Analysis

  • max time kernel
    120s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    12/11/2024, 17:20

General

  • Target

    9973fe4839005b51190a683ee34cfdc1ab13e097da8733894283aa96d39ca4ff.exe

  • Size

    2.6MB

  • MD5

    8b73c5c47d43028025eedaec97f5c6ce

  • SHA1

    94fd2ece89f0d2c0f2ec16ed950de5281b43f30a

  • SHA256

    9973fe4839005b51190a683ee34cfdc1ab13e097da8733894283aa96d39ca4ff

  • SHA512

    859a98bf38d777d28fb27b5b6da08df54b443efbb9cc9d537fff42630980230635c9a916c8847a9f9df43fb512f5c9e87c59e233108bbab8896ccae7ea925cff

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBDB/bSq2:sxX7QnxrloE5dpUp0bV2

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9973fe4839005b51190a683ee34cfdc1ab13e097da8733894283aa96d39ca4ff.exe
    "C:\Users\Admin\AppData\Local\Temp\9973fe4839005b51190a683ee34cfdc1ab13e097da8733894283aa96d39ca4ff.exe"
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:592
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2544
    • C:\IntelprocEB\xoptisys.exe
      C:\IntelprocEB\xoptisys.exe
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:596

Network

        MITRE ATT&CK Enterprise v15


Downloads

  • C:\IntelprocEB\xoptisys.exe
    Filesize: 2.6MB
    MD5: 39053d08c0de46ad50422e20f7bf0984
    SHA1: c1f151635774d23df727dd49d0c717a4f93df878
    SHA256: 82eebf075775d329780d34a344e6d2c0a62d15a77a608e8348796e7302002c44
    SHA512: 362a38396bcb49fd5884a7bdf2ea6fdb082ea8919b4200b6995d10b8e136e6f13d554b7de7713b82533fb498b1475a7345cfee8fea0ce907d578e8d78791e04a

  • C:\Mint68\dobdevsys.exe
    Filesize: 2.6MB
    MD5: 21724904412ced6ed1909afc0c065493
    SHA1: 3633843e9aa433a89aa824bd841109863ca6b540
    SHA256: 6d2467ede8dfe9fb788a93081f49dbe5b3e29d27e1c952940360672c9fc35468
    SHA512: e55433779d916a7f1848baba58e60af3b8ba0eab438fd7dd00ba76a8fcd0d728822703e662d3e55373cd753d4efc8f0867af55f11a86fbf5664318a25b82df66

  • C:\Mint68\dobdevsys.exe
    Filesize: 2.6MB
    MD5: 963c50449329f83f2066c5bb0a1785cc
    SHA1: cf8d9ef243caf8cf2b18c5fb23cd0b72b5d826b1
    SHA256: 03e95f353f16e632dbf6f5e997a10ee8db10896b8134ec01c0552028b2e87202
    SHA512: c2c2f4110fbc5ebd7fa3c27e25e256f3bc22ec169bb1c591ccff9c4021fa1d1d31b7fa9c229124457a40fdd3f6880765233895e0883ab0202b169f2fccd0a671

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 176B
    MD5: 4e250eea6d637519d06bd3ea2e364c82
    SHA1: d77a819b2ceed516bda6b5d9e37bc9a1d986ba61
    SHA256: c12da5c4990437f98a18cc056471a65736936f8f5c584fe43679bb075417cdfd
    SHA512: ed01a5ac23af60618ad9a7562c2104c72fafaf7300a78bd1d87f408506907ff13de22bc1524bb5d4d513e60baf8bdc8d57a7f47fb06f1d97111e8fadcacfc411

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 208B
    MD5: df1cf93acef6bbb50eb9363516f2b378
    SHA1: 7cd95835b17875e0c0e39f3aaad16f759542bc9d
    SHA256: 3294e26fb7c2f441575b8a567be163e0e7a4bde79cb345d93f500129c7f523f1
    SHA512: d6b256a96b9e6696fed550f41cc7579ff67901bc82c4739be6b4b5d053d20b0fd94fa983843deb9bd7912d4ebea154aab8dd325a1540787ee4262fe9b787fa77

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
    Filesize: 2.6MB
    MD5: f7bbbe63d08cd2c4f03f1410c03babe0
    SHA1: 78d6b554738ac14676d7983685604804f2e3c85d
    SHA256: 4ef111329dbd956b9ee54e8ead92a5d6d599acb3c78e3626f2d0a08f4f580e00
    SHA512: 99bedb97a9316a71881c3aaddc87955e07d4c11ec869655622cb4babaa5d42785bdd9ecdd16dbc906c9a7793fae3dcad45f22c9a197c308c948c58370210f8eb