Analysis
max time kernel: 119s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/11/2024, 18:19
Static task: static1
Behavioral task: behavioral1
  Sample: bd6cf6eb526ab4f81787d92926d428bd8e795b183ed5df8642cd7dbc836402a4N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: bd6cf6eb526ab4f81787d92926d428bd8e795b183ed5df8642cd7dbc836402a4N.exe
  Resource: win10v2004-20241007-en
(The platform and resource above identify the results on this page as the behavioral2 run.)
General
Target: bd6cf6eb526ab4f81787d92926d428bd8e795b183ed5df8642cd7dbc836402a4N.exe
Size: 2.6MB
MD5: 20774abcb3137c180673bf29c1e0e420
SHA1: e0ea9b3a5c455bea85fa7ce17cd37fd3413e0028
SHA256: bd6cf6eb526ab4f81787d92926d428bd8e795b183ed5df8642cd7dbc836402a4
SHA512: 962ced127ef0b1447572b45dae015d80e4ad05932b3f15acc57d396b9164c7d27a80bbb09cd41ca68b1b2e87540e010f52aa2d2e96c5344850a365ea4c88925b
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBlB/bSq:sxX7QnxrloE5dpUpKbV
Malware Config
Signatures
- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
  Process: bd6cf6eb526ab4f81787d92926d428bd8e795b183ed5df8642cd7dbc836402a4N.exe
- Executes dropped EXE (2 IoCs)
  PID 2192: ecxopti.exe
  PID 624: devdobsys.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials. The report lists no individual IoCs under this signature, so the specific files or keys read are not recorded on this page.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe7G\\devdobsys.exe"
    by bd6cf6eb526ab4f81787d92926d428bd8e795b183ed5df8642cd7dbc836402a4N.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZVH\\dobxec.exe"
    by bd6cf6eb526ab4f81787d92926d428bd8e795b183ed5df8642cd7dbc836402a4N.exe
  Note: the Run target, devdobsys.exe, is executed later in this run (PID 624). The RunOnce target, C:\LabZVH\dobxec.exe, appears in no file-creation or process entry in this report, so whether it exists on disk is not established by this run.
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    by devdobsys.exe, bd6cf6eb526ab4f81787d92926d428bd8e795b183ed5df8642cd7dbc836402a4N.exe and ecxopti.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  The report repeats the same three processes; the entries are collapsed here with per-process counts.
  PID 2864: bd6cf6eb526ab4f81787d92926d428bd8e795b183ed5df8642cd7dbc836402a4N.exe (4 entries)
  PID 2192: ecxopti.exe (30 entries)
  PID 624: devdobsys.exe (30 entries)
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 2864 (bd6cf6eb526ab4f81787d92926d428bd8e795b183ed5df8642cd7dbc836402a4N.exe) wrote to memory of PID 2192, procid_target 88 (3 entries)
  PID 2864 (bd6cf6eb526ab4f81787d92926d428bd8e795b183ed5df8642cd7dbc836402a4N.exe) wrote to memory of PID 624, procid_target 91 (3 entries)
Processes
Level 1, PID 2864
  Image: C:\Users\Admin\AppData\Local\Temp\bd6cf6eb526ab4f81787d92926d428bd8e795b183ed5df8642cd7dbc836402a4N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bd6cf6eb526ab4f81787d92926d428bd8e795b183ed5df8642cd7dbc836402a4N.exe"
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Level 2, PID 2192 (child of 2864)
    Image: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  Level 2, PID 624 (child of 2864)
    Image: C:\Adobe7G\devdobsys.exe
    Command line: C:\Adobe7G\devdobsys.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
The report does not name these files on this page; they are listed here in the order given, by size and hash.
Entry 1
  Filesize: 2.6MB
  MD5: 3713bffa5fd98c4044cf947d6ea41029
  SHA1: 1bcf0dfdaf95d3d5fdedf9d83c81e1984519c387
  SHA256: 7a6f52d189add57264b2b6ed797c1c411445add1dcbcdeb6cb672330ecaa3d3f
  SHA512: eeb689fb321438b1482093b3d8235d09ffde4ad10190a8fa6f8fb51a9854390329dfcf87e766795d199b3e656fdb7b4999a6336ee03f3166deeff630729e41cb
Entry 2
  Filesize: 1.1MB
  MD5: 604afa17fbdb1791b36b5f50f23482f5
  SHA1: 79b50e4033617b081255477607dbd71ac59d0ac2
  SHA256: 60a0ead0a8d2602ce473c97125df06f5de6e1af700a1308e6180df9a5c93fd4a
  SHA512: 9bff8c91100116b2870f9bc2497cd9407ddffdd7e52dcf437f8647ad6912bf758d1bab7f7a1b3c89d4407529171351ff88fa338757f8cffde8fc6aeeb7edcd2c
Entry 3
  Filesize: 1.9MB
  MD5: f6f72808aacc8d085b0a0849252fc00c
  SHA1: 5a879941c47e0b12187deda0ea66c150a5290259
  SHA256: 98247ede96b73a498f5484dd43bd638c6ac7cd7ebe23056b23ec0c23090ca6fe
  SHA512: 9ac127f20fb7e83e1f28f37355192cc9925c5ab2742ac7c406ce86f88162203d02b00355a8475e889df696f8ee0ccd8a411d2aa75d94fad4eed2484bde07da2c
Entry 4
  Filesize: 201B
  MD5: 277baa1dd248cce4f5eadc90221b0546
  SHA1: 3e2511de4fc1785cc4bee5daeeda927305d3e6a5
  SHA256: 2c3721f8917018cf51eabbfc6a33ce90beae7a986e432cdccaa1b7ce736be456
  SHA512: 3f406d0baa68379fc2b2e195a0df2008cde9de13a2f3f3440600caf2e690a282344a7362d9f37dd1e5914492cb8ec38aab1423c7dd13e13f9c6f512a3d3a84f3
Entry 5
  Filesize: 169B
  MD5: 8f32c01a56039f80ce803f6ac3b6c804
  SHA1: 357625cdafe915a8a0ad884eb494ebc64b2cc1a5
  SHA256: 814b01fdf5127b45d0e2d52cd916c1d02f0615869237a097df9e104e9ba7aeba
  SHA512: 4d1a4d19a586999169978978b61a943f52e80f3c259ecfc7590cdd512556390f9cfc769b38faf1b7a642987a7b5a2b5950b0da7502bcd7cf975333ae4faf94c0
Entry 6
  Filesize: 2.6MB
  MD5: 0e4559b8c8e55deb37f05a71719f7b40
  SHA1: 21850bc6ba7eb27a84305103a4a652ec76aac449
  SHA256: e3691b6934697982c292767dc0f0c024b3453e3e50c35d70a07eec5256063d97
  SHA512: 20edd8e76549946c43dafe62bc9d4f49fe19b8c8084a1a6ea27adae5580d0ccc20ca10d845cc728ef4cb8b48a0abe7616e350c06c089149a29bd3a2cb25ad34b