Analysis
- max time kernel: 149s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/11/2024, 20:55
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 2e68762a037b701318975efa494a1ef36ca2516c92c3603024d3613b13a9d2a7.exe
  - Resource: win7-20240903-en
- Behavioral task: behavioral2
  - Sample: 2e68762a037b701318975efa494a1ef36ca2516c92c3603024d3613b13a9d2a7.exe
  - Resource: win10v2004-20241007-en
General
- Target: 2e68762a037b701318975efa494a1ef36ca2516c92c3603024d3613b13a9d2a7.exe
- Size: 2.6MB
- MD5: 757fd4a96075124bd1bfe506f6fff955
- SHA1: c035eeb5e726d7515b76a17431c63e83868bc627
- SHA256: 2e68762a037b701318975efa494a1ef36ca2516c92c3603024d3613b13a9d2a7
- SHA512: fdd75ea3a80a8eceb66da72918976c57d29b8b9c015fa212fc5041b23e54e96a8dc239dcf04a6af82332ceac6e8854eaed02581b79ea5fc7bab580f0388ab6bd
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBWB/bS:sxX7QnxrloE5dpUpRb
Malware Config
Signatures
- Drops startup file (1 IoC)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe (process: 2e68762a037b701318975efa494a1ef36ca2516c92c3603024d3613b13a9d2a7.exe)
- Executes dropped EXE (2 IoCs)
  - PID 1312: ecdevbod.exe
  - PID 2036: xdobsys.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar sensitive material.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  - Set value (str): \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintVO\\optidevsys.exe" (process: 2e68762a037b701318975efa494a1ef36ca2516c92c3603024d3613b13a9d2a7.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocGS\\xdobsys.exe" (process: 2e68762a037b701318975efa494a1ef36ca2516c92c3603024d3613b13a9d2a7.exe)
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim host in order to infer its geographical location.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: xdobsys.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 2e68762a037b701318975efa494a1ef36ca2516c92c3603024d3613b13a9d2a7.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: ecdevbod.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  The 64 entries name only three processes, repeated: PID 1208 (2e68762a037b701318975efa494a1ef36ca2516c92c3603024d3613b13a9d2a7.exe) for the first four entries, then PID 1312 (ecdevbod.exe) and PID 2036 (xdobsys.exe) alternating in pairs for the remainder.
- Suspicious use of WriteProcessMemory (6 IoCs)
  - PID 1208 (2e68762a037b701318975efa494a1ef36ca2516c92c3603024d3613b13a9d2a7.exe) wrote to memory of PID 1312, procid_target 87
  - PID 1208 (2e68762a037b701318975efa494a1ef36ca2516c92c3603024d3613b13a9d2a7.exe) wrote to memory of PID 1312, procid_target 87
  - PID 1208 (2e68762a037b701318975efa494a1ef36ca2516c92c3603024d3613b13a9d2a7.exe) wrote to memory of PID 1312, procid_target 87
  - PID 1208 (2e68762a037b701318975efa494a1ef36ca2516c92c3603024d3613b13a9d2a7.exe) wrote to memory of PID 2036, procid_target 88
  - PID 1208 (2e68762a037b701318975efa494a1ef36ca2516c92c3603024d3613b13a9d2a7.exe) wrote to memory of PID 2036, procid_target 88
  - PID 1208 (2e68762a037b701318975efa494a1ef36ca2516c92c3603024d3613b13a9d2a7.exe) wrote to memory of PID 2036, procid_target 88
Processes
- C:\Users\Admin\AppData\Local\Temp\2e68762a037b701318975efa494a1ef36ca2516c92c3603024d3613b13a9d2a7.exe (PID 1208)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2e68762a037b701318975efa494a1ef36ca2516c92c3603024d3613b13a9d2a7.exe"
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe (PID 1312)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - Child: C:\IntelprocGS\xdobsys.exe (PID 2036)
    Command line: C:\IntelprocGS\xdobsys.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Dropped file 1
  - Filesize: 2.6MB
  - MD5: 001678ed2caaac502a1f43861a7bb520
  - SHA1: c4be4dbcc56ddeb94f2a9d0cf8a708fbf65b2250
  - SHA256: 0daafb97a99c5963cd974669d23ad9ffc66baf93352389b7ee855dc7f7d2e803
  - SHA512: 932e61d89afe43b28a6d7cfeb844d21934bc83351c712ed8331c4742803ac3da9aa355ab271bbc65435ca72a3a8328b18a14c45ba4893a14da26e24d503c7bf8
- Dropped file 2
  - Filesize: 2.6MB
  - MD5: 005d7f2bdadad253ebb2a009399b3c7c
  - SHA1: bfd1ee4b9fcb7b8c3cd75e90c01e51e4760da6b8
  - SHA256: eb038adbffbbccf217928a650d6d1157b3a596b673e0945802d9e691331ebbf0
  - SHA512: b6b762d5b61e1c5de05cd69d78266c4da54201e1ee3adfe26999c0b888e22d7a4aca856625d153711dbce0b286402e5a082e6db0ad532371932951a28665737f
- Dropped file 3
  - Filesize: 208B
  - MD5: cedb5fb349ceff525093d516e99e0e80
  - SHA1: d938e3768051e563fe5dc21854af479062790b0a
  - SHA256: 8b2e49c7bfb8988a95a03c4f89b861867ef38ad64a5228c3b279aeb1641df1d8
  - SHA512: 43c9832f93f33e93574e5916b1553327b44647adbb271f409e680095677533e3325b270dab5aa44fd5b999c5acf4c2cb36e1f85b58c8550837e06ec781bdd7de
- Dropped file 4
  - Filesize: 176B
  - MD5: 10209582701a00f1eb4d6571a2d9c8a0
  - SHA1: 37b71138880a48e7b4fb1878806cda7a84e206ed
  - SHA256: cc6c92045f3e5232fb6a423fa9f6081b1d890e5e685347d2f550af573cd2209c
  - SHA512: 1ea37b95a99ab790f6dd2a4bce73ea9808f4b4bbfc8fc643591f221f4484c3286b0b22b857a513f66dac0fd39065a51369a25523bd7d8582b3d3e09a57fad6a4
- Dropped file 5
  - Filesize: 2.6MB
  - MD5: 06c5f346610ca58f13c614d7c3dc7763
  - SHA1: 7a4174e2ee7677fbf52bde20cd992812e2217d6e
  - SHA256: 10af2c834476d33b9928aec51f876d2366d46d3e27a99a842bdd0b3ad9e18e63
  - SHA512: 32a7e4021b183e29ead8b4ae12a0cee7eff36a3689010b27d4cf6200c9bc306affe093d060dad3b20bbb37543a99a24612469eae0f61a7489feff6da644c5d1f