Analysis

  • max time kernel
    119s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-11-2024 20:07

General

  • Target

    17f7739c7c77a44ddcb9d6c590e5088e4cb7ac3e9995e61dbd22d8ee0f23da9d.exe

  • Size

    3.1MB

  • MD5

    77a1409ee27e5a0ce31964df8e2bd69b

  • SHA1

    356f89bec6c0d05cbcc6ddc6f505086cc3a5903f

  • SHA256

    17f7739c7c77a44ddcb9d6c590e5088e4cb7ac3e9995e61dbd22d8ee0f23da9d

  • SHA512

    cd9058cc3f0301fa9038a2e303831bc17067242d04a35a2e5aa5ecc508911410461f2254548be443d0a7bbba6f8e9e6d5f29e642ec51dc9e6f4557e276a13ec1

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB5B/bSqz8b6LNXJqIM:sxX7QnxrloE5dpUpSbVz8eLFc/

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other profile contents.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\17f7739c7c77a44ddcb9d6c590e5088e4cb7ac3e9995e61dbd22d8ee0f23da9d.exe
    "C:\Users\Admin\AppData\Local\Temp\17f7739c7c77a44ddcb9d6c590e5088e4cb7ac3e9995e61dbd22d8ee0f23da9d.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2976
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3036
    • C:\FilesST\xdobsys.exe
      C:\FilesST\xdobsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2932

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\FilesST\xdobsys.exe

    Filesize

    3.1MB

    MD5

    4ce85c6ed15b5cb55ea1e2bc3ef05382

    SHA1

    b5ab89cc8094c245fad881e14e76ff79effa4ce4

    SHA256

    6f19875cdefd9b9a85173704094c1603d1d51f6ce2a14744876799e558a334a0

    SHA512

    8fd21de12eddf29b5ee814b2dadb6e2fa0752be2505d22163a27e9a10eb95472370f45559eb30e44a047226deec1c1d49b26b3be8a9f41b27c769d84e2d6bf1f

  • C:\LabZU8\optixloc.exe

    Filesize

    3.1MB

    MD5

    71f3018b58c711f991078e7960beb296

    SHA1

    5b1f336885b3c3807f2ebe42ae38082c83c56447

    SHA256

    da95366de0803d3aa164414e276b2915703e39d87f640c8b51e690f1c48b78ce

    SHA512

    12066556dcbd8470b27453330b3239a6d028ae02f1823be599cd37dc4898d8f8bf36998a22023b14699b48218bf352a79dda622c439b7d0834f82cfb5c8fb273

  • C:\LabZU8\optixloc.exe

    Filesize

    3.1MB

    MD5

    41ab4e1276cac56848e5b08f41bb54e7

    SHA1

    7dad10488a92b71b57d92643ab54c36a7a675100

    SHA256

    04bf27f09306ad74f52d4271b2a05c169077b915e18e72791c3ef085e6aa81e8

    SHA512

    58923c44c7a54c2b79585aaaeeb842a096e01fb37cdb40b58809579d4cee89c0538c4632b49632ae4783f1e44d6b53ede11d265aa1793d9e4e64116f706737bd

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    171B

    MD5

    b4e7397d11ef9b276fc9fbe4981b0d0f

    SHA1

    9206a7eaf9925e9d8a9a7a50ba52360832f22ed6

    SHA256

    7fe07a660f36206439fc23209cb9a764514ff4a95a0408b73944acab01f3a0f2

    SHA512

    7698c0a23a91391daefafacd1aaec681c0f03f624d36edac644ff93df2384301cd527ccb3ae17c6dc82685b855d8c295f18914609ae9b6a6ba4a010ce0266ec9

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    203B

    MD5

    6919fb1c5518a212545be20dc3f8cb68

    SHA1

    6b56462b7bc271339afe0213d4786d026e983886

    SHA256

    8497793f8a4fcc012052dd3cf88b21ce0c44fe17435da34fbe08693f5e1b0a7b

    SHA512

    7b0f6166c93d34d4a4894909b4518c9312501eaa23c09f72df745885fb3307362486ed27ffd362d98d7d82ad0f2ede60e94b69d8b2bd1dc052e4250ba5de2b0e

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe

    Filesize

    3.1MB

    MD5

    5b72dc17685d8f8b2792e2844a592b72

    SHA1

    52ccc79fc1ef8533fb3c0bb2bcb41e9c8074894a

    SHA256

    720cd7f39d3ba938c5363b95db52caca2ed35dff245ae46caf274bf213f8bc3a

    SHA512

    17790b4ec5b789b726d9fecde4a02966ccd39ceb2e15a094f4a823331f1ae10dfbfed6ca0d99f8c158033c356698159da6326662c7646b0c50350645529a34f3
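The signatures above (startup-folder drop, Run key, dropped EXEs) and the file list give enough to hunt for this sample on other hosts, but note what the list shows: every dropped copy is 3.1MB and every copy carries a different SHA256 from the submitted file and from each other (C:\LabZU8\optixloc.exe is even recorded twice with two different hashes), so matching on the hashes alone will miss most infections. The script below is an added example, not part of the sandbox output. It checks the per-user Startup folder and the HKCU/HKLM Run keys, the dropped-file paths seen in this run, and the profile-root .ini marker, then hashes whatever it finds and compares against the report's SHA256 values. Assumptions: the directory names C:\FilesST and C:\LabZU8 may vary between runs; the .ini pattern `<digits>_<osver>_<user>.ini` is inferred from the single filename 253086396416_6.1_Admin.ini (6.1 is the Windows 7 version string, Admin the sandbox user); the Run key value name is not recorded on this page, so all Run entries are listed. Get-FileHash needs PowerShell 4 or later.

```powershell
# Added hunt script for the persistence artefacts in this report. Not part of the
# sandbox output. Run in the context of the user profile you are inspecting
# (HKCU, Startup folder) and elevated if you also want HKLM.

# SHA256 values copied from the report. Each dropped copy differs, so treat these
# as confirmation of a known copy, not as the only detection.
$ReportSha256 = @(
    '17f7739c7c77a44ddcb9d6c590e5088e4cb7ac3e9995e61dbd22d8ee0f23da9d', # submitted .exe
    '6f19875cdefd9b9a85173704094c1603d1d51f6ce2a14744876799e558a334a0', # C:\FilesST\xdobsys.exe
    'da95366de0803d3aa164414e276b2915703e39d87f640c8b51e690f1c48b78ce', # C:\LabZU8\optixloc.exe (1st)
    '04bf27f09306ad74f52d4271b2a05c169077b915e18e72791c3ef085e6aa81e8', # C:\LabZU8\optixloc.exe (2nd)
    '720cd7f39d3ba938c5363b95db52caca2ed35dff245ae46caf274bf213f8bc3a'  # Startup\ecdevopti.exe
)

# Dropped-file paths from this run. Assumption: other runs may use other names.
$ReportPaths = @('C:\FilesST\xdobsys.exe', 'C:\LabZU8\optixloc.exe')

$findings = @()

# 1. Any file in the per-user Startup folder (where ecdevopti.exe was written).
$startup = [Environment]::GetFolderPath('Startup')
Get-ChildItem -Path $startup -File -ErrorAction SilentlyContinue | ForEach-Object {
    $findings += [pscustomobject]@{ Source = 'StartupFolder'; Item = $_.Name; Path = $_.FullName }
}

# 2. Run keys ("Adds Run key to start application"). The value name is not in the
#    report, so every entry is listed and the executable path is extracted.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # PSPath, PSParentPath, ...
        $value = [string]$p.Value
        if ($value -match '^\s*"([^"]+)"') { $exe = $Matches[1] }   # quoted path
        else { $exe = ($value -split '\s+')[0] }                     # first token
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        $findings += [pscustomobject]@{ Source = "RunKey:$key"; Item = $p.Name; Path = $exe }
    }
}

# 3. The dropped-file paths recorded in this run.
foreach ($path in $ReportPaths) {
    if (Test-Path -LiteralPath $path) {
        $findings += [pscustomobject]@{ Source = 'ReportPath'; Item = $path; Path = $path }
    }
}

# 4. Marker file in the profile root. Pattern inferred from 253086396416_6.1_Admin.ini
#    (assumption: <digits>_<os version>_<user name>.ini).
Get-ChildItem -Path $env:USERPROFILE -File -Filter '*.ini' -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^\d+_\d+\.\d+_[^_]+\.ini$' } | ForEach-Object {
        $findings += [pscustomobject]@{ Source = 'ProfileIni'; Item = $_.Name; Path = $_.FullName }
    }

# Hash each hit and mark matches. A non-matching hash does not clear a suspicious
# Startup/Run entry; the report itself shows five different hashes for one sample.
$findings | ForEach-Object {
    $hash = $null
    if ($_.Path -and (Test-Path -LiteralPath $_.Path -PathType Leaf)) {
        $hash = (Get-FileHash -LiteralPath $_.Path -Algorithm SHA256).Hash.ToLower()
    }
    [pscustomobject]@{
        Source   = $_.Source
        Item     = $_.Item
        Path     = $_.Path
        SHA256   = $hash
        KnownBad = [bool]($hash -and ($ReportSha256 -contains $hash))
    }
} | Format-Table -AutoSize
```

Read the output by source, not by the KnownBad column alone: an unexpected EXE in the Startup folder or a Run entry pointing at a non-standard directory such as C:\FilesST is the finding; a hash match only tells you which recorded copy you are looking at.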