Analysis
  max time kernel: 119s
  max time network: 118s
  platform: windows7_x64
  resource: win7-20240903-en
  resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  submitted: 08/11/2024, 15:02

Static task: static1
Behavioral task: behavioral1
  Sample: d9b16250ec098ad70e19ba0baede20f503e4fcff1080b860b8a06084feaf604fN.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: d9b16250ec098ad70e19ba0baede20f503e4fcff1080b860b8a06084feaf604fN.exe
  Resource: win10v2004-20241007-en
General
  Target: d9b16250ec098ad70e19ba0baede20f503e4fcff1080b860b8a06084feaf604fN.exe
  Size: 2.6MB
  MD5: 38c782e87792354ca420f178655dfaf0
  SHA1: 55a9e267dda831d2f8fa98094e6ef04442c51bb2
  SHA256: d9b16250ec098ad70e19ba0baede20f503e4fcff1080b860b8a06084feaf604f
  SHA512: acb6c699271127b8f9d38604f28388f924f8f7b93d0ec4e3280a42d6c0f7229c225ff4224d52c46510c8abfe17bf663d02103d4b561847ab20a226f64340f220
  SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB2B/bSq:sxX7QnxrloE5dpUpBbV
Malware Config
Signatures
Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
    Process: d9b16250ec098ad70e19ba0baede20f503e4fcff1080b860b8a06084feaf604fN.exe
Executes dropped EXE (2 IoCs)
  PID 2764: ecdevbod.exe
  PID 2668: xoptiec.exe
Loads dropped DLL (2 IoCs)
  PID 2756: d9b16250ec098ad70e19ba0baede20f503e4fcff1080b860b8a06084feaf604fN.exe
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeUO\\xoptiec.exe"
    Process: d9b16250ec098ad70e19ba0baede20f503e4fcff1080b860b8a06084feaf604fN.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxIH\\dobdevec.exe"
    Process: d9b16250ec098ad70e19ba0baede20f503e4fcff1080b860b8a06084feaf604fN.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim host in order to infer its geographical location.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: d9b16250ec098ad70e19ba0baede20f503e4fcff1080b860b8a06084feaf604fN.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: ecdevbod.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: xoptiec.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2756: d9b16250ec098ad70e19ba0baede20f503e4fcff1080b860b8a06084feaf604fN.exe
  PID 2764: ecdevbod.exe
  PID 2668: xoptiec.exe
Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2756 (d9b16250ec098ad70e19ba0baede20f503e4fcff1080b860b8a06084feaf604fN.exe) wrote to memory of PID 2764, procid_target 30
  PID 2756 (d9b16250ec098ad70e19ba0baede20f503e4fcff1080b860b8a06084feaf604fN.exe) wrote to memory of PID 2668, procid_target 31
Processes
  C:\Users\Admin\AppData\Local\Temp\d9b16250ec098ad70e19ba0baede20f503e4fcff1080b860b8a06084feaf604fN.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\d9b16250ec098ad70e19ba0baede20f503e4fcff1080b860b8a06084feaf604fN.exe"
    PID: 2756
    - Drops startup file
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
      PID: 2764
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

    C:\AdobeUO\xoptiec.exe
      Command line: C:\AdobeUO\xoptiec.exe
      PID: 2668
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads