Analysis
Max time kernel: 150s
Max time network: 19s
Platform: windows7_x64
Resource: win7-20241010-en
Resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
Submitted: 09/11/2024, 19:27
Static task: static1
Behavioral task: behavioral1
  Sample: 09c2dff79a51916317849bbc3f77f79580ba3c096fa59ab2fa23aa9b11cf9cfc.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: 09c2dff79a51916317849bbc3f77f79580ba3c096fa59ab2fa23aa9b11cf9cfc.exe
  Resource: win10v2004-20241007-en
General
Target: 09c2dff79a51916317849bbc3f77f79580ba3c096fa59ab2fa23aa9b11cf9cfc.exe
Size: 2.6MB
MD5: f275dc4fd58a355191f68c8f70d280e2
SHA1: 3e915e33e978db0d5b8597f60b1b845ecdadcf88
SHA256: 09c2dff79a51916317849bbc3f77f79580ba3c096fa59ab2fa23aa9b11cf9cfc
SHA512: 0fc2b4f95577f4970622cf397c9302e2f59f03a8fc98a86129516b41d67c535857a5ace0082c5aa844dcb2bf50f934d9d61f8f3b514e961fd51cb5c76c87a57d
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBDB/bSq:sxX7QnxrloE5dpUpIbV
Malware Config
Signatures

Drops startup file (1 IoC)
  description  | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | 09c2dff79a51916317849bbc3f77f79580ba3c096fa59ab2fa23aa9b11cf9cfc.exe

Executes dropped EXE (2 IoCs)
  pid  | Process
  2140 | ecxbod.exe
  3064 | devoptisys.exe

Loads dropped DLL (2 IoCs)
  pid  | Process
  2344 | 09c2dff79a51916317849bbc3f77f79580ba3c096fa59ab2fa23aa9b11cf9cfc.exe
  2344 | 09c2dff79a51916317849bbc3f77f79580ba3c096fa59ab2fa23aa9b11cf9cfc.exe

Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
  description     | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint33\\bodaec.exe" | 09c2dff79a51916317849bbc3f77f79580ba3c096fa59ab2fa23aa9b11cf9cfc.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvNM\\devoptisys.exe" | 09c2dff79a51916317849bbc3f77f79580ba3c096fa59ab2fa23aa9b11cf9cfc.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 09c2dff79a51916317849bbc3f77f79580ba3c096fa59ab2fa23aa9b11cf9cfc.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ecxbod.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | devoptisys.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid  | Process (distinct entries; the 64 hits are repeated occurrences of these three processes)
  2344 | 09c2dff79a51916317849bbc3f77f79580ba3c096fa59ab2fa23aa9b11cf9cfc.exe
  2140 | ecxbod.exe
  3064 | devoptisys.exe
Suspicious use of WriteProcessMemory (8 IoCs)
  description                     | pid  | Process | procid_target
  PID 2344 wrote to memory of 2140 | 2344 | 09c2dff79a51916317849bbc3f77f79580ba3c096fa59ab2fa23aa9b11cf9cfc.exe | 29
  PID 2344 wrote to memory of 2140 | 2344 | 09c2dff79a51916317849bbc3f77f79580ba3c096fa59ab2fa23aa9b11cf9cfc.exe | 29
  PID 2344 wrote to memory of 2140 | 2344 | 09c2dff79a51916317849bbc3f77f79580ba3c096fa59ab2fa23aa9b11cf9cfc.exe | 29
  PID 2344 wrote to memory of 2140 | 2344 | 09c2dff79a51916317849bbc3f77f79580ba3c096fa59ab2fa23aa9b11cf9cfc.exe | 29
  PID 2344 wrote to memory of 3064 | 2344 | 09c2dff79a51916317849bbc3f77f79580ba3c096fa59ab2fa23aa9b11cf9cfc.exe | 30
  PID 2344 wrote to memory of 3064 | 2344 | 09c2dff79a51916317849bbc3f77f79580ba3c096fa59ab2fa23aa9b11cf9cfc.exe | 30
  PID 2344 wrote to memory of 3064 | 2344 | 09c2dff79a51916317849bbc3f77f79580ba3c096fa59ab2fa23aa9b11cf9cfc.exe | 30
  PID 2344 wrote to memory of 3064 | 2344 | 09c2dff79a51916317849bbc3f77f79580ba3c096fa59ab2fa23aa9b11cf9cfc.exe | 30
Processes

C:\Users\Admin\AppData\Local\Temp\09c2dff79a51916317849bbc3f77f79580ba3c096fa59ab2fa23aa9b11cf9cfc.exe  (PID 2344)
  Command line: "C:\Users\Admin\AppData\Local\Temp\09c2dff79a51916317849bbc3f77f79580ba3c096fa59ab2fa23aa9b11cf9cfc.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe  (PID 2140)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

  C:\SysDrvNM\devoptisys.exe  (PID 3064)
    Command line: C:\SysDrvNM\devoptisys.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads