Analysis
max time kernel: 119s
max time network: 16s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 09/11/2024, 22:22
Static task: static1
Behavioral task: behavioral1
  Sample: 6664c2b4793fd6a6fe46e9a4358b551b98cbaa988e42ff80ff4dccf6c71652ffN.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 6664c2b4793fd6a6fe46e9a4358b551b98cbaa988e42ff80ff4dccf6c71652ffN.exe
  Resource: win10v2004-20241007-en
General
Target: 6664c2b4793fd6a6fe46e9a4358b551b98cbaa988e42ff80ff4dccf6c71652ffN.exe
Size: 2.6MB
MD5: 256d5026cc9fcdb7faec3059941eb7d0
SHA1: 79970f805838ba37ed283fd3c7245f5020dd76ba
SHA256: 6664c2b4793fd6a6fe46e9a4358b551b98cbaa988e42ff80ff4dccf6c71652ff
SHA512: 3ed790fc1f6dcbcb2daa2da6800f56fa77284a8a31429d7487b8c3a0ba8c4e8844b549b9dfe67d760619c9b65920c8b55f00679a4762429e4a5d2d0ff10f7e81
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBLB/bS:sxX7QnxrloE5dpUpUb
Malware Config
Signatures

Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
  Process: 6664c2b4793fd6a6fe46e9a4358b551b98cbaa988e42ff80ff4dccf6c71652ffN.exe

Executes dropped EXE (2 IoCs)
  PID 2884  sysdevdob.exe
  PID 2728  xoptiec.exe

Loads dropped DLL (2 IoCs)
  PID 2068  6664c2b4793fd6a6fe46e9a4358b551b98cbaa988e42ff80ff4dccf6c71652ffN.exe
  PID 2068  6664c2b4793fd6a6fe46e9a4358b551b98cbaa988e42ff80ff4dccf6c71652ffN.exe
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeVR\\xoptiec.exe"
    Process: 6664c2b4793fd6a6fe46e9a4358b551b98cbaa988e42ff80ff4dccf6c71652ffN.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB6F\\bodxec.exe"
    Process: 6664c2b4793fd6a6fe46e9a4358b551b98cbaa988e42ff80ff4dccf6c71652ffN.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: 6664c2b4793fd6a6fe46e9a4358b551b98cbaa988e42ff80ff4dccf6c71652ffN.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: sysdevdob.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: xoptiec.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2068  6664c2b4793fd6a6fe46e9a4358b551b98cbaa988e42ff80ff4dccf6c71652ffN.exe  (listed twice)
  PID 2884  sysdevdob.exe  and  PID 2728  xoptiec.exe  (alternating, repeated for the remaining entries)

Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2068 (6664c2b4793fd6a6fe46e9a4358b551b98cbaa988e42ff80ff4dccf6c71652ffN.exe) wrote to memory of PID 2884, procid_target 30  (4 entries)
  PID 2068 (6664c2b4793fd6a6fe46e9a4358b551b98cbaa988e42ff80ff4dccf6c71652ffN.exe) wrote to memory of PID 2728, procid_target 31  (4 entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\6664c2b4793fd6a6fe46e9a4358b551b98cbaa988e42ff80ff4dccf6c71652ffN.exe  (PID 2068)
   Command line: "C:\Users\Admin\AppData\Local\Temp\6664c2b4793fd6a6fe46e9a4358b551b98cbaa988e42ff80ff4dccf6c71652ffN.exe"
   - Drops startup file
   - Loads dropped DLL
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe  (PID 2884)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

   2. C:\AdobeVR\xoptiec.exe  (PID 2728)
      Command line: C:\AdobeVR\xoptiec.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK Enterprise v15