Analysis
max time kernel: 119s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 13-11-2024 20:07
Static task: static1
Behavioral task: behavioral1
Sample: 17f7739c7c77a44ddcb9d6c590e5088e4cb7ac3e9995e61dbd22d8ee0f23da9d.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: 17f7739c7c77a44ddcb9d6c590e5088e4cb7ac3e9995e61dbd22d8ee0f23da9d.exe
Resource: win10v2004-20241007-en
General
Target: 17f7739c7c77a44ddcb9d6c590e5088e4cb7ac3e9995e61dbd22d8ee0f23da9d.exe
Size: 3.1MB
MD5: 77a1409ee27e5a0ce31964df8e2bd69b
SHA1: 356f89bec6c0d05cbcc6ddc6f505086cc3a5903f
SHA256: 17f7739c7c77a44ddcb9d6c590e5088e4cb7ac3e9995e61dbd22d8ee0f23da9d
SHA512: cd9058cc3f0301fa9038a2e303831bc17067242d04a35a2e5aa5ecc508911410461f2254548be443d0a7bbba6f8e9e6d5f29e642ec51dc9e6f4557e276a13ec1
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB5B/bSqz8b6LNXJqIM:sxX7QnxrloE5dpUpSbVz8eLFc/
Malware Config
Signatures
-
Drops startup file 1 IoCs
Processes: 17f7739c7c77a44ddcb9d6c590e5088e4cb7ac3e9995e61dbd22d8ee0f23da9d.exe
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | 17f7739c7c77a44ddcb9d6c590e5088e4cb7ac3e9995e61dbd22d8ee0f23da9d.exe
Executes dropped EXE 2 IoCs
Processes: ecdevopti.exe, xdobsys.exe
pid | Process
3036 | ecdevopti.exe
2932 | xdobsys.exe
Loads dropped DLL 2 IoCs
Processes: 17f7739c7c77a44ddcb9d6c590e5088e4cb7ac3e9995e61dbd22d8ee0f23da9d.exe
pid | Process
2976 | 17f7739c7c77a44ddcb9d6c590e5088e4cb7ac3e9995e61dbd22d8ee0f23da9d.exe
2976 | 17f7739c7c77a44ddcb9d6c590e5088e4cb7ac3e9995e61dbd22d8ee0f23da9d.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: 17f7739c7c77a44ddcb9d6c590e5088e4cb7ac3e9995e61dbd22d8ee0f23da9d.exe
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesST\\xdobsys.exe" | 17f7739c7c77a44ddcb9d6c590e5088e4cb7ac3e9995e61dbd22d8ee0f23da9d.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZU8\\optixloc.exe" | 17f7739c7c77a44ddcb9d6c590e5088e4cb7ac3e9995e61dbd22d8ee0f23da9d.exe
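The two persistence artefacts recorded in this report, the file dropped into the per-user Startup folder (under "Drops startup file") and the Run/RunOnce values pointing at C:\FilesST and C:\LabZU8 (under "Adds Run key"), are the parts most directly usable for detection. The Python below is an added example and not part of the sandbox report: it flags both patterns in Sysmon-style registry-set and file-create records. The sample records are constructed from the report's IoCs plus two benign controls; the field names assume Sysmon's RegistryEvent (ID 13) and FileCreate (ID 11) naming, and the TRUSTED_PREFIXES allow-list is an assumption of the example, not something the report states.

```python
r"""Flag the two persistence mechanisms recorded in this report, a file dropped
into the per-user Startup folder and Run/RunOnce values pointing at binaries
outside trusted program directories, in Sysmon-style event records.

Added example, not part of the sandbox report. SAMPLE_EVENTS is constructed to
mirror the report's IoCs plus two benign controls; the field names (EventID,
Image, TargetObject, Details, TargetFilename) follow Sysmon's RegistryEvent
(ID 13) and FileCreate (ID 11) naming as assumed here, not a vendor schema.
"""
import re

# Autostart registry locations, matched regardless of the hive prefix
# (\REGISTRY\USER\<SID>\... as in the report, or HKU\<SID>\... as Sysmon renders it).
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\",
    re.IGNORECASE,
)
STARTUP_DIR_RE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\",
    re.IGNORECASE,
)
# Directories an autostart entry is expected to point into (assumption of this
# example); anything else, such as C:\FilesST or C:\LabZU8, is treated as suspicious.
TRUSTED_PREFIXES = (r"c:\program files", r"c:\windows")


def _normalize_path(value):
    r"""Lower-case a REG_SZ Run value, dropping surrounding quotes and the doubled
    backslashes the report shows ("C:\\FilesST\\xdobsys.exe")."""
    return value.strip().strip('"').replace("\\\\", "\\").lower()


def _is_trusted(path):
    return any(path.startswith(p) for p in TRUSTED_PREFIXES)


def flag_persistence(events):
    """Return one finding per suspicious autostart write, in event order."""
    findings = []
    for ev in events:
        if ev["EventID"] == 13 and RUN_KEY_RE.search(ev["TargetObject"]):
            target = _normalize_path(ev["Details"])
            if not _is_trusted(target):
                findings.append({
                    "rule": "run_key_untrusted_path",
                    "process": ev["Image"],
                    "key": ev["TargetObject"],
                    "target": target,
                })
        elif ev["EventID"] == 11 and STARTUP_DIR_RE.search(ev["TargetFilename"]):
            findings.append({
                "rule": "startup_folder_drop",
                "process": ev["Image"],
                "target": ev["TargetFilename"].lower(),
            })
    return findings


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\17f7739c7c77a44ddcb9d6c590e5088e4cb7ac3e9995e61dbd22d8ee0f23da9d.exe"
SID = "S-1-5-21-3063565911-2056067323-3330884624-1000"

# Constructed records: the three IoCs from the report, then two benign controls.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": SAMPLE,
     "TargetObject": rf"\REGISTRY\USER\{SID}\Software\Microsoft\Windows\CurrentVersion\Run\Parametr",
     "Details": r'"C:\\FilesST\\xdobsys.exe"'},
    {"EventID": 13, "Image": SAMPLE,
     "TargetObject": rf"\REGISTRY\USER\{SID}\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr",
     "Details": r'"C:\\LabZU8\\optixloc.exe"'},
    {"EventID": 11, "Image": SAMPLE,
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"},
    # Benign control (constructed): an installer registering an updater from Program Files.
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": rf"HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Run\ExampleUpdater",
     "Details": r'"C:\Program Files\Example\updater.exe" /silent'},
    # Benign control (constructed): a temp file outside any autostart location.
    {"EventID": 11, "Image": SAMPLE,
     "TargetFilename": r"C:\Users\Admin\AppData\Local\Temp\stage.tmp"},
]


if __name__ == "__main__":
    for f in flag_persistence(SAMPLE_EVENTS):
        print(f["rule"], "|", f["process"], "->", f["target"])
```

The RunOnce value pointing at C:\LabZU8\optixloc.exe is the reason the rule keys on the registry write rather than on observed execution: the process tree in this report records only ecdevopti.exe and xdobsys.exe, so a check limited to processes that actually ran would miss the third autostart entry.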
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: 17f7739c7c77a44ddcb9d6c590e5088e4cb7ac3e9995e61dbd22d8ee0f23da9d.exe, ecdevopti.exe, xdobsys.exe
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 17f7739c7c77a44ddcb9d6c590e5088e4cb7ac3e9995e61dbd22d8ee0f23da9d.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ecdevopti.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xdobsys.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: 17f7739c7c77a44ddcb9d6c590e5088e4cb7ac3e9995e61dbd22d8ee0f23da9d.exe, ecdevopti.exe, xdobsys.exe
pid | Process
2976 | 17f7739c7c77a44ddcb9d6c590e5088e4cb7ac3e9995e61dbd22d8ee0f23da9d.exe (2 entries)
3036 | ecdevopti.exe (repeated, alternating with 2932 xdobsys.exe)
2932 | xdobsys.exe (repeated, alternating with 3036 ecdevopti.exe)
(64 IoCs in total; the alternating entries for 3036 and 2932 make up the remainder)
Suspicious use of WriteProcessMemory 8 IoCs
Processes: 17f7739c7c77a44ddcb9d6c590e5088e4cb7ac3e9995e61dbd22d8ee0f23da9d.exe
description | pid | Process | procid_target
PID 2976 wrote to memory of 3036 | 2976 | 17f7739c7c77a44ddcb9d6c590e5088e4cb7ac3e9995e61dbd22d8ee0f23da9d.exe | 30
PID 2976 wrote to memory of 3036 | 2976 | 17f7739c7c77a44ddcb9d6c590e5088e4cb7ac3e9995e61dbd22d8ee0f23da9d.exe | 30
PID 2976 wrote to memory of 3036 | 2976 | 17f7739c7c77a44ddcb9d6c590e5088e4cb7ac3e9995e61dbd22d8ee0f23da9d.exe | 30
PID 2976 wrote to memory of 3036 | 2976 | 17f7739c7c77a44ddcb9d6c590e5088e4cb7ac3e9995e61dbd22d8ee0f23da9d.exe | 30
PID 2976 wrote to memory of 2932 | 2976 | 17f7739c7c77a44ddcb9d6c590e5088e4cb7ac3e9995e61dbd22d8ee0f23da9d.exe | 31
PID 2976 wrote to memory of 2932 | 2976 | 17f7739c7c77a44ddcb9d6c590e5088e4cb7ac3e9995e61dbd22d8ee0f23da9d.exe | 31
PID 2976 wrote to memory of 2932 | 2976 | 17f7739c7c77a44ddcb9d6c590e5088e4cb7ac3e9995e61dbd22d8ee0f23da9d.exe | 31
PID 2976 wrote to memory of 2932 | 2976 | 17f7739c7c77a44ddcb9d6c590e5088e4cb7ac3e9995e61dbd22d8ee0f23da9d.exe | 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\17f7739c7c77a44ddcb9d6c590e5088e4cb7ac3e9995e61dbd22d8ee0f23da9d.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\17f7739c7c77a44ddcb9d6c590e5088e4cb7ac3e9995e61dbd22d8ee0f23da9d.exe"
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe (level 2)
Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3036
-
-
C:\FilesST\xdobsys.exe (level 2)
Command line: C:\FilesST\xdobsys.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2932
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
3.1MB
MD5 4ce85c6ed15b5cb55ea1e2bc3ef05382
SHA1 b5ab89cc8094c245fad881e14e76ff79effa4ce4
SHA256 6f19875cdefd9b9a85173704094c1603d1d51f6ce2a14744876799e558a334a0
SHA512 8fd21de12eddf29b5ee814b2dadb6e2fa0752be2505d22163a27e9a10eb95472370f45559eb30e44a047226deec1c1d49b26b3be8a9f41b27c769d84e2d6bf1f
-
Filesize
3.1MB
MD5 71f3018b58c711f991078e7960beb296
SHA1 5b1f336885b3c3807f2ebe42ae38082c83c56447
SHA256 da95366de0803d3aa164414e276b2915703e39d87f640c8b51e690f1c48b78ce
SHA512 12066556dcbd8470b27453330b3239a6d028ae02f1823be599cd37dc4898d8f8bf36998a22023b14699b48218bf352a79dda622c439b7d0834f82cfb5c8fb273
-
Filesize
3.1MB
MD5 41ab4e1276cac56848e5b08f41bb54e7
SHA1 7dad10488a92b71b57d92643ab54c36a7a675100
SHA256 04bf27f09306ad74f52d4271b2a05c169077b915e18e72791c3ef085e6aa81e8
SHA512 58923c44c7a54c2b79585aaaeeb842a096e01fb37cdb40b58809579d4cee89c0538c4632b49632ae4783f1e44d6b53ede11d265aa1793d9e4e64116f706737bd
-
Filesize
171B
MD5 b4e7397d11ef9b276fc9fbe4981b0d0f
SHA1 9206a7eaf9925e9d8a9a7a50ba52360832f22ed6
SHA256 7fe07a660f36206439fc23209cb9a764514ff4a95a0408b73944acab01f3a0f2
SHA512 7698c0a23a91391daefafacd1aaec681c0f03f624d36edac644ff93df2384301cd527ccb3ae17c6dc82685b855d8c295f18914609ae9b6a6ba4a010ce0266ec9
-
Filesize
203B
MD5 6919fb1c5518a212545be20dc3f8cb68
SHA1 6b56462b7bc271339afe0213d4786d026e983886
SHA256 8497793f8a4fcc012052dd3cf88b21ce0c44fe17435da34fbe08693f5e1b0a7b
SHA512 7b0f6166c93d34d4a4894909b4518c9312501eaa23c09f72df745885fb3307362486ed27ffd362d98d7d82ad0f2ede60e94b69d8b2bd1dc052e4250ba5de2b0e
-
Filesize
3.1MB
MD5 5b72dc17685d8f8b2792e2844a592b72
SHA1 52ccc79fc1ef8533fb3c0bb2bcb41e9c8074894a
SHA256 720cd7f39d3ba938c5363b95db52caca2ed35dff245ae46caf274bf213f8bc3a
SHA512 17790b4ec5b789b726d9fecde4a02966ccd39ceb2e15a094f4a823331f1ae10dfbfed6ca0d99f8c158033c356698159da6326662c7646b0c50350645529a34f3