Analysis
max time kernel: 119s
max time network: 93s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/11/2024, 23:54
Static task: static1
Behavioral task: behavioral1
  Sample: 8350c8dd6c64c8a90bb3d99fa321c3beb1e8424fa682b4c9517c90dfddcca420N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 8350c8dd6c64c8a90bb3d99fa321c3beb1e8424fa682b4c9517c90dfddcca420N.exe
  Resource: win10v2004-20241007-en
General
Target: 8350c8dd6c64c8a90bb3d99fa321c3beb1e8424fa682b4c9517c90dfddcca420N.exe
Size: 2.6MB
MD5: cef5dad727471586603a887b866d9920
SHA1: 12971557a18ba400a88978d45ab759f7a35d70a5
SHA256: 8350c8dd6c64c8a90bb3d99fa321c3beb1e8424fa682b4c9517c90dfddcca420
SHA512: 973f8bff66d20814b9a167a6b88209524865d30dd0b397cfcfdc34fe0c49b981e7ecdfe9d25b9a375611871725e483f81d6128b63523dd5873093706e1ce72f5
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBdB/bS:sxX7QnxrloE5dpUpmb
Malware Config
Signatures
Drops startup file (1 IoC)
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
  Process: 8350c8dd6c64c8a90bb3d99fa321c3beb1e8424fa682b4c9517c90dfddcca420N.exe

Executes dropped EXE (2 IoCs)
  pid 2880  Process ecdevbod.exe
  pid 5100  Process xdobsys.exe

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocGS\\xdobsys.exe"
  Process: 8350c8dd6c64c8a90bb3d99fa321c3beb1e8424fa682b4c9517c90dfddcca420N.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintVO\\optidevsys.exe"
  Process: 8350c8dd6c64c8a90bb3d99fa321c3beb1e8424fa682b4c9517c90dfddcca420N.exe

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process: 8350c8dd6c64c8a90bb3d99fa321c3beb1e8424fa682b4c9517c90dfddcca420N.exe
  description: Key opened  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process: ecdevbod.exe
  description: Key opened  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process: xdobsys.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 1696  Process 8350c8dd6c64c8a90bb3d99fa321c3beb1e8424fa682b4c9517c90dfddcca420N.exe  (4 entries)
  pid 2880  Process ecdevbod.exe  (30 entries)
  pid 5100  Process xdobsys.exe  (30 entries)

Suspicious use of WriteProcessMemory (6 IoCs)
  description: PID 1696 wrote to memory of 2880  pid: 1696  Process: 8350c8dd6c64c8a90bb3d99fa321c3beb1e8424fa682b4c9517c90dfddcca420N.exe  procid_target: 87  (3 entries)
  description: PID 1696 wrote to memory of 5100  pid: 1696  Process: 8350c8dd6c64c8a90bb3d99fa321c3beb1e8424fa682b4c9517c90dfddcca420N.exe  procid_target: 89  (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\8350c8dd6c64c8a90bb3d99fa321c3beb1e8424fa682b4c9517c90dfddcca420N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8350c8dd6c64c8a90bb3d99fa321c3beb1e8424fa682b4c9517c90dfddcca420N.exe"
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 1696
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 2880
  - C:\IntelprocGS\xdobsys.exe
    Command line: C:\IntelprocGS\xdobsys.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 5100
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2.6MB
MD5: 9e95124eb81fc87105580e24296ca3b3
SHA1: 1fd345bd07aa897c42bc53bce4c5c814887bcbea
SHA256: c4bd95d77eacd936c1144f47b17b2090ebe66b86aea639a0b6ff2182b43de665
SHA512: 6dae7795a813a51a9e025e371e00146c12beb8045015f681def3d6d12b311f8a308336129f29f1a27610ad63ebbba68280fbda4703ca3053ceaf5c58afb68122

Filesize: 2.6MB
MD5: 457e1cec4e1bee3daa3512fa0690f141
SHA1: 5466dbcdb228bc29ac8bbc229460fc0785710d75
SHA256: 70a1b2c6da72948115c96de89d932fda0b2ed738a28f73311b74f0ab7bf9f547
SHA512: 4cfb57aa80e3963dc71f3148f173585a2ee9c46eaef30f7dbc1b57e18fa4758f49c53f7a34090182de832e9b5a4b33e770bf0a2b8d54ebcaae993360300135ae

Filesize: 223KB
MD5: bd293b77377b9f08b4b5763a889a1324
SHA1: 1270f64634150c6853440db4aca88ebfb4c1250a
SHA256: 6275c2cf8f4dce45fe2879bdfd9c4e91b7ca45cd0322cb69ee47d7403fdc66a4
SHA512: 4d033dbf941c444d86fbe9844bd1162c4bc540cb73203f70a810773eff952f69bbdcf3b04b1a5b8be3f420bd9045b320a76e349110326088729cf63c6536776f

Filesize: 208B
MD5: cedb5fb349ceff525093d516e99e0e80
SHA1: d938e3768051e563fe5dc21854af479062790b0a
SHA256: 8b2e49c7bfb8988a95a03c4f89b861867ef38ad64a5228c3b279aeb1641df1d8
SHA512: 43c9832f93f33e93574e5916b1553327b44647adbb271f409e680095677533e3325b270dab5aa44fd5b999c5acf4c2cb36e1f85b58c8550837e06ec781bdd7de

Filesize: 176B
MD5: 10209582701a00f1eb4d6571a2d9c8a0
SHA1: 37b71138880a48e7b4fb1878806cda7a84e206ed
SHA256: cc6c92045f3e5232fb6a423fa9f6081b1d890e5e685347d2f550af573cd2209c
SHA512: 1ea37b95a99ab790f6dd2a4bce73ea9808f4b4bbfc8fc643591f221f4484c3286b0b22b857a513f66dac0fd39065a51369a25523bd7d8582b3d3e09a57fad6a4

Filesize: 2.6MB
MD5: 9b7d628ef5b3f38127ce2e462729e5d1
SHA1: 0617c5f7643d3048cf16117ec0b3b47bc8669e93
SHA256: 3bcccc7c7be1c8a5d32bb3aebc7f48a6481a6bad7aa57739fc02013ae9154fa3
SHA512: 3167929c89a9c3384b69078e4f17f968e74fab712980f02e5c29c3815e78c2425af5ee157800342e65225905e0cff418877bb024c5e69b8bf58b07fa1a45a9e7