Analysis
max time kernel: 120s
max time network: 16s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 08/11/2024, 13:19
Static task: static1
Behavioral task: behavioral1
  Sample: 87533e56591ddaa8feb5845fbe8f2d40c9bb58d28862b7356c31466533a9dc7eN.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 87533e56591ddaa8feb5845fbe8f2d40c9bb58d28862b7356c31466533a9dc7eN.exe
  Resource: win10v2004-20241007-en
General
Target: 87533e56591ddaa8feb5845fbe8f2d40c9bb58d28862b7356c31466533a9dc7eN.exe
Size: 3.1MB
MD5: 1cc4fd9074b31a840dc9915f9442bdd0
SHA1: f2fcd902e7097c95ac5391331d85aba2b4e6cc6c
SHA256: 87533e56591ddaa8feb5845fbe8f2d40c9bb58d28862b7356c31466533a9dc7e
SHA512: 24d2c750c38f24c78d3ab58f03481a3cfab1666be113aa317bd9dbf94ebc46d157308d35f24c0df9669221e3a758d528dd304cdaffd83be456103da7552d1088
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBdB/bSqz8b6LNXJqI20:sxX7QnxrloE5dpUpCbVz8eLFcz
Malware Config
Signatures
Drops startup file (1 IoC)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | 87533e56591ddaa8feb5845fbe8f2d40c9bb58d28862b7356c31466533a9dc7eN.exe

Executes dropped EXE (2 IoCs)
  pid | Process
  2360 | ecdevopti.exe
  2416 | xdobsys.exe

Loads dropped DLL (2 IoCs)
  pid | Process
  2380 | 87533e56591ddaa8feb5845fbe8f2d40c9bb58d28862b7356c31466533a9dc7eN.exe
  2380 | 87533e56591ddaa8feb5845fbe8f2d40c9bb58d28862b7356c31466533a9dc7eN.exe
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesST\\xdobsys.exe" | 87533e56591ddaa8feb5845fbe8f2d40c9bb58d28862b7356c31466533a9dc7eN.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZU8\\optixloc.exe" | 87533e56591ddaa8feb5845fbe8f2d40c9bb58d28862b7356c31466533a9dc7eN.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 87533e56591ddaa8feb5845fbe8f2d40c9bb58d28862b7356c31466533a9dc7eN.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ecdevopti.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xdobsys.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  2380 | 87533e56591ddaa8feb5845fbe8f2d40c9bb58d28862b7356c31466533a9dc7eN.exe (2 entries)
  2360 | ecdevopti.exe (31 entries, alternating with the entry below)
  2416 | xdobsys.exe (31 entries)

Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 2380 wrote to memory of 2360 | 2380 | 87533e56591ddaa8feb5845fbe8f2d40c9bb58d28862b7356c31466533a9dc7eN.exe | 31 (4 entries)
  PID 2380 wrote to memory of 2416 | 2380 | 87533e56591ddaa8feb5845fbe8f2d40c9bb58d28862b7356c31466533a9dc7eN.exe | 32 (4 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\87533e56591ddaa8feb5845fbe8f2d40c9bb58d28862b7356c31466533a9dc7eN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\87533e56591ddaa8feb5845fbe8f2d40c9bb58d28862b7356c31466533a9dc7eN.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2380

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 2360

  C:\FilesST\xdobsys.exe
    Command line: C:\FilesST\xdobsys.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 2416
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 3.1MB
MD5: 57467fe6f28eb201dddd5b499cb84dc1
SHA1: 08423378e6472b45dd31b91dccbeb7ee0fa33436
SHA256: 9e652e2637dc24ad0de34fa174b696b72cd8b1db7dcc2f7cb951c236a1e00a49
SHA512: e9d062ff31bdd43fa92e07be296025eadbee42447fd1b858fb1c205a34c3811ac4c9ca2b721abd176e1c598926c19c79622609fb47a93d467827b83938fd5927

Filesize: 3.1MB
MD5: d91acec1223ae3e357d0d3bf201dee2e
SHA1: 480b97964222800d9f0f189fe5c3b2b532546f2c
SHA256: 227df1469d59232fb904772f3a639b055f62b55dc5bef66a19da7d59ce2590f5
SHA512: 0c5b95eebc590719575ecb88e501cbbc0b965709ba5b5b75d11a86e9ece008f32115218932f74ad38f64fb6af5de105ed74738106909992bf7b47f85ca4ca8d8

Filesize: 3.1MB
MD5: 72d601f2fa9e27d323e69e170217db2b
SHA1: 11e34cf6d8553a0a4767012b33f700040f331561
SHA256: b6b0a4a7a5d52e840c2040230413242c3b0e2ee70a743de8a9682a2997636507
SHA512: 53aeb0143518f1a8dd34e654e0aa23815ae44d793c33066b8b07796f3ebe9f91ceb11ba8e52a6a92ad139caf012a25394ba424347329510e2287186b21c07ecc

Filesize: 171B
MD5: b4e7397d11ef9b276fc9fbe4981b0d0f
SHA1: 9206a7eaf9925e9d8a9a7a50ba52360832f22ed6
SHA256: 7fe07a660f36206439fc23209cb9a764514ff4a95a0408b73944acab01f3a0f2
SHA512: 7698c0a23a91391daefafacd1aaec681c0f03f624d36edac644ff93df2384301cd527ccb3ae17c6dc82685b855d8c295f18914609ae9b6a6ba4a010ce0266ec9

Filesize: 203B
MD5: 6919fb1c5518a212545be20dc3f8cb68
SHA1: 6b56462b7bc271339afe0213d4786d026e983886
SHA256: 8497793f8a4fcc012052dd3cf88b21ce0c44fe17435da34fbe08693f5e1b0a7b
SHA512: 7b0f6166c93d34d4a4894909b4518c9312501eaa23c09f72df745885fb3307362486ed27ffd362d98d7d82ad0f2ede60e94b69d8b2bd1dc052e4250ba5de2b0e

Filesize: 3.1MB
MD5: 71485ebd8baf7e0eb7f066df8f11fe47
SHA1: e70c04950fd61da353ed71d7b1065f36f33f9ad9
SHA256: f09b19fb5390b22eb7583f607ae486e20e6a60c5d6aba9a979bddb11c1a68f50
SHA512: 7542a60df75405cd63346fd3c4c6f74c6338597bb8c535bc3a5e1563940a1d044b8c8abfc0e14a96af686c8b710c3488eb436fd9467f76f15d60857fc11b616e