Analysis

  • max time kernel: 120s
  • max time network: 16s
  • platform: windows7_x64
  • resource: win7-20240903-en
  • resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted: 08/11/2024, 13:19

General

  • Target: 87533e56591ddaa8feb5845fbe8f2d40c9bb58d28862b7356c31466533a9dc7eN.exe
  • Size: 3.1MB
  • MD5: 1cc4fd9074b31a840dc9915f9442bdd0
  • SHA1: f2fcd902e7097c95ac5391331d85aba2b4e6cc6c
  • SHA256: 87533e56591ddaa8feb5845fbe8f2d40c9bb58d28862b7356c31466533a9dc7e
  • SHA512: 24d2c750c38f24c78d3ab58f03481a3cfab1666be113aa317bd9dbf94ebc46d157308d35f24c0df9669221e3a758d528dd304cdaffd83be456103da7552d1088
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBdB/bSqz8b6LNXJqI20:sxX7QnxrloE5dpUpCbVz8eLFcz

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\87533e56591ddaa8feb5845fbe8f2d40c9bb58d28862b7356c31466533a9dc7eN.exe
    "C:\Users\Admin\AppData\Local\Temp\87533e56591ddaa8feb5845fbe8f2d40c9bb58d28862b7356c31466533a9dc7eN.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2380
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2360
    • C:\FilesST\xdobsys.exe
      C:\FilesST\xdobsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2416

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\FilesST\xdobsys.exe
          Filesize: 3.1MB
          MD5: 57467fe6f28eb201dddd5b499cb84dc1
          SHA1: 08423378e6472b45dd31b91dccbeb7ee0fa33436
          SHA256: 9e652e2637dc24ad0de34fa174b696b72cd8b1db7dcc2f7cb951c236a1e00a49
          SHA512: e9d062ff31bdd43fa92e07be296025eadbee42447fd1b858fb1c205a34c3811ac4c9ca2b721abd176e1c598926c19c79622609fb47a93d467827b83938fd5927

        • C:\LabZU8\optixloc.exe
          Filesize: 3.1MB
          MD5: d91acec1223ae3e357d0d3bf201dee2e
          SHA1: 480b97964222800d9f0f189fe5c3b2b532546f2c
          SHA256: 227df1469d59232fb904772f3a639b055f62b55dc5bef66a19da7d59ce2590f5
          SHA512: 0c5b95eebc590719575ecb88e501cbbc0b965709ba5b5b75d11a86e9ece008f32115218932f74ad38f64fb6af5de105ed74738106909992bf7b47f85ca4ca8d8

        • C:\LabZU8\optixloc.exe
          Filesize: 3.1MB
          MD5: 72d601f2fa9e27d323e69e170217db2b
          SHA1: 11e34cf6d8553a0a4767012b33f700040f331561
          SHA256: b6b0a4a7a5d52e840c2040230413242c3b0e2ee70a743de8a9682a2997636507
          SHA512: 53aeb0143518f1a8dd34e654e0aa23815ae44d793c33066b8b07796f3ebe9f91ceb11ba8e52a6a92ad139caf012a25394ba424347329510e2287186b21c07ecc

        • C:\Users\Admin\253086396416_6.1_Admin.ini
          Filesize: 171B
          MD5: b4e7397d11ef9b276fc9fbe4981b0d0f
          SHA1: 9206a7eaf9925e9d8a9a7a50ba52360832f22ed6
          SHA256: 7fe07a660f36206439fc23209cb9a764514ff4a95a0408b73944acab01f3a0f2
          SHA512: 7698c0a23a91391daefafacd1aaec681c0f03f624d36edac644ff93df2384301cd527ccb3ae17c6dc82685b855d8c295f18914609ae9b6a6ba4a010ce0266ec9

        • C:\Users\Admin\253086396416_6.1_Admin.ini
          Filesize: 203B
          MD5: 6919fb1c5518a212545be20dc3f8cb68
          SHA1: 6b56462b7bc271339afe0213d4786d026e983886
          SHA256: 8497793f8a4fcc012052dd3cf88b21ce0c44fe17435da34fbe08693f5e1b0a7b
          SHA512: 7b0f6166c93d34d4a4894909b4518c9312501eaa23c09f72df745885fb3307362486ed27ffd362d98d7d82ad0f2ede60e94b69d8b2bd1dc052e4250ba5de2b0e

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
          Filesize: 3.1MB
          MD5: 71485ebd8baf7e0eb7f066df8f11fe47
          SHA1: e70c04950fd61da353ed71d7b1065f36f33f9ad9
          SHA256: f09b19fb5390b22eb7583f607ae486e20e6a60c5d6aba9a979bddb11c1a68f50
          SHA512: 7542a60df75405cd63346fd3c4c6f74c6338597bb8c535bc3a5e1563940a1d044b8c8abfc0e14a96af686c8b710c3488eb436fd9467f76f15d60857fc11b616e