Analysis
max time kernel: 119s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 08/11/2024, 15:03

Static task: static1

Behavioral task: behavioral1
  Sample: f4ed82e04cad02e53ffe4dc1caac2e3e24471f8e25c0a6611e138629d8282a89N.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: f4ed82e04cad02e53ffe4dc1caac2e3e24471f8e25c0a6611e138629d8282a89N.exe
  Resource: win10v2004-20241007-en
General
Target: f4ed82e04cad02e53ffe4dc1caac2e3e24471f8e25c0a6611e138629d8282a89N.exe
Size: 2.6MB
MD5: 7c5ec4cf4d8f7aa0c39533542cb75190
SHA1: 21d9fcd8da84e8890c6aa625cc0aac4bff1ea977
SHA256: f4ed82e04cad02e53ffe4dc1caac2e3e24471f8e25c0a6611e138629d8282a89
SHA512: 0f7924e7011e38a6a86157907a501e9ffec1a75d5cd0477e8e23b169d345a059e23f91d4efbc9227e530905337f3aaeafbed81677885d95f8582da1888b11d2e
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBdB/bS:sxX7QnxrloE5dpUpGb
Malware Config
Signatures
Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
  Process: f4ed82e04cad02e53ffe4dc1caac2e3e24471f8e25c0a6611e138629d8282a89N.exe

Executes dropped EXE (2 IoCs)
  PID 2544  ecxbod.exe
  PID 1308  devdobsys.exe

Loads dropped DLL (2 IoCs)
  PID 2100  f4ed82e04cad02e53ffe4dc1caac2e3e24471f8e25c0a6611e138629d8282a89N.exe (two loads recorded)
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar secrets. The report records no individual IoCs for this signature, so treat it as a behavioural hint rather than a confirmed read of specific files.
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBZC\\optixec.exe"
    Process: f4ed82e04cad02e53ffe4dc1caac2e3e24471f8e25c0a6611e138629d8282a89N.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc1E\\devdobsys.exe"
    Process: f4ed82e04cad02e53ffe4dc1caac2e3e24471f8e25c0a6611e138629d8282a89N.exe
  Both values are written by the sample under the same name, "Parametr", but point at different binaries. The RunOnce entry launches C:\KaVBZC\optixec.exe once at the next logon; optixec.exe does not appear among the processes observed in this run. The Run entry launches C:\Intelproc1E\devdobsys.exe at every logon; devdobsys.exe already ran as PID 1308. Together with the Startup-folder copy of ecxbod.exe this gives three separate persistence mechanisms, all pointing at non-standard directories.
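A way to pull the two persistence entries above out of the report's flattened IoC strings and flag them, as an added example that is not part of the sandbox report: it parses each "Set value" line into key path, value name, target and writing process, keeps only Run/RunOnce writes, and marks targets outside the Windows and Program Files trees. The two IoC lines are copied from the report; the benign OneDrive entry and the Explorer write in the sample input are constructed, and the trusted-directory list is an assumption of this example, not something the report states.

```python
"""Parse "Set value" registry IoCs as a sandbox report prints them and flag
autorun persistence.  Added example, not part of the report."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Autostart keys covered by the report's "Adds Run key" signature.
AUTORUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)$",
    re.IGNORECASE,
)

# One flattened IoC:  Set value (str) \REGISTRY\...\Run\Name = "C:\\x.exe" proc.exe
# The report doubles the backslashes inside the quoted data.
SET_VALUE_RE = re.compile(
    r'Set value \((?P<vtype>\w+)\) (?P<key>\\REGISTRY\\.+?)\\(?P<name>[^\\ ]+) '
    r'= "(?P<data>(?:[^"\\]|\\.)*)" (?P<proc>\S+)'
)

USER_SID_RE = re.compile(r"\\REGISTRY\\USER\\(S-1-5-21-[\d-]+)")

# Assumed trusted roots: targets under these are treated as expected; anything
# else (a freshly created root folder, a user profile path) is flagged for review.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass
class AutorunEntry:
    key: str                 # full key path, e.g. \REGISTRY\USER\<SID>\...\RunOnce
    name: str                # value name ("Parametr" in the report)
    target: str              # executable the value points at, backslashes unescaped
    process: str             # process that wrote the value
    user_sid: Optional[str]  # SID of the profile hive, None for HKLM writes
    suspicious: bool


def _executable(data: str) -> str:
    """Return the program path from a Run value: the quoted part if the value is
    quoted, otherwise the whole string (the report's values carry no arguments)."""
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    return data


def parse_set_value(line: str) -> Optional[AutorunEntry]:
    """Return an AutorunEntry for a Run/RunOnce write, None for anything else."""
    m = SET_VALUE_RE.search(line)
    if not m or not AUTORUN_KEY_RE.search(m.group("key")):
        return None
    key = m.group("key")
    target = _executable(m.group("data").replace("\\\\", "\\"))
    sid = USER_SID_RE.search(key)
    return AutorunEntry(
        key=key,
        name=m.group("name"),
        target=target,
        process=m.group("proc"),
        user_sid=sid.group(1) if sid else None,
        suspicious=not target.lower().startswith(TRUSTED_PREFIXES),
    )


def scan(lines) -> List[AutorunEntry]:
    """Collect autorun writes from an iterable of IoC lines, skipping the rest."""
    return [e for e in (parse_set_value(l) for l in lines) if e is not None]


# Input: the two IoC strings from the report, followed by two constructed lines
# (a benign Run entry and a non-autostart write) to show what is and is not flagged.
SAMPLE_LINES = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBZC\\optixec.exe" f4ed82e04cad02e53ffe4dc1caac2e3e24471f8e25c0a6611e138629d8282a89N.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc1E\\devdobsys.exe" f4ed82e04cad02e53ffe4dc1caac2e3e24471f8e25c0a6611e138629d8282a89N.exe',
    # constructed: a legitimate-looking Run entry under Program Files
    r'Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe" explorer.exe',
    # constructed: a registry write that is not to an autostart key
    r'Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden = "1" explorer.exe',
]

if __name__ == "__main__":
    for e in scan(SAMPLE_LINES):
        kind = e.key.rsplit("\\", 1)[-1]          # Run or RunOnce
        flag = "SUSPICIOUS" if e.suspicious else "expected"
        print(f"{flag:10} {kind:8} {e.name:10} -> {e.target}  (set by {e.process})")
```

The same parser works on the "Set value" lines of other reports in this format; the only report-specific choice is the trusted-prefix list, which a SOC would normally replace with its own allow-list of known autorun targets.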
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    by f4ed82e04cad02e53ffe4dc1caac2e3e24471f8e25c0a6611e138629d8282a89N.exe
    by ecxbod.exe
    by devdobsys.exe
  This key is also read by ordinary locale-aware code, so on its own it is weak evidence; what is notable here is that the same check appears in all three stages.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2100  f4ed82e04cad02e53ffe4dc1caac2e3e24471f8e25c0a6611e138629d8282a89N.exe (2 entries)
  PID 2544  ecxbod.exe and PID 1308  devdobsys.exe (the remaining 62 entries, alternating between the two processes)
Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2100 (f4ed82e04cad02e53ffe4dc1caac2e3e24471f8e25c0a6611e138629d8282a89N.exe) wrote to memory of PID 2544 (target procid 30): 4 writes
  PID 2100 (f4ed82e04cad02e53ffe4dc1caac2e3e24471f8e25c0a6611e138629d8282a89N.exe) wrote to memory of PID 1308 (target procid 31): 4 writes
  All eight writes go from the sample into the two processes it had just started, four per child. That pattern is consistent with ordinary process creation, where the parent populates the new process's parameters, rather than with injection into an unrelated process; on its own it should not be read as code injection.
Processes
C:\Users\Admin\AppData\Local\Temp\f4ed82e04cad02e53ffe4dc1caac2e3e24471f8e25c0a6611e138629d8282a89N.exe  (PID 2100, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\f4ed82e04cad02e53ffe4dc1caac2e3e24471f8e25c0a6611e138629d8282a89N.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe  (PID 2544, depth 2, child of 2100)
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

  C:\Intelproc1E\devdobsys.exe  (PID 1308, depth 2, child of 2100)
    command line: C:\Intelproc1E\devdobsys.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

The sample starts ecxbod.exe directly from the Startup folder rather than waiting for a logon, so the same file is both executed now and queued to auto-start later.
Network
MITRE ATT&CK Enterprise v15
Downloads (dropped files available from the report; names are not listed)

File 1
  Filesize: 2.6MB
  MD5: 38df838ec7348d7c5bef329612675002
  SHA1: 3563d8896a3d67e856f8175cb1e2f558efe123b0
  SHA256: 4675f8dfccce5ddd59a1a88cf5ac0790242e0c934e191d8f09aeffe9db5df3a8
  SHA512: 21fa247ba1ecadae805b9608b25d04fa95ce977aef53710e766e14e1946afb24ca60a2db58183de27a9d16ca2dfb00001e12616cc82292afe4143d1f09c07581

File 2
  Filesize: 2.1MB
  MD5: 59feb39f95b809ee69ebb18cc032a9de
  SHA1: d1e25d355e0dfbe4741a216b04f89914186a3be6
  SHA256: cf321671a0681bdfa8669e62b96c981934024baf3e960310ae8617f955ef2ef0
  SHA512: bc3d6ee2d8666460da3fbbc40cb215df782e13b1abe0614ba77680b01ed1f50ce3493c8e7a9028cc82e9b782d0a717ca53ce6a08bc38e1c3d2404f326b634c23

File 3
  Filesize: 2.6MB
  MD5: 2c0587749a273b7942fb53b32e8f00c2
  SHA1: 9ebbb7a842022c70a67f7f18a8e356c9bcc768dd
  SHA256: 7800b3dba1ffe9ae409d1e0a63f318ba4f8e294534b3a9cf7dc5cb60a7b101cb
  SHA512: cca9644c610afdff3809d34011edb3162ce276847a07d22624daeb6ae1cba9d91e9443f5485cc84cb57bbddc07874170033e89f6bec8112a6bf68c5c67566475

File 4
  Filesize: 173B
  MD5: cec03702672449a152529efcf5fe1f6e
  SHA1: 8c8dff3dd43a46b908976601a09dd364275b3391
  SHA256: 7b3e650339e8b96315ca1fa60d207009080765cdd6a1fc3bcdcb7bffb267ea4f
  SHA512: 0821aad878f221b2a21645609423286f83145338cc6a0c9354d157ed904b1a1e3552506e11e0d9c363a6884b0e805d869b1184794fd317ca1c1655044c11a8ab

File 5
  Filesize: 205B
  MD5: e54a91e36bb15aba4982f93b957539ff
  SHA1: 53434d4c206381b818903f495f254ae0df8ff527
  SHA256: ae3018e99941c8e3b88d9d4c2905c2ad9e76d0a94e6da5034716cf0e284023ca
  SHA512: 75c0daac721ac7972144e0a6099f72813f83e3ec769f9b2a6739d08f7a0cb4f4ea58371807d36adecb54dab604685b6e3ec7374b0d5dce4472320bb150354496

File 6
  Filesize: 2.6MB
  MD5: ffb9d6c2f0655550e2de2dd15f1d9d18
  SHA1: e177d68885de634ba38656b1971d92ea315a917d
  SHA256: 846c1e19f9b88370ff3ab8c215733b3d15ee9fc38014fa33424571f51c7575ef
  SHA512: d1dce4bc5ae2a48d3246d73d44f92b2f247015642233bc600d275c50f3ddb23a78e4a01f1c8b6df287587a4a71d4c715c45576e632a793f5e0ed414abaabbe3b