Analysis

Max time kernel: 119s
Max time network: 16s
Platform: windows7_x64
Resource: win7-20240729-en
Resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
Submitted: 13-11-2024 13:27

Static task: static1
Behavioral task: behavioral1
  Sample: c526f391bdbc0203430a11e0cd55cdc053ffca97f05f6390811e45975f3d7783N.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: c526f391bdbc0203430a11e0cd55cdc053ffca97f05f6390811e45975f3d7783N.exe
  Resource: win10v2004-20241007-en
General

Target: c526f391bdbc0203430a11e0cd55cdc053ffca97f05f6390811e45975f3d7783N.exe
Size: 2.6MB
MD5: 182f21b27e16563b886f80ef812443a0
SHA1: 6a9337e726f7b69933e635a8110a0cf514a77c8a
SHA256: c526f391bdbc0203430a11e0cd55cdc053ffca97f05f6390811e45975f3d7783
SHA512: bb15152bd76248bc351705e741a412668828333bb175747b953bfcbdf3a5c9057026497acf997e23fd549ecd31fe5958256a9cc12477bc025791f2947b636190
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBoB/bSq:sxX7QnxrloE5dpUprbV
Malware Config
Signatures

Drops startup file (1 IoC)
  Process: c526f391bdbc0203430a11e0cd55cdc053ffca97f05f6390811e45975f3d7783N.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe

Executes dropped EXE (2 IoCs)
  PID 2544: ecdevbod.exe
  PID 2176: xoptisys.exe

Loads dropped DLL (2 IoCs)
  PID 1916: c526f391bdbc0203430a11e0cd55cdc053ffca97f05f6390811e45975f3d7783N.exe (2 entries)

Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: c526f391bdbc0203430a11e0cd55cdc053ffca97f05f6390811e45975f3d7783N.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocEB\\xoptisys.exe"
  Set value (str): \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint68\\dobdevsys.exe"
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by c526f391bdbc0203430a11e0cd55cdc053ffca97f05f6390811e45975f3d7783N.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by ecdevbod.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by xoptisys.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 1916: c526f391bdbc0203430a11e0cd55cdc053ffca97f05f6390811e45975f3d7783N.exe (2 entries)
  PID 2544: ecdevbod.exe and PID 2176: xoptisys.exe (alternating, remaining 62 entries)

Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1916 (c526f391bdbc0203430a11e0cd55cdc053ffca97f05f6390811e45975f3d7783N.exe) wrote to memory of 2544, procid_target 30 (4 entries)
  PID 1916 (c526f391bdbc0203430a11e0cd55cdc053ffca97f05f6390811e45975f3d7783N.exe) wrote to memory of 2176, procid_target 31 (4 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\c526f391bdbc0203430a11e0cd55cdc053ffca97f05f6390811e45975f3d7783N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c526f391bdbc0203430a11e0cd55cdc053ffca97f05f6390811e45975f3d7783N.exe"
  PID: 1916
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
    PID: 2544
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

  C:\IntelprocEB\xoptisys.exe
    Command line: C:\IntelprocEB\xoptisys.exe
    PID: 2176
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads