Analysis
max time kernel: 120s
max time network: 99s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/11/2024, 22:56
Static task: static1
Behavioral task: behavioral1
  Sample: 9a38f84baf0934882be057f989c6df5d6371da4d79af07f17dc622485f076b0aN.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 9a38f84baf0934882be057f989c6df5d6371da4d79af07f17dc622485f076b0aN.exe
  Resource: win10v2004-20241007-en
General
Target: 9a38f84baf0934882be057f989c6df5d6371da4d79af07f17dc622485f076b0aN.exe
Size: 2.6MB
MD5: 715576c05f35bc351aebaacfbc5f6b10
SHA1: 5fae5b27d815c649e98403034a213e25a5e020f8
SHA256: 9a38f84baf0934882be057f989c6df5d6371da4d79af07f17dc622485f076b0a
SHA512: 4edfdfb9e0771d120f547a9ce5ad74b3d90520f74179f49764e6ef8e44c4b1f38773476fa36b5ad880b56cb3eab2a63b216f5c9d9a408ecc9c2315a3c5840625
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB+B/bS:sxX7QnxrloE5dpUpJb
Malware Config
Signatures

Drops startup file (1 IoC)
  description   ioc                                                                                      Process
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe  9a38f84baf0934882be057f989c6df5d6371da4d79af07f17dc622485f076b0aN.exe

Executes dropped EXE (2 IoCs)
  pid   Process
  3956  ecxbod.exe
  5000  devoptisys.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                                                                  Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocP8\\devoptisys.exe"  9a38f84baf0934882be057f989c6df5d6371da4d79af07f17dc622485f076b0aN.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidXX\\optidevloc.exe"  9a38f84baf0934882be057f989c6df5d6371da4d79af07f17dc622485f076b0aN.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
  description  ioc                                                        Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ecxbod.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  devoptisys.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  9a38f84baf0934882be057f989c6df5d6371da4d79af07f17dc622485f076b0aN.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of WriteProcessMemory (6 IoCs)
  description                       pid   Process                                                                 procid_target
  PID 1448 wrote to memory of 3956  1448  9a38f84baf0934882be057f989c6df5d6371da4d79af07f17dc622485f076b0aN.exe  88
  PID 1448 wrote to memory of 3956  1448  9a38f84baf0934882be057f989c6df5d6371da4d79af07f17dc622485f076b0aN.exe  88
  PID 1448 wrote to memory of 3956  1448  9a38f84baf0934882be057f989c6df5d6371da4d79af07f17dc622485f076b0aN.exe  88
  PID 1448 wrote to memory of 5000  1448  9a38f84baf0934882be057f989c6df5d6371da4d79af07f17dc622485f076b0aN.exe  89
  PID 1448 wrote to memory of 5000  1448  9a38f84baf0934882be057f989c6df5d6371da4d79af07f17dc622485f076b0aN.exe  89
  PID 1448 wrote to memory of 5000  1448  9a38f84baf0934882be057f989c6df5d6371da4d79af07f17dc622485f076b0aN.exe  89
Processes

1. "C:\Users\Admin\AppData\Local\Temp\9a38f84baf0934882be057f989c6df5d6371da4d79af07f17dc622485f076b0aN.exe" (PID 1448)
   - Drops startup file
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe" (PID 3956)
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

   2. C:\IntelprocP8\devoptisys.exe (PID 5000)
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads