75ea276d03e8fee94630f75a68d0a562573d023eee655f89ab8833d2da2db979

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
20/04/2024, 23:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

75ea276d03e8fee94630f75a68d0a562573d023eee655f89ab8833d2da2db979.exe
Size

3.9MB
MD5

19595d1c2d71ff44594665db0d33c91a
SHA1

cf09952199be72ca3a85ce1de09ae30de6f37ef7
SHA256

75ea276d03e8fee94630f75a68d0a562573d023eee655f89ab8833d2da2db979
SHA512

a4d1a4717aca33a621a1e9f693e02bb68361d042bb47757428a6f9faa4f2db78b169dc916f92c958141fa0f105f83ecb039085f3580adeda4beee7184b16575a
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBNB/bSqz8:sxX7QnxrloE5dpUpmbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe	75ea276d03e8fee94630f75a68d0a562573d023eee655f89ab8833d2da2db979.exe

Executes dropped EXE 2 IoCs

pid	Process
2740	ecadob.exe
2616	devoptisys.exe

Loads dropped DLL 2 IoCs

pid	Process
2916	75ea276d03e8fee94630f75a68d0a562573d023eee655f89ab8833d2da2db979.exe
2916	75ea276d03e8fee94630f75a68d0a562573d023eee655f89ab8833d2da2db979.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc1U\\devoptisys.exe"	75ea276d03e8fee94630f75a68d0a562573d023eee655f89ab8833d2da2db979.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxIB\\dobxsys.exe"	75ea276d03e8fee94630f75a68d0a562573d023eee655f89ab8833d2da2db979.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2916	75ea276d03e8fee94630f75a68d0a562573d023eee655f89ab8833d2da2db979.exe
2916	75ea276d03e8fee94630f75a68d0a562573d023eee655f89ab8833d2da2db979.exe
2740	ecadob.exe
2616	devoptisys.exe
2740	ecadob.exe
2616	devoptisys.exe
2740	ecadob.exe
2616	devoptisys.exe
2740	ecadob.exe
2616	devoptisys.exe
2740	ecadob.exe
2616	devoptisys.exe
2740	ecadob.exe
2616	devoptisys.exe
2740	ecadob.exe
2616	devoptisys.exe
2740	ecadob.exe
2616	devoptisys.exe
2740	ecadob.exe
2616	devoptisys.exe
2740	ecadob.exe
2616	devoptisys.exe
2740	ecadob.exe
2616	devoptisys.exe
2740	ecadob.exe
2616	devoptisys.exe
2740	ecadob.exe
2616	devoptisys.exe
2740	ecadob.exe
2616	devoptisys.exe
2740	ecadob.exe
2616	devoptisys.exe
2740	ecadob.exe
2616	devoptisys.exe
2740	ecadob.exe
2616	devoptisys.exe
2740	ecadob.exe
2616	devoptisys.exe
2740	ecadob.exe
2616	devoptisys.exe
2740	ecadob.exe
2616	devoptisys.exe
2740	ecadob.exe
2616	devoptisys.exe
2740	ecadob.exe
2616	devoptisys.exe
2740	ecadob.exe
2616	devoptisys.exe
2740	ecadob.exe
2616	devoptisys.exe
2740	ecadob.exe
2616	devoptisys.exe
2740	ecadob.exe
2616	devoptisys.exe
2740	ecadob.exe
2616	devoptisys.exe
2740	ecadob.exe
2616	devoptisys.exe
2740	ecadob.exe
2616	devoptisys.exe
2740	ecadob.exe
2616	devoptisys.exe
2740	ecadob.exe
2616	devoptisys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2916 wrote to memory of 2740	2916	75ea276d03e8fee94630f75a68d0a562573d023eee655f89ab8833d2da2db979.exe	28
PID 2916 wrote to memory of 2740	2916	75ea276d03e8fee94630f75a68d0a562573d023eee655f89ab8833d2da2db979.exe	28
PID 2916 wrote to memory of 2740	2916	75ea276d03e8fee94630f75a68d0a562573d023eee655f89ab8833d2da2db979.exe	28
PID 2916 wrote to memory of 2740	2916	75ea276d03e8fee94630f75a68d0a562573d023eee655f89ab8833d2da2db979.exe	28
PID 2916 wrote to memory of 2616	2916	75ea276d03e8fee94630f75a68d0a562573d023eee655f89ab8833d2da2db979.exe	29
PID 2916 wrote to memory of 2616	2916	75ea276d03e8fee94630f75a68d0a562573d023eee655f89ab8833d2da2db979.exe	29
PID 2916 wrote to memory of 2616	2916	75ea276d03e8fee94630f75a68d0a562573d023eee655f89ab8833d2da2db979.exe	29
PID 2916 wrote to memory of 2616	2916	75ea276d03e8fee94630f75a68d0a562573d023eee655f89ab8833d2da2db979.exe	29

