Analysis
max time kernel: 120s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 12/11/2024, 17:20
Static task: static1
Behavioral task: behavioral1
  Sample: 9973fe4839005b51190a683ee34cfdc1ab13e097da8733894283aa96d39ca4ff.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 9973fe4839005b51190a683ee34cfdc1ab13e097da8733894283aa96d39ca4ff.exe
  Resource: win10v2004-20241007-en
General
Target: 9973fe4839005b51190a683ee34cfdc1ab13e097da8733894283aa96d39ca4ff.exe
Size: 2.6MB
MD5: 8b73c5c47d43028025eedaec97f5c6ce
SHA1: 94fd2ece89f0d2c0f2ec16ed950de5281b43f30a
SHA256: 9973fe4839005b51190a683ee34cfdc1ab13e097da8733894283aa96d39ca4ff
SHA512: 859a98bf38d777d28fb27b5b6da08df54b443efbb9cc9d537fff42630980230635c9a916c8847a9f9df43fb512f5c9e87c59e233108bbab8896ccae7ea925cff
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBDB/bSq2:sxX7QnxrloE5dpUp0bV2
Malware Config
Signatures
Drops startup file (1 IoC)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | 9973fe4839005b51190a683ee34cfdc1ab13e097da8733894283aa96d39ca4ff.exe

Executes dropped EXE (2 IoCs)
  pid | Process
  2544 | ecdevbod.exe
  596 | xoptisys.exe

Loads dropped DLL (2 IoCs)
  pid | Process
  592 | 9973fe4839005b51190a683ee34cfdc1ab13e097da8733894283aa96d39ca4ff.exe
  592 | 9973fe4839005b51190a683ee34cfdc1ab13e097da8733894283aa96d39ca4ff.exe

Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar secrets.

Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocEB\\xoptisys.exe" | 9973fe4839005b51190a683ee34cfdc1ab13e097da8733894283aa96d39ca4ff.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint68\\dobdevsys.exe" | 9973fe4839005b51190a683ee34cfdc1ab13e097da8733894283aa96d39ca4ff.exe

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim host in order to infer its geographical location.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ecdevbod.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xoptisys.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 9973fe4839005b51190a683ee34cfdc1ab13e097da8733894283aa96d39ca4ff.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  592 | 9973fe4839005b51190a683ee34cfdc1ab13e097da8733894283aa96d39ca4ff.exe (2 entries)
  2544 | ecdevbod.exe and 596 | xoptisys.exe, alternating, for the remaining entries of the 64

Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 592 wrote to memory of 2544 | 592 | 9973fe4839005b51190a683ee34cfdc1ab13e097da8733894283aa96d39ca4ff.exe | 30 (4 entries)
  PID 592 wrote to memory of 596 | 592 | 9973fe4839005b51190a683ee34cfdc1ab13e097da8733894283aa96d39ca4ff.exe | 31 (4 entries)
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\9973fe4839005b51190a683ee34cfdc1ab13e097da8733894283aa96d39ca4ff.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9973fe4839005b51190a683ee34cfdc1ab13e097da8733894283aa96d39ca4ff.exe"
  PID: 592
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  Depth 2: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
    PID: 2544
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

  Depth 2: C:\IntelprocEB\xoptisys.exe
    Command line: C:\IntelprocEB\xoptisys.exe
    PID: 596
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2.6MB
MD5: 39053d08c0de46ad50422e20f7bf0984
SHA1: c1f151635774d23df727dd49d0c717a4f93df878
SHA256: 82eebf075775d329780d34a344e6d2c0a62d15a77a608e8348796e7302002c44
SHA512: 362a38396bcb49fd5884a7bdf2ea6fdb082ea8919b4200b6995d10b8e136e6f13d554b7de7713b82533fb498b1475a7345cfee8fea0ce907d578e8d78791e04a

Filesize: 2.6MB
MD5: 21724904412ced6ed1909afc0c065493
SHA1: 3633843e9aa433a89aa824bd841109863ca6b540
SHA256: 6d2467ede8dfe9fb788a93081f49dbe5b3e29d27e1c952940360672c9fc35468
SHA512: e55433779d916a7f1848baba58e60af3b8ba0eab438fd7dd00ba76a8fcd0d728822703e662d3e55373cd753d4efc8f0867af55f11a86fbf5664318a25b82df66

Filesize: 2.6MB
MD5: 963c50449329f83f2066c5bb0a1785cc
SHA1: cf8d9ef243caf8cf2b18c5fb23cd0b72b5d826b1
SHA256: 03e95f353f16e632dbf6f5e997a10ee8db10896b8134ec01c0552028b2e87202
SHA512: c2c2f4110fbc5ebd7fa3c27e25e256f3bc22ec169bb1c591ccff9c4021fa1d1d31b7fa9c229124457a40fdd3f6880765233895e0883ab0202b169f2fccd0a671

Filesize: 176B
MD5: 4e250eea6d637519d06bd3ea2e364c82
SHA1: d77a819b2ceed516bda6b5d9e37bc9a1d986ba61
SHA256: c12da5c4990437f98a18cc056471a65736936f8f5c584fe43679bb075417cdfd
SHA512: ed01a5ac23af60618ad9a7562c2104c72fafaf7300a78bd1d87f408506907ff13de22bc1524bb5d4d513e60baf8bdc8d57a7f47fb06f1d97111e8fadcacfc411

Filesize: 208B
MD5: df1cf93acef6bbb50eb9363516f2b378
SHA1: 7cd95835b17875e0c0e39f3aaad16f759542bc9d
SHA256: 3294e26fb7c2f441575b8a567be163e0e7a4bde79cb345d93f500129c7f523f1
SHA512: d6b256a96b9e6696fed550f41cc7579ff67901bc82c4739be6b4b5d053d20b0fd94fa983843deb9bd7912d4ebea154aab8dd325a1540787ee4262fe9b787fa77

Filesize: 2.6MB
MD5: f7bbbe63d08cd2c4f03f1410c03babe0
SHA1: 78d6b554738ac14676d7983685604804f2e3c85d
SHA256: 4ef111329dbd956b9ee54e8ead92a5d6d599acb3c78e3626f2d0a08f4f580e00
SHA512: 99bedb97a9316a71881c3aaddc87955e07d4c11ec869655622cb4babaa5d42785bdd9ecdd16dbc906c9a7793fae3dcad45f22c9a197c308c948c58370210f8eb