Analysis

  • max time kernel
    119s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-11-2024 13:27

General

  • Target: c526f391bdbc0203430a11e0cd55cdc053ffca97f05f6390811e45975f3d7783N.exe
  • Size: 2.6MB
  • MD5: 182f21b27e16563b886f80ef812443a0
  • SHA1: 6a9337e726f7b69933e635a8110a0cf514a77c8a
  • SHA256: c526f391bdbc0203430a11e0cd55cdc053ffca97f05f6390811e45975f3d7783
  • SHA512: bb15152bd76248bc351705e741a412668828333bb175747b953bfcbdf3a5c9057026497acf997e23fd549ecd31fe5958256a9cc12477bc025791f2947b636190
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBoB/bSq:sxX7QnxrloE5dpUprbV

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials among other sensitive data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c526f391bdbc0203430a11e0cd55cdc053ffca97f05f6390811e45975f3d7783N.exe
    "C:\Users\Admin\AppData\Local\Temp\c526f391bdbc0203430a11e0cd55cdc053ffca97f05f6390811e45975f3d7783N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1916
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2544
    • C:\IntelprocEB\xoptisys.exe
      C:\IntelprocEB\xoptisys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2176

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\IntelprocEB\xoptisys.exe
    Filesize: 2.6MB
    MD5: 79d383e3d531e74d350e470ee0e3ed83
    SHA1: dba6dc9fce16b7b339b7e7b8ec4aedda84c92636
    SHA256: 4cfcf39782a4209f3ec1ea0144ed2fc189ce42fdd173e2830f7a109997774aa0
    SHA512: 78f1c9854ebf99154dc2215f3a16dad29ee53e6ff6d4f0e6c2ce7b715662e509931aed3a6bd36b4a5539472004478bacb27745b15035a72b42bdde718ecd9560

  • C:\Mint68\dobdevsys.exe
    Filesize: 2.6MB
    MD5: c369d3e671b551eea36b38784e7f3537
    SHA1: 96e02004e8abbbe93477d2f0e85138511c39da95
    SHA256: 7efe999b04ea71ebe5939505bd7a516e907fb86642279133b248c542e14d951e
    SHA512: d2125acad9293a313af8d5c5aa7278eeb068819a978bafdb00b83e455ef596d8277f312c7eded80142062670e1f3ccb16ec827154c4d54404b437d9b7ed5ee2a

  • C:\Mint68\dobdevsys.exe
    Filesize: 2.6MB
    MD5: 51626a14336f53650899b49b1f1a0fbe
    SHA1: fcd89c2275e65ed505a6221f9f113c3825b00a80
    SHA256: 3d7c19b0a5abd14cf56f2752b52bab5ca74426278c7ee4bbb25af35482fd80aa
    SHA512: 50ce7bc374185cbaaff7632b6820905651c54b2d705ad595ceda59647e7bc6313ec59ce8834f48b27c4610ded74c97daeeaa7fe566f0073d4b3977e5ee326e22

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 176B
    MD5: 4e250eea6d637519d06bd3ea2e364c82
    SHA1: d77a819b2ceed516bda6b5d9e37bc9a1d986ba61
    SHA256: c12da5c4990437f98a18cc056471a65736936f8f5c584fe43679bb075417cdfd
    SHA512: ed01a5ac23af60618ad9a7562c2104c72fafaf7300a78bd1d87f408506907ff13de22bc1524bb5d4d513e60baf8bdc8d57a7f47fb06f1d97111e8fadcacfc411

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 208B
    MD5: df1cf93acef6bbb50eb9363516f2b378
    SHA1: 7cd95835b17875e0c0e39f3aaad16f759542bc9d
    SHA256: 3294e26fb7c2f441575b8a567be163e0e7a4bde79cb345d93f500129c7f523f1
    SHA512: d6b256a96b9e6696fed550f41cc7579ff67901bc82c4739be6b4b5d053d20b0fd94fa983843deb9bd7912d4ebea154aab8dd325a1540787ee4262fe9b787fa77

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
    Filesize: 2.6MB
    MD5: 53a8ec62937901395ddd3c777656fff0
    SHA1: fbe0057feddb6b63d1ee26d5fc7358b2f48af8f7
    SHA256: cde16c363af1a76d5ff3cc1053bbcc1602cbe8691506f16253155c664bf673d0
    SHA512: e04c7e68a816604bc7772af48780e4f305c5780e5663f76f2795e9a80a0d22ad34aaa4cbaa25fad8d964415a80cb7733b81f9d5f3d294977fc88189aa6dbf2db