944c078e32c65c3e6ad5c1f03f344d1cfcaN.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	06a6bfe4462e59de42c4b8cc35172944c078e32c65c3e6ad5c1f03f344d1cfcaN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecdevbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xoptisys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1712	06a6bfe4462e59de42c4b8cc35172944c078e32c65c3e6ad5c1f03f344d1cfcaN.exe
1712	06a6bfe4462e59de42c4b8cc35172944c078e32c65c3e6ad5c1f03f344d1cfcaN.exe
804	ecdevbod.exe
1892	xoptisys.exe
804	ecdevbod.exe
1892	xoptisys.exe
804	ecdevbod.exe
1892	xoptisys.exe
804	ecdevbod.exe
1892	xoptisys.exe
804	ecdevbod.exe
1892	xoptisys.exe
804	ecdevbod.exe
1892	xoptisys.exe
804	ecdevbod.exe
1892	xoptisys.exe
804	ecdevbod.exe
1892	xoptisys.exe
804	ecdevbod.exe
1892	xoptisys.exe
804	ecdevbod.exe
1892	xoptisys.exe
804	ecdevbod.exe
1892	xoptisys.exe
804	ecdevbod.exe
1892	xoptisys.exe
804	ecdevbod.exe
1892	xoptisys.exe
804	ecdevbod.exe
1892	xoptisys.exe
804	ecdevbod.exe
1892	xoptisys.exe
804	ecdevbod.exe
1892	xoptisys.exe
804	ecdevbod.exe
1892	xoptisys.exe
804	ecdevbod.exe
1892	xoptisys.exe
804	ecdevbod.exe
1892	xoptisys.exe
804	ecdevbod.exe
1892	xoptisys.exe
804	ecdevbod.exe
1892	xoptisys.exe
804	ecdevbod.exe
1892	xoptisys.exe
804	ecdevbod.exe
1892	xoptisys.exe
804	ecdevbod.exe
1892	xoptisys.exe
804	ecdevbod.exe
1892	xoptisys.exe
804	ecdevbod.exe
1892	xoptisys.exe
804	ecdevbod.exe
1892	xoptisys.exe
804	ecdevbod.exe
1892	xoptisys.exe
804	ecdevbod.exe
1892	xoptisys.exe
804	ecdevbod.exe
1892	xoptisys.exe
804	ecdevbod.exe
1892	xoptisys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 804	1712	06a6bfe4462e59de42c4b8cc35172944c078e32c65c3e6ad5c1f03f344d1cfcaN.exe	30
PID 1712 wrote to memory of 804	1712	06a6bfe4462e59de42c4b8cc35172944c078e32c65c3e6ad5c1f03f344d1cfcaN.exe	30
PID 1712 wrote to memory of 804	1712	06a6bfe4462e59de42c4b8cc35172944c078e32c65c3e6ad5c1f03f344d1cfcaN.exe	30
PID 1712 wrote to memory of 804	1712	06a6bfe4462e59de42c4b8cc35172944c078e32c65c3e6ad5c1f03f344d1cfcaN.exe	30
PID 1712 wrote to memory of 1892	1712	06a6bfe4462e59de42c4b8cc35172944c078e32c65c3e6ad5c1f03f344d1cfcaN.exe	31
PID 1712 wrote to memory of 1892	1712	06a6bfe4462e59de42c4b8cc35172944c078e32c65c3e6ad5c1f03f344d1cfcaN.exe	31
PID 1712 wrote to memory of 1892	1712	06a6bfe4462e59de42c4b8cc35172944c078e32c65c3e6ad5c1f03f344d1cfcaN.exe	31
PID 1712 wrote to memory of 1892	1712	06a6bfe4462e59de42c4b8cc35172944c078e32c65c3e6ad5c1f03f344d1cfcaN.exe	31

C:\Users\Admin\AppData\Local\Temp\06a6bfe4462e59de42c4b8cc35172944c078e32c65c3e6ad5c1f03f344d1cfcaN.exe
"C:\Users\Admin\AppData\Local\Temp\06a6bfe4462e59de42c4b8cc35172944c078e32c65c3e6ad5c1f03f344d1cfcaN.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:804
- C:\IntelprocEB\xoptisys.exe
  C:\IntelprocEB\xoptisys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocEB\xoptisys.exe

Filesize
2.6MB

MD5
64b993cfbbb6102a2e5a5da200cbeb46

SHA1
6ef2f0e7375eddd9f3edcc711e3afe341c08f23b

SHA256
d31fce45b64188fd3eaa2888e03eb0aaa852a07b6df6e1548164fe7b44b72097

SHA512
dfd438a534f020aa0071997c542550006b7c7155f643d6f83dd1999521cad5b581ecd64b7e9c5e3237069b65257b6b004a981c0b354b90686b2b1a9b60079215

Download Submit
C:\Mint68\dobdevsys.exe

Filesize
2.6MB

MD5
e664766cc94ebee4b7721959b5d3373b

SHA1
232cced46d6e7dce723e6fa5da3753826bd87659

SHA256
3b917b2e35e878268c14f9e1e0ed88abd353fd71638cd11745f5126d3e0b9054

SHA512
1a716e7e6e6efdb3600e19da628a06879eb1db2d6117e78b8670c56cc413c642f4a9eba63ae1c6b4e62c2282b05178925c1eee572158e5fbb2a457e4b698c752

Download Submit
C:\Mint68\dobdevsys.exe

Filesize
2.6MB

MD5
58778be421eec4c827dfc4f63c0ae86d

SHA1
a1827fea346b2103876f21686810dcd3b7cffde6

SHA256
c7a5a46551d510d84dce1d8155dd4c27e23e6d3fff11de8c980c925e35953a75

SHA512
78bb6bd59e737f4c0ea2bfe45f0fcd34d76988eeeab1ae3ebf9810df63fe3afd23e7d09a58aa7f862820dac555b45767e6d5a9ff17c25491cc424af483d72b7d

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
176B

MD5
4e250eea6d637519d06bd3ea2e364c82

SHA1
d77a819b2ceed516bda6b5d9e37bc9a1d986ba61

SHA256
c12da5c4990437f98a18cc056471a65736936f8f5c584fe43679bb075417cdfd

SHA512
ed01a5ac23af60618ad9a7562c2104c72fafaf7300a78bd1d87f408506907ff13de22bc1524bb5d4d513e60baf8bdc8d57a7f47fb06f1d97111e8fadcacfc411

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
208B

MD5
df1cf93acef6bbb50eb9363516f2b378

SHA1
7cd95835b17875e0c0e39f3aaad16f759542bc9d

SHA256
3294e26fb7c2f441575b8a567be163e0e7a4bde79cb345d93f500129c7f523f1

SHA512
d6b256a96b9e6696fed550f41cc7579ff67901bc82c4739be6b4b5d053d20b0fd94fa983843deb9bd7912d4ebea154aab8dd325a1540787ee4262fe9b787fa77

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe

Filesize
2.6MB

MD5
89b3aa555df04835cf80d5727c2fc4d1

SHA1
03acefdb63d8b0f5e18ceadc99c2c5e75ec815ab

SHA256
27a1bc29b1fe5629948d71d09829caf2389fc22ee3068d6d8bbc4aae79ba54ec

SHA512
e32c9cf8ec3756fb3409e6452513a4c7a2c37e1f40b4dd92e27361434db4fe3f9b2c946a4d250d10fc74b85c7db139b386338222c4457e9d9c5f31fc738580a3

Download Submit