C:\Users\Admin\AppData\Local\Temp\75ea276d03e8fee94630f75a68d0a562573d023eee655f89ab8833d2da2db979.exe
"C:\Users\Admin\AppData\Local\Temp\75ea276d03e8fee94630f75a68d0a562573d023eee655f89ab8833d2da2db979.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2916
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2740
- C:\Intelproc1U\devoptisys.exe
  C:\Intelproc1U\devoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxIB\dobxsys.exe

Filesize
3.9MB

MD5
12a2e3709182778778cbd26dc0e08638

SHA1
b0ff94fa0b23fcd62cb87db3ae07b88b7066b60c

SHA256
fc9c96896255f16333bf98221dfb93b20604b246848ca9cece66eb4897d01ebc

SHA512
e9a365cffd760e91d0259915a0ee040aa43a3aa5fe39efbf6b289953edc5ee231cddf5d410c864b9a6476e9c2a606757542f696badf9326513dc4f9e582c85c9

Download Submit
C:\Intelproc1U\devoptisys.exe

Filesize
3.9MB

MD5
04f8ce74736d26f2d33c5e67cb4b9b30

SHA1
7389789ba41b1ba9c665ed08460bc98200762987

SHA256
53b7d347a523e4a05c13d0d7dea653e8dca7e600ce2c02104a9ebd20502860e1

SHA512
4eebd7df9d6e8e682736c05f8c0a41739909d8b458733ec73388d1435d35f2d603243f6413e8cb71a85235d4984c3362a191839f8418390fe6661af35fc499c7

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
175B

MD5
ad5b9307f4ffaf1cc05fdd4cdca9f94f

SHA1
a6017b267bba62b991285bab2d2711b8278ba48e

SHA256
f46a69f74cb33245ebb4191acbdc1b1dd511894ffdabe54c3c3adec5d8363c5a

SHA512
a374bd2306e284c0fc5c25302c8b2212d165f5e488f2af3178f9e576cc777ab8fab7b6be34b55e270138996551fb1e2e17be311191071923120ff0e7f108c08c

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
207B

MD5
d7e8d0d12efde6232e2092457ed450b7

SHA1
f73b937d926e88ddbdc563d4ee11eda7601b236b

SHA256
1582cea6333a89e208a7d366feb67a405335ccb8bcb78e0864a9d94c9728047f

SHA512
8b0566ada7bbd4fe74d97d994b447ed9791ccb205a3665dc75f3b33cb1ce7a2c3d51e3a8d38b6f4875e6f8c6f7d85b99db250990891d0b8c91d29bb45fe39051

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe

Filesize
3.9MB

MD5
1a762fc192ab0934165b71971e53b977

SHA1
ac9ae2cec59d379ba94b9a26d89b5d87823b091b

SHA256
f43ef69c0f2f1e135a226d3474012422f1db29d6c2639357a2d067a94b395a9c

SHA512
c8be80431a4d16a9fd01eaf874f33f4b089ac263e56381c41d6d513e1797533b5ba467d488ad3a3b4a4f1b1a652c946e88586663fb6a515573944ea843e3090c

Download Submit