Analysis

  • max time kernel: 120s
  • max time network: 95s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 08/11/2024, 23:00

General

  • Target: 7b5267179d43473cb3cc88e2e9af0f45a0548cb3a257e744414952d7bcd987a7N.exe
  • Size: 2.6MB
  • MD5: fdb38d8db9bd212ceab717e00ee9ddf0
  • SHA1: 7115ab3cb67e1ffec271db2ed420e53accf2f8ff
  • SHA256: 7b5267179d43473cb3cc88e2e9af0f45a0548cb3a257e744414952d7bcd987a7
  • SHA512: 09884ba2512c99f1d06e314c1f39f151db8b9db81654527b170273b6fcc3ad6fb3d181a44732426b241d69a1df667a166bac63a55ab3f5e810f7b8007756a712
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBgB/bSq:sxX7QnxrloE5dpUpXbV

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and similar material.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7b5267179d43473cb3cc88e2e9af0f45a0548cb3a257e744414952d7bcd987a7N.exe
    "C:\Users\Admin\AppData\Local\Temp\7b5267179d43473cb3cc88e2e9af0f45a0548cb3a257e744414952d7bcd987a7N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4572
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2560
    • C:\FilesQ0\devoptiloc.exe
      C:\FilesQ0\devoptiloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2284

Network

        Downloads

        • C:\FilesQ0\devoptiloc.exe
          Filesize: 1.4MB
          MD5: 503ae888801bdabef4f9cfc02f371bdb
          SHA1: 3c35a8302ccc87003c868771c569831875b2efef
          SHA256: d8bd87b35cb0d996641814ce046ac9dc31c024c79c2e905dc1077bc411923bea
          SHA512: f479d87223ad2641d781671be39a1ae29806db325d0901e309d3fceb5d5ae649bf5b3c65110ee6d289e1eade0d551dac29cc8a2ed949687b01c909dd51ab5e6c

        • C:\FilesQ0\devoptiloc.exe
          Filesize: 2.6MB
          MD5: b35e67007292b7b49d701dc7e6221e44
          SHA1: bab3695315603f314cff0a71af90a7ed1e4c6263
          SHA256: 551c893b52658767871bf24998be1663740c8156925d6bbcd12770091e0d578b
          SHA512: 24695ea7e494b46fd10dba663e8236aea14d2b1eda69d5a8122fc3e4b4b57c6f567112437fc093f868debbe0999f1c75245c4cfb2f0e6fe5ed25b8a4e407853a

        • C:\MintC0\optidevsys.exe
          Filesize: 2.6MB
          MD5: 5b5af493edd899d061e228cda1cd5ae0
          SHA1: efcda9fafc3c5dc4d7aee01fa9086be903647d5e
          SHA256: 025f566883f7dcf753c51eba1f9aab3a29e9444d8af407cb380ff550898eda56
          SHA512: b95b95ab330bb0821cc171e3d4ffd86fd8bee5af9d1f5b0029ce5aa4818821f3026e04eed2e4cd160aaeb1cb64e5f3e44cab63925e24985b1731c2f8a7c3737d

        • C:\MintC0\optidevsys.exe
          Filesize: 2.6MB
          MD5: 72674400ac7e77f20a448febe5f02754
          SHA1: 9be518be2406db8f5f00dc55fb9ffb77640f5d63
          SHA256: 2a38e4b56f65847c4410c56623818a97b465a77acb66798f46421b40ea1d1e29
          SHA512: 9eb0f1485d1f6726fbf11abb57a212343ef9c51e5fb2881c1d7566d3e73535022ad02a70460a8973df7ecfe850579e5dd60bb31e631a68eebad5a5a04b957524

        • C:\Users\Admin\253086396416_10.0_Admin.ini
          Filesize: 205B
          MD5: e7c684e9bf5cda15f08b22791d299595
          SHA1: e313a30ade0dc660ce58a598b82652a2728ce244
          SHA256: 8871ceb359957d943ce23202f7e1e965da57da0d3b7c907bd12780a5d69319bf
          SHA512: 7cb9d8311cf8edb87275fb35af501169ba8956e7463a815b9a583e50427877297ccdb9f737c177f9867bca877d187d4e118818baf4e934b2e52c6cab4c12f370

        • C:\Users\Admin\253086396416_10.0_Admin.ini
          Filesize: 173B
          MD5: ceb542fad178eafe5620c3eadf5638a9
          SHA1: 7de44870886576be3593d2aab6630b5cf1dfc172
          SHA256: 2aaa3776ad052f2c2172bd0aeaad0671eb30a21b915cbb855156aeee64239ce4
          SHA512: fd505a1adaeb276700cdf79160ae9b2c79ebd5e90959448f0869646b63597c59b5c60043fc34208b11ca23c5965e87ffdf11a9fe6b2125769f0c524887b8263b

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
          Filesize: 2.6MB
          MD5: 579de187030a611fce4d0d180a3e38d2
          SHA1: e9729172c276914f651408d56b44f12125feef56
          SHA256: 209562840092617d0c1ff82fdf5b82a19ae01124a652f80e3a390cf6af61a770
          SHA512: a6f096feecb678baedf7620ca041b0da53d1eae71a889934ad3ef24a920d28ac2f431abdba901c7bc64517e628964a3c192edd22aac626aad3b782c0bc170649