Analysis
- Max time kernel: 119s
- Max time network: 16s
- Platform: windows7_x64
- Resource: win7-20240903-en
- Resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- Submitted: 15/01/2025, 22:55
| Task | Sample | Resource |
|---|---|---|
| Static task: static1 | | |
| Behavioral task: behavioral1 | ad30c146d098411fc2980241b569450c208e49858569d31b473f8e069006aeb5N.exe | win7-20240903-en |
| Behavioral task: behavioral2 | ad30c146d098411fc2980241b569450c208e49858569d31b473f8e069006aeb5N.exe | win10v2004-20241007-en |
General

| Field | Value |
|---|---|
| Target | ad30c146d098411fc2980241b569450c208e49858569d31b473f8e069006aeb5N.exe |
| Size | 3.1MB |
| MD5 | 2410c92d917a12b2d18a6742a7d69a20 |
| SHA1 | 385ec8d713f39b691ff3a86559d07d3a04742347 |
| SHA256 | ad30c146d098411fc2980241b569450c208e49858569d31b473f8e069006aeb5 |
| SHA512 | dc5d6622aacc9bfe92f283df7df6e464145195713f62ec76d58964903ef75e1d36fe434e27f2a10b0725bf8580ad06d242b88ca79135d56bdf5cecaf16896181 |
| SSDEEP | 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBBB/bSqz8b6LNXJqI:sxX7QnxrloE5dpUpabVz8eLFc |
Malware Config
Signatures
Drops startup file 1 IoCs

| description | ioc | Process |
|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | ad30c146d098411fc2980241b569450c208e49858569d31b473f8e069006aeb5N.exe |

Executes dropped EXE 2 IoCs

| pid | Process |
|---|---|
| 2188 | ecdevbod.exe |
| 2300 | xoptiec.exe |

Loads dropped DLL 2 IoCs

| pid | Process |
|---|---|
| 1860 | ad30c146d098411fc2980241b569450c208e49858569d31b473f8e069006aeb5N.exe |
| 1860 | ad30c146d098411fc2980241b569450c208e49858569d31b473f8e069006aeb5N.exe |

Reads user/profile data of web browsers 3 TTPs

Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

Adds Run key to start application 2 TTPs 2 IoCs

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv9C\\xoptiec.exe" | ad30c146d098411fc2980241b569450c208e49858569d31b473f8e069006aeb5N.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid1L\\optixloc.exe" | ad30c146d098411fc2980241b569450c208e49858569d31b473f8e069006aeb5N.exe |

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xoptiec.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ad30c146d098411fc2980241b569450c208e49858569d31b473f8e069006aeb5N.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ecdevbod.exe |
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of WriteProcessMemory 8 IoCs

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 1860 wrote to memory of 2188 | 1860 | ad30c146d098411fc2980241b569450c208e49858569d31b473f8e069006aeb5N.exe | 28 |
| PID 1860 wrote to memory of 2188 | 1860 | ad30c146d098411fc2980241b569450c208e49858569d31b473f8e069006aeb5N.exe | 28 |
| PID 1860 wrote to memory of 2188 | 1860 | ad30c146d098411fc2980241b569450c208e49858569d31b473f8e069006aeb5N.exe | 28 |
| PID 1860 wrote to memory of 2188 | 1860 | ad30c146d098411fc2980241b569450c208e49858569d31b473f8e069006aeb5N.exe | 28 |
| PID 1860 wrote to memory of 2300 | 1860 | ad30c146d098411fc2980241b569450c208e49858569d31b473f8e069006aeb5N.exe | 29 |
| PID 1860 wrote to memory of 2300 | 1860 | ad30c146d098411fc2980241b569450c208e49858569d31b473f8e069006aeb5N.exe | 29 |
| PID 1860 wrote to memory of 2300 | 1860 | ad30c146d098411fc2980241b569450c208e49858569d31b473f8e069006aeb5N.exe | 29 |
| PID 1860 wrote to memory of 2300 | 1860 | ad30c146d098411fc2980241b569450c208e49858569d31b473f8e069006aeb5N.exe | 29 |
Processes
- C:\Users\Admin\AppData\Local\Temp\ad30c146d098411fc2980241b569450c208e49858569d31b473f8e069006aeb5N.exe (PID 1860)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ad30c146d098411fc2980241b569450c208e49858569d31b473f8e069006aeb5N.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe (PID 2188)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\SysDrv9C\xoptiec.exe (PID 2300)
    Command line: C:\SysDrv9C\xoptiec.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads