9f16445aaa1bb7ba8417541e1684af5a7beeedd4607ea1fbd9c0fa3ea195faf1

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
21/04/2024, 01:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9f16445aaa1bb7ba8417541e1684af5a7beeedd4607ea1fbd9c0fa3ea195faf1.exe
Size

4.1MB
MD5

1be3de6b4bb06f6cc60f1c731bb4342d
SHA1

d7e35709ddff66b214bfbaa29730b4b56b099ac9
SHA256

9f16445aaa1bb7ba8417541e1684af5a7beeedd4607ea1fbd9c0fa3ea195faf1
SHA512

f1a6cd72e0b221cfa5f82f2ae4b00d3779b223ed0daca884498ecd9cd885f9832d88f0a9fec53e1962edbff048442a6fec3a52350ab972017d4ee42059c0a155
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBmB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpFbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe	9f16445aaa1bb7ba8417541e1684af5a7beeedd4607ea1fbd9c0fa3ea195faf1.exe

Executes dropped EXE 2 IoCs

pid	Process
2072	ecdevbod.exe
4896	xoptiloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesLT\\xoptiloc.exe"	9f16445aaa1bb7ba8417541e1684af5a7beeedd4607ea1fbd9c0fa3ea195faf1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid2H\\dobxec.exe"	9f16445aaa1bb7ba8417541e1684af5a7beeedd4607ea1fbd9c0fa3ea195faf1.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1520	9f16445aaa1bb7ba8417541e1684af5a7beeedd4607ea1fbd9c0fa3ea195faf1.exe
1520	9f16445aaa1bb7ba8417541e1684af5a7beeedd4607ea1fbd9c0fa3ea195faf1.exe
1520	9f16445aaa1bb7ba8417541e1684af5a7beeedd4607ea1fbd9c0fa3ea195faf1.exe
1520	9f16445aaa1bb7ba8417541e1684af5a7beeedd4607ea1fbd9c0fa3ea195faf1.exe
2072	ecdevbod.exe
2072	ecdevbod.exe
4896	xoptiloc.exe
4896	xoptiloc.exe
2072	ecdevbod.exe
2072	ecdevbod.exe
4896	xoptiloc.exe
4896	xoptiloc.exe
2072	ecdevbod.exe
2072	ecdevbod.exe
4896	xoptiloc.exe
4896	xoptiloc.exe
2072	ecdevbod.exe
2072	ecdevbod.exe
4896	xoptiloc.exe
4896	xoptiloc.exe
2072	ecdevbod.exe
2072	ecdevbod.exe
4896	xoptiloc.exe
4896	xoptiloc.exe
2072	ecdevbod.exe
2072	ecdevbod.exe
4896	xoptiloc.exe
4896	xoptiloc.exe
2072	ecdevbod.exe
2072	ecdevbod.exe
4896	xoptiloc.exe
4896	xoptiloc.exe
2072	ecdevbod.exe
2072	ecdevbod.exe
4896	xoptiloc.exe
4896	xoptiloc.exe
2072	ecdevbod.exe
2072	ecdevbod.exe
4896	xoptiloc.exe
4896	xoptiloc.exe
2072	ecdevbod.exe
2072	ecdevbod.exe
4896	xoptiloc.exe
4896	xoptiloc.exe
2072	ecdevbod.exe
2072	ecdevbod.exe
4896	xoptiloc.exe
4896	xoptiloc.exe
2072	ecdevbod.exe
2072	ecdevbod.exe
4896	xoptiloc.exe
4896	xoptiloc.exe
2072	ecdevbod.exe
2072	ecdevbod.exe
4896	xoptiloc.exe
4896	xoptiloc.exe
2072	ecdevbod.exe
2072	ecdevbod.exe
4896	xoptiloc.exe
4896	xoptiloc.exe
2072	ecdevbod.exe
2072	ecdevbod.exe
4896	xoptiloc.exe
4896	xoptiloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1520 wrote to memory of 2072	1520	9f16445aaa1bb7ba8417541e1684af5a7beeedd4607ea1fbd9c0fa3ea195faf1.exe	88
PID 1520 wrote to memory of 2072	1520	9f16445aaa1bb7ba8417541e1684af5a7beeedd4607ea1fbd9c0fa3ea195faf1.exe	88
PID 1520 wrote to memory of 2072	1520	9f16445aaa1bb7ba8417541e1684af5a7beeedd4607ea1fbd9c0fa3ea195faf1.exe	88
PID 1520 wrote to memory of 4896	1520	9f16445aaa1bb7ba8417541e1684af5a7beeedd4607ea1fbd9c0fa3ea195faf1.exe	90
PID 1520 wrote to memory of 4896	1520	9f16445aaa1bb7ba8417541e1684af5a7beeedd4607ea1fbd9c0fa3ea195faf1.exe	90
PID 1520 wrote to memory of 4896	1520	9f16445aaa1bb7ba8417541e1684af5a7beeedd4607ea1fbd9c0fa3ea195faf1.exe	90

