Analysis
max time kernel: 150s
max time network: 143s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2024, 23:27
Static task: static1
Behavioral task: behavioral1
Sample: 6e5d75df178873a8fb7f34da940d2ff7875f726674b7bac830f97e0ed40c02d1.exe
Resource: win7-20240729-en
Behavioral task: behavioral2
Sample: 6e5d75df178873a8fb7f34da940d2ff7875f726674b7bac830f97e0ed40c02d1.exe
Resource: win10v2004-20241007-en
General
Target: 6e5d75df178873a8fb7f34da940d2ff7875f726674b7bac830f97e0ed40c02d1.exe
Size: 2.6MB
MD5: e38140640c98a63a8f77a11318314497
SHA1: 04eaa25131abcde8ba90647f08998b2f0b550034
SHA256: 6e5d75df178873a8fb7f34da940d2ff7875f726674b7bac830f97e0ed40c02d1
SHA512: 43d60cf61ded1b731022303b85e641b80f4bb4da3400d65d5e9f53ff7d9956d7bd9dc57f16ec41ae13f881e757c4df5ce4d7b84c04c14a85331388b51f5b6e64
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB8B/bS:sxX7QnxrloE5dpUpnb
Malware Config
Signatures
Drops startup file (1 IoC)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe (process: 6e5d75df178873a8fb7f34da940d2ff7875f726674b7bac830f97e0ed40c02d1.exe)

Executes dropped EXE (2 IoCs)
- PID 5012: ecdevdob.exe
- PID 1572: xoptisys.exe

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesZ8\\xoptisys.exe" (process: 6e5d75df178873a8fb7f34da940d2ff7875f726674b7bac830f97e0ed40c02d1.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint21\\optixloc.exe" (process: 6e5d75df178873a8fb7f34da940d2ff7875f726674b7bac830f97e0ed40c02d1.exe)

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 6e5d75df178873a8fb7f34da940d2ff7875f726674b7bac830f97e0ed40c02d1.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: ecdevdob.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: xoptisys.exe)

Suspicious behavior: EnumeratesProcesses (64 IoCs; the same three processes reported repeatedly)
- PID 1848: 6e5d75df178873a8fb7f34da940d2ff7875f726674b7bac830f97e0ed40c02d1.exe
- PID 5012: ecdevdob.exe
- PID 1572: xoptisys.exe

Suspicious use of WriteProcessMemory (6 IoCs)
- PID 1848 wrote to memory of 5012 (process: 6e5d75df178873a8fb7f34da940d2ff7875f726674b7bac830f97e0ed40c02d1.exe, target procid 86), reported 3 times
- PID 1848 wrote to memory of 1572 (process: 6e5d75df178873a8fb7f34da940d2ff7875f726674b7bac830f97e0ed40c02d1.exe, target procid 89), reported 3 times
Processes
- C:\Users\Admin\AppData\Local\Temp\6e5d75df178873a8fb7f34da940d2ff7875f726674b7bac830f97e0ed40c02d1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6e5d75df178873a8fb7f34da940d2ff7875f726674b7bac830f97e0ed40c02d1.exe"
  PID: 1848
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
    PID: 5012
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - Child: C:\FilesZ8\xoptisys.exe
    Command line: C:\FilesZ8\xoptisys.exe
    PID: 1572
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads