Analysis

  • max time kernel
    119s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    15/01/2025, 22:55

General

  • Target

    ad30c146d098411fc2980241b569450c208e49858569d31b473f8e069006aeb5N.exe

  • Size

    3.1MB

  • MD5

    2410c92d917a12b2d18a6742a7d69a20

  • SHA1

    385ec8d713f39b691ff3a86559d07d3a04742347

  • SHA256

    ad30c146d098411fc2980241b569450c208e49858569d31b473f8e069006aeb5

  • SHA512

    dc5d6622aacc9bfe92f283df7df6e464145195713f62ec76d58964903ef75e1d36fe434e27f2a10b0725bf8580ad06d242b88ca79135d56bdf5cecaf16896181

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBBB/bSqz8b6LNXJqI:sxX7QnxrloE5dpUpabVz8eLFc

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ad30c146d098411fc2980241b569450c208e49858569d31b473f8e069006aeb5N.exe
    "C:\Users\Admin\AppData\Local\Temp\ad30c146d098411fc2980241b569450c208e49858569d31b473f8e069006aeb5N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1860
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2188
    • C:\SysDrv9C\xoptiec.exe
      C:\SysDrv9C\xoptiec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2300

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\SysDrv9C\xoptiec.exe

          Filesize

          3.1MB

          MD5

          049267b57159ccf97113a437187f96d3

          SHA1

          480449ed37e4c26191b36b77f8e401a29886f29e

          SHA256

          97e3de9db29d1d446f07b93acd437b771d9178dbbb1ca3335bbe569b8dba9d57

          SHA512

          9a439c29a9c2a6d61839ee62b4ad8c577dc3bf08808bfc011e7277849d2580b99ef0b5744c92d29f18f6032419f5961e51edf54c9812ff9700c303ab25063188

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          170B

          MD5

          3676060e78ee753d17f16f5d58bda5c5

          SHA1

          6a3010a8df700e890e8798e4688b29f0a292af3e

          SHA256

          65b267513c0fc92367c10e34c188679ff8f41e0b9e980d0e1683e2b83738c984

          SHA512

          931194f255fd16c370be1b3b5db121f138d7be58f53eb3c63ebe05bee41a685ba5ef11d2464c524e5cc2208364ea3c1279e0610597b0101ae41011795761fce3

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          202B

          MD5

          9bece9117abc8b1bada525ba833140df

          SHA1

          66d2e0f7b73432479c26cae097fcbfd9c7bb4392

          SHA256

          b0ff3d871f0f5b098ac682c06cfc84a689f91ca91a3ade6e46c473664405c953

          SHA512

          33fe43683bc17a6624ca522a8c466cfeda55ae4b1ac72be5e6d03056c5cfe0d4b5ba04b092ee451f61ef2b4187c9e2f4b4fdd0c0c7623149acca5b1e6b1142f3

        • C:\Vid1L\optixloc.exe

          Filesize

          3.1MB

          MD5

          6143060c46a9a5bca78137541bea11a4

          SHA1

          530d958f1df5c8050fda9b1982a47c481f018567

          SHA256

          76b290df97224fb698860c4396d6c8c777f334896e587002db9b2fe302967f9a

          SHA512

          48d328ae6bcc011860b3619034a19fffa3d63e79f0a1d580f658011e83507ad6bc8f4bc48234191ab394abbec7dfce58b0eb618f34cea60af1225ac77e33e6ed

        • C:\Vid1L\optixloc.exe

          Filesize

          3.1MB

          MD5

          80414626d65d29e426772e6ae7a758a4

          SHA1

          45b34b315dc9c425010f4c1607088f6ce2eaa7e8

          SHA256

          2d36c8fe9208da197ac92767901931c16c123e36b408628e728d54f0133e93f5

          SHA512

          d249875ce64528ee2030cd40ebf3a974292b79647319f4c08a694c19a03f115b72a48b120867a5a1a590ebf73286fffc3ef2113873e3dc9f8afbfe1b6a03f7e6

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe

          Filesize

          3.1MB

          MD5

          d986cc24e63cd102dfaea8eea0f1c83f

          SHA1

          71635511797a3bf55b529a09a68e700dddb88be9

          SHA256

          6eecd8b1bdf6e7fafed7da62df74e401de31e4d51de3c2832b8e010a4aef9d3c

          SHA512

          ebf491aab2e68d82a6f58adac544840e9ee525f31a45cc0d51ab8f8235769943ba97cfdf45605622d6cf0c63d8bdadeb40a3b4929c21d41956a61b07c3c5567f