C:\Users\Admin\AppData\Local\Temp\9f16445aaa1bb7ba8417541e1684af5a7beeedd4607ea1fbd9c0fa3ea195faf1.exe
"C:\Users\Admin\AppData\Local\Temp\9f16445aaa1bb7ba8417541e1684af5a7beeedd4607ea1fbd9c0fa3ea195faf1.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2072
- C:\FilesLT\xoptiloc.exe
  C:\FilesLT\xoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesLT\xoptiloc.exe

Filesize
4.1MB

MD5
3e6ec6d5726d54f92f112e6f54a631a8

SHA1
d07425f5bf35dedfb883450207aaccd249c4f891

SHA256
c4c7aaf9657893839f4b06443b10af4ba24afcb489bdbce4801556c3c21f8baa

SHA512
9c844d7487e31065bd024ab438db772eee7d706989fdb6f98ec93778b9cabf2d60098be48bd855544e074be02c34a35c8ecb584e2513d79d171236a00d0eea14

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
200B

MD5
69eb9163803656414833deee6e650c7b

SHA1
890f0a4fa4ea8df113ac5eafe25dfb3f470b6a51

SHA256
f6bb1ea2b7e5fa25e045bac820e10b4f01dab5ddcdb8c6b6ec000718d0d62b6e

SHA512
fa584b844e1f5a43468b5dc63d397f32e2644138032c84d8665561069e458b9baf3c30548cf75f3cb6581bd1fcbfbbb208254e5b6d91ef0d7f149abfb70ec866

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
168B

MD5
3f272ab3bb7bd082158767cbc135d0e2

SHA1
5caebcce6d245d9591c8ff9a7c07b9694ef63962

SHA256
c684ce6536ecc222d0cdfa9c8956152472cd59f2996f67408f0ff224bf0db6d5

SHA512
8b51658f402f0a46f47fd4dd311ad3fa1f9fa8a6f6692d2da7b223a8624e81dc658d6a5fd2b7bb887a43fa8f0369b77cdb7e97f87a94239a6cc31c0f21eb10ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe

Filesize
4.1MB

MD5
1a8517c673658380f0acc47e8660e747

SHA1
2fca6cac530bffca1b913e5c7772d36d571cea83

SHA256
1ed00e3dd508b5e1888f4cade419e032fc4f2f3739b30a9e215c5b4202412f95

SHA512
847a648d6c1835b3675f405284c3bc935340407894cc68fc8dff684a53a8be05c607f92a9bffeb997817479464d2dcb4de9dacb852e60b4043ae4b3b0c730957

Download Submit
C:\Vid2H\dobxec.exe

Filesize
2.3MB

MD5
995585de0c03624f843f3f56f810b5f5

SHA1
129ee65d2f689b28cfd76e178aadfc6f13103ed1

SHA256
d602807f821dd0f3f1c4eb5612c5f8dde679d2f102325bc9168ca31f1bb94697

SHA512
20b8db60ea0bd9c0eb263b0ecf874891b6b24cf54ed6030c40c67caf2b0a4b6553be7a76cd1a84aba6d63d6f5b253df3882ba024707c944d052c3812e8e29015

Download Submit
C:\Vid2H\dobxec.exe

Filesize
4.1MB

MD5
e19e90ee78dafaa2df47c9a7f135b50a

SHA1
85909ac37e22255073ac1a3d571d89aad25b4945

SHA256
9827508da61517d020365eb69401dce3a408bf75dcbeaca21376228f16bcd462

SHA512
909457bd18d8e1f3579a94a533586bee53dbc224f7766834c9a86f75abd9bbaf132b73b00ef1e726be15a37b9d0caf23af5ee55c2b32e5c329b18e9456bb073c

Download Submit