Analysis
max time kernel: 120s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/11/2024, 23:00
Static task: static1
Behavioral task: behavioral1
  Sample: 7b5267179d43473cb3cc88e2e9af0f45a0548cb3a257e744414952d7bcd987a7N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 7b5267179d43473cb3cc88e2e9af0f45a0548cb3a257e744414952d7bcd987a7N.exe
  Resource: win10v2004-20241007-en
General
Target: 7b5267179d43473cb3cc88e2e9af0f45a0548cb3a257e744414952d7bcd987a7N.exe
Size: 2.6MB
MD5: fdb38d8db9bd212ceab717e00ee9ddf0
SHA1: 7115ab3cb67e1ffec271db2ed420e53accf2f8ff
SHA256: 7b5267179d43473cb3cc88e2e9af0f45a0548cb3a257e744414952d7bcd987a7
SHA512: 09884ba2512c99f1d06e314c1f39f151db8b9db81654527b170273b6fcc3ad6fb3d181a44732426b241d69a1df667a166bac63a55ab3f5e810f7b8007756a712
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBgB/bSq:sxX7QnxrloE5dpUpXbV
Malware Config
Signatures
Drops startup file 1 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | 7b5267179d43473cb3cc88e2e9af0f45a0548cb3a257e744414952d7bcd987a7N.exe
Executes dropped EXE 2 IoCs
pid | Process
2560 | ecxdob.exe
2284 | devoptiloc.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesQ0\\devoptiloc.exe" | 7b5267179d43473cb3cc88e2e9af0f45a0548cb3a257e744414952d7bcd987a7N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintC0\\optidevsys.exe" | 7b5267179d43473cb3cc88e2e9af0f45a0548cb3a257e744414952d7bcd987a7N.exe
Both entries use the same value name (Parametr) in the submitting user's hive. The Run target, C:\FilesQ0\devoptiloc.exe, is also launched directly by the sample (see the process tree); the RunOnce target, C:\MintC0\optidevsys.exe, does not appear among the executed processes in this run, so it is a persistence entry whose payload was not observed running here.
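The two persistence mechanisms above (the Startup-folder drop and the Run/RunOnce values) are the rows an analyst usually wants pulled out of a report like this and cross-checked against what actually executed. The following is an added example, not part of the sandbox report or its tooling: it parses the three row shapes used in the Signatures section ("Set value (str) ...", "File created ...", "Key opened ..."), rewrites the kernel-style \REGISTRY\... paths into the HKU/HKLM form, tags autorun locations, and lists autorun targets that never show up as a running process. The sample rows are constructed from this page's IoCs; the allowlist of stock top-level folders and the set of executed process names are this example's assumptions.

```python
"""Triage helper for sandbox-report IoC rows (added example, not report tooling).

Parses the report's "Set value", "File created" and "Key opened" rows,
normalizes registry paths, and tags persistence so it can be read at a glance.
"""
import re
from dataclasses import dataclass, field
from typing import List, Set

SAMPLE = "7b5267179d43473cb3cc88e2e9af0f45a0548cb3a257e744414952d7bcd987a7N.exe"

# Constructed input: the report's own IoC rows, process name last, as printed above.
IOC_ROWS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000'
    r'\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesQ0\\devoptiloc.exe" ' + SAMPLE,
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000'
    r'\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintC0\\optidevsys.exe" ' + SAMPLE,
    r'File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe ' + SAMPLE,
    r'Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ecxdob.exe',
]

# Process names the report's tree shows running in this run (taken from the page).
EXECUTED = {SAMPLE, "ecxdob.exe", "devoptiloc.exe"}

SET_VALUE_RE = re.compile(r'^Set value \((\w+)\) (\\REGISTRY\\\S+?)\\([^\\ ]+) = "(.*)" (\S+)$')
FILE_CREATED_RE = re.compile(r'^File created (.+?) (\S+)$')
KEY_OPENED_RE = re.compile(r'^Key opened (\S+) (\S+)$')
AUTORUN_KEY_RE = re.compile(r'\\CurrentVersion\\Run(Once)?$', re.IGNORECASE)
STARTUP_DIR_RE = re.compile(r'\\Start Menu\\Programs\\Startup\\', re.IGNORECASE)

# Assumption of this example: folders normally found directly under a drive root.
STANDARD_ROOT_DIRS = {"program files", "program files (x86)", "windows", "users", "programdata"}


@dataclass
class Finding:
    kind: str                 # "registry-write", "file-write" or "registry-read"
    location: str             # normalized key\value name, or the file path written
    target: str               # path an autorun entry points to (or the file written)
    process: str              # process that performed the action
    tags: List[str] = field(default_factory=list)


def normalize_key(key: str) -> str:
    """Map \\REGISTRY\\USER\\<SID>\\... to HKU\\<SID>\\... and \\REGISTRY\\MACHINE to HKLM.
    The per-user SID subtree under HKU is what HKCU resolves to for that user."""
    if key.upper().startswith(r"\REGISTRY\USER"):
        return "HKU" + key[len(r"\REGISTRY\USER"):]
    if key.upper().startswith(r"\REGISTRY\MACHINE"):
        return "HKLM" + key[len(r"\REGISTRY\MACHINE"):]
    return key


def nonstandard_root_dir(path: str) -> bool:
    """True for <drive>:\\<dir>\\<file> when <dir> is not a stock top-level folder."""
    parts = path.split("\\")
    if len(parts) != 3 or not re.fullmatch(r"[A-Za-z]:", parts[0]):
        return False
    return parts[1].lower() not in STANDARD_ROOT_DIRS


def parse_row(row: str) -> Finding:
    m = SET_VALUE_RE.match(row)
    if m:
        _vtype, key, name, data, proc = m.groups()
        target = data.replace("\\\\", "\\")  # the report prints REG_SZ backslashes doubled
        f = Finding("registry-write", normalize_key(key) + "\\" + name, target, proc)
        if AUTORUN_KEY_RE.search(key):
            f.tags.append("autorun")
        if nonstandard_root_dir(target):
            f.tags.append("nonstandard-root-dir")
        return f
    m = FILE_CREATED_RE.match(row)
    if m:
        path, proc = m.groups()
        f = Finding("file-write", path, path, proc)
        if STARTUP_DIR_RE.search(path):
            f.tags.append("autorun")
        if nonstandard_root_dir(path):
            f.tags.append("nonstandard-root-dir")
        return f
    m = KEY_OPENED_RE.match(row)
    if m:
        key, proc = m.groups()
        f = Finding("registry-read", normalize_key(key), "", proc)
        if key.upper().endswith(r"\CONTROL\NLS\LANGUAGE"):
            f.tags.append("language-discovery")
        return f
    raise ValueError(f"unrecognized IoC row: {row!r}")


def triage(rows: List[str]) -> List[Finding]:
    return [parse_row(r) for r in rows]


def autorun_targets(findings: List[Finding]) -> Set[str]:
    return {f.target for f in findings if "autorun" in f.tags}


def autorun_not_executed(findings: List[Finding], executed: Set[str]) -> Set[str]:
    """Autorun targets whose file name never appears as a running process."""
    return {t for t in autorun_targets(findings) if t.rsplit("\\", 1)[-1] not in executed}


if __name__ == "__main__":
    found = triage(IOC_ROWS)
    for f in found:
        print(f"{f.kind:15} {','.join(f.tags) or '-':30} {f.location} -> {f.target}")
    print("autorun entries never seen executing:", autorun_not_executed(found, EXECUTED))
```

Run against the constructed rows it reports both registry values and the Startup-folder drop as autorun, flags C:\FilesQ0 and C:\MintC0 as non-standard root directories, and lists C:\MintC0\optidevsys.exe as an autorun target with no matching process in the tree.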
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7b5267179d43473cb3cc88e2e9af0f45a0548cb3a257e744414952d7bcd987a7N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ecxdob.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | devoptiloc.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process | entries
4572 | 7b5267179d43473cb3cc88e2e9af0f45a0548cb3a257e744414952d7bcd987a7N.exe | 4
2560 | ecxdob.exe | 30
2284 | devoptiloc.exe | 30
Suspicious use of WriteProcessMemory 6 IoCs
description | pid | Process | procid_target | entries
PID 4572 wrote to memory of 2560 | 4572 | 7b5267179d43473cb3cc88e2e9af0f45a0548cb3a257e744414952d7bcd987a7N.exe | 89 | 3
PID 4572 wrote to memory of 2284 | 4572 | 7b5267179d43473cb3cc88e2e9af0f45a0548cb3a257e744414952d7bcd987a7N.exe | 90 | 3
Both targets are child processes the sample itself spawned (see the process tree below); a parent writing into a freshly created child can occur during ordinary process creation, so these entries alone do not show injection into an unrelated process.
Processes
C:\Users\Admin\AppData\Local\Temp\7b5267179d43473cb3cc88e2e9af0f45a0548cb3a257e744414952d7bcd987a7N.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\7b5267179d43473cb3cc88e2e9af0f45a0548cb3a257e744414952d7bcd987a7N.exe"
  PID: 4572
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
      command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
      PID: 2560
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
    C:\FilesQ0\devoptiloc.exe
      command line: C:\FilesQ0\devoptiloc.exe
      PID: 2284
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
Seven files were written during the run; four of them are 2.6MB, the same size as the sample, but none shares the sample's hashes. No file names are recorded for these entries.

Filesize: 1.4MB
MD5: 503ae888801bdabef4f9cfc02f371bdb
SHA1: 3c35a8302ccc87003c868771c569831875b2efef
SHA256: d8bd87b35cb0d996641814ce046ac9dc31c024c79c2e905dc1077bc411923bea
SHA512: f479d87223ad2641d781671be39a1ae29806db325d0901e309d3fceb5d5ae649bf5b3c65110ee6d289e1eade0d551dac29cc8a2ed949687b01c909dd51ab5e6c

Filesize: 2.6MB
MD5: b35e67007292b7b49d701dc7e6221e44
SHA1: bab3695315603f314cff0a71af90a7ed1e4c6263
SHA256: 551c893b52658767871bf24998be1663740c8156925d6bbcd12770091e0d578b
SHA512: 24695ea7e494b46fd10dba663e8236aea14d2b1eda69d5a8122fc3e4b4b57c6f567112437fc093f868debbe0999f1c75245c4cfb2f0e6fe5ed25b8a4e407853a

Filesize: 2.6MB
MD5: 5b5af493edd899d061e228cda1cd5ae0
SHA1: efcda9fafc3c5dc4d7aee01fa9086be903647d5e
SHA256: 025f566883f7dcf753c51eba1f9aab3a29e9444d8af407cb380ff550898eda56
SHA512: b95b95ab330bb0821cc171e3d4ffd86fd8bee5af9d1f5b0029ce5aa4818821f3026e04eed2e4cd160aaeb1cb64e5f3e44cab63925e24985b1731c2f8a7c3737d

Filesize: 2.6MB
MD5: 72674400ac7e77f20a448febe5f02754
SHA1: 9be518be2406db8f5f00dc55fb9ffb77640f5d63
SHA256: 2a38e4b56f65847c4410c56623818a97b465a77acb66798f46421b40ea1d1e29
SHA512: 9eb0f1485d1f6726fbf11abb57a212343ef9c51e5fb2881c1d7566d3e73535022ad02a70460a8973df7ecfe850579e5dd60bb31e631a68eebad5a5a04b957524

Filesize: 205B
MD5: e7c684e9bf5cda15f08b22791d299595
SHA1: e313a30ade0dc660ce58a598b82652a2728ce244
SHA256: 8871ceb359957d943ce23202f7e1e965da57da0d3b7c907bd12780a5d69319bf
SHA512: 7cb9d8311cf8edb87275fb35af501169ba8956e7463a815b9a583e50427877297ccdb9f737c177f9867bca877d187d4e118818baf4e934b2e52c6cab4c12f370

Filesize: 173B
MD5: ceb542fad178eafe5620c3eadf5638a9
SHA1: 7de44870886576be3593d2aab6630b5cf1dfc172
SHA256: 2aaa3776ad052f2c2172bd0aeaad0671eb30a21b915cbb855156aeee64239ce4
SHA512: fd505a1adaeb276700cdf79160ae9b2c79ebd5e90959448f0869646b63597c59b5c60043fc34208b11ca23c5965e87ffdf11a9fe6b2125769f0c524887b8263b

Filesize: 2.6MB
MD5: 579de187030a611fce4d0d180a3e38d2
SHA1: e9729172c276914f651408d56b44f12125feef56
SHA256: 209562840092617d0c1ff82fdf5b82a19ae01124a652f80e3a390cf6af61a770
SHA512: a6f096feecb678baedf7620ca041b0da53d1eae71a889934ad3ef24a920d28ac2f431abdba901c7bc64517e628964a3c192edd22aac626aad3b782c0bc170649