Analysis
max time kernel: 119s
max time network: 100s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/11/2024, 22:03
Static task: static1
Behavioral task: behavioral1
  Sample: 12ca533a8eb1932d431f3b33c4754d6c45faea4648909fdb14b7a596142bdb9aN.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: 12ca533a8eb1932d431f3b33c4754d6c45faea4648909fdb14b7a596142bdb9aN.exe
  Resource: win10v2004-20241007-en
General
Target: 12ca533a8eb1932d431f3b33c4754d6c45faea4648909fdb14b7a596142bdb9aN.exe
Size: 2.6MB
MD5: 8055643b72c2a9b72f2499e0154d2650
SHA1: 504758b0653b2aca9a11866017e694311289ded0
SHA256: 12ca533a8eb1932d431f3b33c4754d6c45faea4648909fdb14b7a596142bdb9a
SHA512: b4cca2e42cdfe0e78b40b2f580a1a4641d7fe00ce5906c80332ce4acbefe70d89b51d19834982828727eb26c002bf601c04bae9583cee9d92e0356d9207a2c02
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB7B/bS:sxX7QnxrloE5dpUpMb
Malware Config
Signatures
Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
    Process: 12ca533a8eb1932d431f3b33c4754d6c45faea4648909fdb14b7a596142bdb9aN.exe

Executes dropped EXE (2 IoCs)
  PID 2432: ecdevdob.exe
  PID 336: xoptisys.exe

Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar secrets.

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotUK\\xoptisys.exe"
    Process: 12ca533a8eb1932d431f3b33c4754d6c45faea4648909fdb14b7a596142bdb9aN.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidR1\\bodxloc.exe"
    Process: 12ca533a8eb1932d431f3b33c4754d6c45faea4648909fdb14b7a596142bdb9aN.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: xoptisys.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: 12ca533a8eb1932d431f3b33c4754d6c45faea4648909fdb14b7a596142bdb9aN.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: ecdevdob.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 3916: 12ca533a8eb1932d431f3b33c4754d6c45faea4648909fdb14b7a596142bdb9aN.exe (first 4 entries)
  PID 2432: ecdevdob.exe and PID 336: xoptisys.exe (remaining 60 entries, alternating in pairs)

Suspicious use of WriteProcessMemory (6 IoCs)
  PID 3916 (12ca533a8eb1932d431f3b33c4754d6c45faea4648909fdb14b7a596142bdb9aN.exe) wrote to memory of PID 2432, procid_target 89 (3 entries)
  PID 3916 (12ca533a8eb1932d431f3b33c4754d6c45faea4648909fdb14b7a596142bdb9aN.exe) wrote to memory of PID 336, procid_target 90 (3 entries)
Processes
[1] C:\Users\Admin\AppData\Local\Temp\12ca533a8eb1932d431f3b33c4754d6c45faea4648909fdb14b7a596142bdb9aN.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\12ca533a8eb1932d431f3b33c4754d6c45faea4648909fdb14b7a596142bdb9aN.exe"
    PID: 3916
    - Drops startup file
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
      PID: 2432
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
  [2] C:\UserDotUK\xoptisys.exe
      Command line: C:\UserDotUK\xoptisys.exe
      PID: 336
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2.6MB
MD5: 6becdc36c3794aed9c20263f8dbe7791
SHA1: 6c2a81a411de992f0c25ec7dbfa5624fef824981
SHA256: 4c74d923245ac40864f170ab7cd0ecfb1cb8124ef0def7ad10225c388f4daf1c
SHA512: 34266eb8ef96e946eb62e135c65dc4742c8202ef4a576f4cac1e2174e79118d2c5fafa77592a32ad0bdbecbadcb666c3efb3f6db155f1cc57abd8174e66ec943

Filesize: 203B
MD5: 6d1cff675db1b76e26080a27d196a27d
SHA1: 8e0b82e8c5e64c0f0d12247a08e191a8f43fef44
SHA256: 0570d9c8f07968fafcc86fa1350c8c15f316d7a9a61879956be236fc75bf2624
SHA512: 36e9be5cedb83771f322dc0a458325e3f4337f321508c8789513d12aa6af2b8e696f9bb2aaf2c74108be296e51163a72b137df2ea60e1fe5351dd5e0be66307d

Filesize: 171B
MD5: 371d2731baa9176ce83751d3d7c407f5
SHA1: 2ce89d8229f3487449cdf28abc2a1087d88fccce
SHA256: 2ee7f2fa73a95b9034592652e406cd987d9cb2d1936f02a2a94ddf66ac0a8144
SHA512: 42e0c019453396720fc3640d094234bfead106b2995eeacc90965f3b35dd28708b50f8efa581c9d4929bfdc19d08252b213a2d2f3e91b7d82187292b948ae515

Filesize: 2.6MB
MD5: 9977db21dbc1a058b2e2d12c2589178d
SHA1: c0f5ad30843918367fc9dc0c3731721265347f74
SHA256: c78c0ae53af901f6bd1fd76a2e77be8b2cbf9f8017f8cfc879d2e586ed5e9f35
SHA512: d9f1cd9f7579cf8066cabc62210b2570a35b01e99c6ad70fc30e4daaa6d600ee28729ee81b7ac1821a4b459810f8db2276a0a38e676a30d1ad9da9c1fef6e212

Filesize: 2.6MB
MD5: e9fcc5383800946079f059d203f41f2b
SHA1: 47ae2429ab11d098f35aeb3ef590496561af7263
SHA256: 7e14c280160271f5e42ef581acd17c95540a28d66ba0d1423749b6ee7c4b1094
SHA512: cd2fe8edc5765dacd9c34ca7af7e20dd450a8e9115de2258acb446802098fe6d5a6fc4a210c0891a29f8d00f5454818dff44923c889158ebc2e95ea185dfeae4

Filesize: 2.6MB
MD5: 871e915f458fee4da6ab5747003d7d04
SHA1: 712a43ce18a698457acb26087b3fce573eb4ceb5
SHA256: 2ed9ef581ba55b43b26123f5bb25bd497a139fa2d7c27eb590845da3359bc598
SHA512: 3b24f8f113c4cffbc2c5a56a649c13730fd1fc2ffaa2f885acb4c98a93c912e557df343824a6490fcbba1f73173596d912e65c754546ed03c8060594e15b785a