Analysis
  max time kernel:  150s
  max time network: 121s
  platform:         windows7_x64
  resource:         win7-20240903-en
  resource tags:    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  submitted:        11/11/2024, 23:04
Static task
  static1

Behavioral task behavioral1
  Sample:   63e5586b88d5a84283ce9bed21adbe4707c73b64370a3ee87e34653cd3835c1f.exe
  Resource: win7-20240903-en

Behavioral task behavioral2
  Sample:   63e5586b88d5a84283ce9bed21adbe4707c73b64370a3ee87e34653cd3835c1f.exe
  Resource: win10v2004-20241007-en
General
  Target: 63e5586b88d5a84283ce9bed21adbe4707c73b64370a3ee87e34653cd3835c1f.exe
  Size:   2.6MB
  MD5:    3e8d70a4fb9d4311e9399dc20cbffe51
  SHA1:   14c00f90eb01c6b534e4f8add39293875d11c8f1
  SHA256: 63e5586b88d5a84283ce9bed21adbe4707c73b64370a3ee87e34653cd3835c1f
  SHA512: 29c9fbb7e6b213eefa51cdc6e3d03592045aff956cbfba22df84fb52fcb60156acd8c5e7e0e94d95defbb5cfa92e972ff0d94bed0b3eece78b33ebc2186de9b4
  SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBuB/bS:sxX7QnxrloE5dpUphb
Malware Config
Signatures

Drops startup file (1 IoC)
  description   ioc                                                                                        Process
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe  63e5586b88d5a84283ce9bed21adbe4707c73b64370a3ee87e34653cd3835c1f.exe

Executes dropped EXE (2 IoCs)
  pid   Process
  2368  ecdevdob.exe
  296   devoptiloc.exe

Loads dropped DLL (2 IoCs)
  pid   Process
  2856  63e5586b88d5a84283ce9bed21adbe4707c73b64370a3ee87e34653cd3835c1f.exe
  2856  63e5586b88d5a84283ce9bed21adbe4707c73b64370a3ee87e34653cd3835c1f.exe

Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                                                                        Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeSG\\devoptiloc.exe"     63e5586b88d5a84283ce9bed21adbe4707c73b64370a3ee87e34653cd3835c1f.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintBR\\dobdevsys.exe"  63e5586b88d5a84283ce9bed21adbe4707c73b64370a3ee87e34653cd3835c1f.exe

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                           Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  63e5586b88d5a84283ce9bed21adbe4707c73b64370a3ee87e34653cd3835c1f.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ecdevdob.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  devoptiloc.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  2856  63e5586b88d5a84283ce9bed21adbe4707c73b64370a3ee87e34653cd3835c1f.exe (listed twice)
  2368  ecdevdob.exe
  296   devoptiloc.exe
  The remaining entries alternate between pid 2368 ecdevdob.exe and pid 296 devoptiloc.exe, for 64 IoCs in total.

Suspicious use of WriteProcessMemory (8 IoCs)
  description                       pid   Process                                                                procid_target
  PID 2856 wrote to memory of 2368  2856  63e5586b88d5a84283ce9bed21adbe4707c73b64370a3ee87e34653cd3835c1f.exe  28  (4 entries)
  PID 2856 wrote to memory of 296   2856  63e5586b88d5a84283ce9bed21adbe4707c73b64370a3ee87e34653cd3835c1f.exe  29  (4 entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\63e5586b88d5a84283ce9bed21adbe4707c73b64370a3ee87e34653cd3835c1f.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\63e5586b88d5a84283ce9bed21adbe4707c73b64370a3ee87e34653cd3835c1f.exe"
   - Drops startup file
   - Loads dropped DLL
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   PID: 2856

   2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      PID: 2368

   2. C:\AdobeSG\devoptiloc.exe
      Command line: C:\AdobeSG\devoptiloc.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      PID: 296
Network
MITRE ATT&CK Enterprise v15
Downloads