Analysis
-
max time kernel
120s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system -
submitted
13-11-2024 20:06
Static task
static1
Behavioral task
behavioral1
Sample
423b8cb75eb691ab977125fcb8fea2ce950c86759acb75b209a52eedaaf17ff5N.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
423b8cb75eb691ab977125fcb8fea2ce950c86759acb75b209a52eedaaf17ff5N.exe
Resource
win10v2004-20241007-en
General
-
Target
423b8cb75eb691ab977125fcb8fea2ce950c86759acb75b209a52eedaaf17ff5N.exe
-
Size
2.6MB
-
MD5
cbfa0825412a6ad9f76f895b18c4f320
-
SHA1
5f2d2327b8cf845bad200996b915ed10445834a2
-
SHA256
423b8cb75eb691ab977125fcb8fea2ce950c86759acb75b209a52eedaaf17ff5
-
SHA512
22302470b7583aea038d0c24406155167b04d02802b5fc162997033ebc12a5ba714e42392285fe770daa074641a3ea65786bafb9c997c4ed2cc6b755740bac93
-
SSDEEP
49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB5B/bSq:sxX7QnxrloE5dpUpmbV
Malware Config
Signatures
-
Drops startup file 1 IoCs
Processes:
Processes: 423b8cb75eb691ab977125fcb8fea2ce950c86759acb75b209a52eedaaf17ff5N.exe
description     ioc                                                                                        Process
File created    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe    423b8cb75eb691ab977125fcb8fea2ce950c86759acb75b209a52eedaaf17ff5N.exe
-
Executes dropped EXE 2 IoCs
Processes:
Processes: ecadob.exe, devoptisys.exe
pid     Process
2904    ecadob.exe
2828    devoptisys.exe
-
Loads dropped DLL 2 IoCs
Processes:
Processes: 423b8cb75eb691ab977125fcb8fea2ce950c86759acb75b209a52eedaaf17ff5N.exe
pid     Process
2768    423b8cb75eb691ab977125fcb8fea2ce950c86759acb75b209a52eedaaf17ff5N.exe
2768    423b8cb75eb691ab977125fcb8fea2ce950c86759acb75b209a52eedaaf17ff5N.exe
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
Processes: 423b8cb75eb691ab977125fcb8fea2ce950c86759acb75b209a52eedaaf17ff5N.exe
description        ioc                                                                                                                                                     Process
Set value (str)    \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv61\\devoptisys.exe"        423b8cb75eb691ab977125fcb8fea2ce950c86759acb75b209a52eedaaf17ff5N.exe
Set value (str)    \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxCN\\dobdevloc.exe"    423b8cb75eb691ab977125fcb8fea2ce950c86759acb75b209a52eedaaf17ff5N.exe
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. Opening the NLS\Language key is also common in benign software, so on its own this signature is a weak indicator.
Processes:
Processes: 423b8cb75eb691ab977125fcb8fea2ce950c86759acb75b209a52eedaaf17ff5N.exe, ecadob.exe, devoptisys.exe
description    ioc                                                              Process
Key opened     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      423b8cb75eb691ab977125fcb8fea2ce950c86759acb75b209a52eedaaf17ff5N.exe
Key opened     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      ecadob.exe
Key opened     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      devoptisys.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
Processes: 423b8cb75eb691ab977125fcb8fea2ce950c86759acb75b209a52eedaaf17ff5N.exe, ecadob.exe, devoptisys.exe
pid     Process
2768    423b8cb75eb691ab977125fcb8fea2ce950c86759acb75b209a52eedaaf17ff5N.exe    (2 entries)
2904    ecadob.exe        (31 entries, alternating with the row below)
2828    devoptisys.exe    (31 entries)
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
Processes: 423b8cb75eb691ab977125fcb8fea2ce950c86759acb75b209a52eedaaf17ff5N.exe
description                          pid     Process                                                                   procid_target
PID 2768 wrote to memory of 2904     2768    423b8cb75eb691ab977125fcb8fea2ce950c86759acb75b209a52eedaaf17ff5N.exe    30    (4 entries)
PID 2768 wrote to memory of 2828     2768    423b8cb75eb691ab977125fcb8fea2ce950c86759acb75b209a52eedaaf17ff5N.exe    31    (4 entries)
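The persistence-related signatures above (Drops startup file, Adds Run key to start application, Executes dropped EXE) are the ones worth turning into host-side detection. The following Python is an added example, not part of this report and not the sandbox's own rule logic: it runs a small persistence detector over a handful of constructed Sysmon-style events that mirror the IoCs listed above (registry value set, file create, process create), normalises the kernel-style \REGISTRY\USER paths the report prints into the HKU form Sysmon logs use, and correlates which of the staged binaries actually executed. The simplified event field names (id, pid, image, target, details, parent_pid) and the benign msiexec/updater control event are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Added example, not code from the report. The event layout used here
# (id/pid/image/target/details/parent_pid) is a simplified assumption,
# not Sysmon's real schema; ids follow Sysmon: 1 = process create,
# 11 = file create, 13 = registry value set.

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\423b8cb75eb691ab977125fcb8fea2ce950c86759acb75b209a52eedaaf17ff5N.exe")
SID = "S-1-5-21-3692679935-4019334568-335155002-1000"
USER_HIVE = r"\REGISTRY\USER" + "\\" + SID            # kernel-style, as the report prints it
CV = r"\Software\Microsoft\Windows\CurrentVersion"
STARTUP = (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
           r"\Start Menu\Programs\Startup\ecadob.exe")

# Constructed events mirroring the report's IoCs. The msiexec/updater event is a
# made-up benign control case; the others reproduce the report's paths and PIDs.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 2768, "parent_pid": None, "image": SAMPLE},
    {"id": 11, "pid": 2768, "image": SAMPLE, "target": STARTUP},
    {"id": 13, "pid": 2768, "image": SAMPLE,
     "target": USER_HIVE + CV + r"\Run\Parametr",
     "details": r'"C:\\SysDrv61\\devoptisys.exe"'},
    {"id": 13, "pid": 2768, "image": SAMPLE,
     "target": USER_HIVE + CV + r"\RunOnce\Parametr",
     "details": r'"C:\\GalaxCN\\dobdevloc.exe"'},
    {"id": 13, "pid": 1234, "image": r"C:\Windows\System32\msiexec.exe",   # constructed benign case
     "target": "HKU\\" + SID + CV + r"\Run\Updater",
     "details": r'"C:\Program Files\Vendor\updater.exe"'},
    {"id": 1, "pid": 2904, "parent_pid": 2768, "image": STARTUP},
    {"id": 1, "pid": 2828, "parent_pid": 2768, "image": r"C:\SysDrv61\devoptisys.exe"},
]

_HIVES = ((r"\REGISTRY\USER", "HKU"), (r"\REGISTRY\MACHINE", "HKLM"))
_AUTORUN_KEY = re.compile(
    r"\\software\\microsoft\\windows\\currentversion\\"
    r"(run|runonce|runservices|runservicesonce)\\[^\\]+$", re.I)
_STARTUP_DIR = re.compile(
    r"\\start menu\\programs\\startup\\[^\\]+\.(exe|dll|scr|bat|cmd|vbs|js|lnk)$", re.I)
_TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def normalize_regpath(path: str) -> str:
    """Map the kernel-style hive prefixes sandboxes print (REGISTRY\\USER,
    REGISTRY\\MACHINE) onto the HKU/HKLM prefixes Sysmon uses; lower-case."""
    for prefix, short in _HIVES:
        if path.upper().startswith(prefix.upper()):
            path = short + path[len(prefix):]
            break
    return path.lower()


def normalize_filepath(path: str) -> str:
    """Strip quotes and the doubled backslashes seen in printed value data."""
    return path.strip().strip('"').replace("\\\\", "\\").lower()


@dataclass(frozen=True)
class Finding:
    rule: str       # which detection fired
    pid: int        # process that produced the event
    image: str      # normalised image path of that process
    exe: str        # persisted or executed binary the finding is about
    detail: str     # registry key, parent PID, ...
    severity: str   # "high" or "low"


def detect_persistence(events):
    """Single pass over time-ordered events: record autorun staging, then flag
    any later process creation whose image is one of the staged binaries."""
    findings, staged = [], set()
    for ev in events:
        image = normalize_filepath(ev["image"])
        if ev["id"] == 13:
            key = normalize_regpath(ev["target"])
            if _AUTORUN_KEY.search(key):
                exe = normalize_filepath(ev["details"])
                # Trusted install directories only lower the severity: this is
                # a triage heuristic, not an allow-list.
                sev = "low" if exe.startswith(_TRUSTED_DIRS) else "high"
                findings.append(Finding("autorun_registry_value", ev["pid"], image, exe, key, sev))
                staged.add(exe)
        elif ev["id"] == 11:
            target = normalize_filepath(ev["target"])
            if _STARTUP_DIR.search(target):
                findings.append(Finding("startup_folder_drop", ev["pid"], image, target,
                                        "file created", "high"))
                staged.add(target)
        elif ev["id"] == 1 and image in staged:
            findings.append(Finding("persisted_binary_executed", ev["pid"], image, image,
                                    f"parent pid {ev['parent_pid']}", "high"))
    return findings


def staged_not_executed(findings):
    """Persisted binaries the trace never saw run (e.g. RunOnce targets)."""
    staged = {f.exe for f in findings if f.rule in ("autorun_registry_value", "startup_folder_drop")}
    ran = {f.exe for f in findings if f.rule == "persisted_binary_executed"}
    return sorted(staged - ran)


if __name__ == "__main__":
    results = detect_persistence(SAMPLE_EVENTS)
    for f in results:
        print(f"[{f.severity}] {f.rule}: pid {f.pid} {f.exe} ({f.detail})")
    print("staged but not executed:", staged_not_executed(results))
```

Run against the constructed trace, the detector raises two high-severity autorun findings for the Run and RunOnce values, one for the Startup-folder drop, and two executions of staged binaries (ecadob.exe from the Startup folder and devoptisys.exe from C:\SysDrv61), while reporting that the RunOnce target C:\GalaxCN\dobdevloc.exe was staged but never ran within the trace. That last distinction is why correlating registry and file events with later process creation matters: a registry-only rule would not tell you which persistence actually fired, and the report's own process tree shows dobdevloc.exe absent from the executed processes.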
Processes
-
C:\Users\Admin\AppData\Local\Temp\423b8cb75eb691ab977125fcb8fea2ce950c86759acb75b209a52eedaaf17ff5N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\423b8cb75eb691ab977125fcb8fea2ce950c86759acb75b209a52eedaaf17ff5N.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2768
  -
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe (child of PID 2768)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 2904
  -
  C:\SysDrv61\devoptisys.exe (child of PID 2768)
    Command line: C:\SysDrv61\devoptisys.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 2828
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
301KB
MD5
fcfd4110e9ff4ac46089874d92e190da
SHA1
a9c5414eeaddc052bab47a17e6bf2728c0e27a73
SHA256
474ec594f6750ec293c5581b1e9ab829a97247805fd547c287e0bbbb9e1f57ca
SHA512
f397338328046e24f8293fc15d11558741ff43e3a00bb7a37e35f4e0e45590cf4fd44a40880fdac4391a56d8e7db98281d81ab3ecc486884ae8f01e8932e561d
-
Filesize
2.6MB
MD5
fcfb6dafd0a9ed5def05bf9afdd436c1
SHA1
ddf8550483498366dec53ebb6057514de974ad1a
SHA256
96c1352cd4087983e6e0979d6602024f2ca3cc1b80c7e2f0d05bd57f0e40df6a
SHA512
f9dbf0f62bf32a046645b01182615666a4902352a6ed7d8a59510b39da15a2d37e88706ed9d4545502a09cb82e82e4b36cb0170f957acdaee1331fb87b5fa7fa
-
Filesize
186KB
MD5
0730d054b9e665df59fcd0f4f8845f72
SHA1
ef7bbf9868204465717ddbaffd27685f56b9ce01
SHA256
9c570128f3ab5000bfc9f15516103221ddce99cdd2f3e23a293570778353f774
SHA512
d14da7e99d002eb57d4bd8eb930c38f94c075b9705af293b27572d978284da49dd0987d4206fb94dffb76c7a7ec7a91feff9ba30d13d4b2c0f0957c4487a3d8d
-
Filesize
174B
MD5
b032f9094a666454d2ec4e0379d384f5
SHA1
bb2242f7c82cf43b24265ebd127abcfbbdb8f04f
SHA256
35e7930ff50d14d595531ebe6baa6f6304898ff90151b0320da224e45fbb0cab
SHA512
74646fd681bae7301cbf2268dcf6727187e68084813297f335a035433ce08f579098e38aa69e1823744342fe0313816b7d22fcfa9c8ab145e4eb05fdefca2424
-
Filesize
206B
MD5
70293277c3c8127a71cb4898ef8607e0
SHA1
183b9108d4928922e9cc7de80bcc09e0879eaa21
SHA256
e66ea5148541f0658e23497db37b905fd80d58fd8e88a1973761aaa3dc6ec20d
SHA512
341748bea5cf4be2d68e644c8483240509e8478c094d709229a1a7c84801d8c6eda82f1eb2f7430843fe25d4e06c3f8d79f365e15f269d6dc0b103780d4f5422
-
Filesize
2.6MB
MD5
3536501d662bf382bab1aace8f3d3b01
SHA1
8566e77fdbce0631bf75fef8ceb075643873c879
SHA256
9be5c8cbaea51dc9a273cb0ca8963210e21eb42b438763a3de72d8857ec5f3b8
SHA512
8a0d12497954dad5dd92c085b8d9ef57e4cf6cf6b66b3a1c6e31c9a65eb1ed06c67ceacae931a51028aecb8f41146d63145a1732657d98c10ca43a2975159a01
-
Filesize
2.6MB
MD5
06549e39218ef7ca5692fd6f9cd0e522
SHA1
5c607d1be281f4a10d0d0a7984a1c6d148b5e410
SHA256
2c3e89be0926c91909521a8dbe398957aaf9b857a99dfe79e7930d2aaf92f5f5
SHA512
131562045462f5b27bdb1b871c6fabeee05b1fffc41b445409607c5617af8084c076717629b1ae45c5e250b8b23e864e45280d279cf3a0b37b62753df92eb1a2