0cd73bee30519d106d78e480e70d373f2b174cf9876f1ebc065e6fcc73ef2fb5

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
30/04/2024, 18:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0cd73bee30519d106d78e480e70d373f2b174cf9876f1ebc065e6fcc73ef2fb5.exe
Size

3.1MB
MD5

34450bec792501ad136e35a466971577
SHA1

453571b7655d396e994ed37f1ca9e56b01bed423
SHA256

0cd73bee30519d106d78e480e70d373f2b174cf9876f1ebc065e6fcc73ef2fb5
SHA512

301eaf1de734c7b14aae122aef8ae6078795ae0e844ffe72e6266009cdc8bcee4afdf070cd6abb7d1a24a3735de12ad42f5ca052eee7f8111f595a14ceede3fa
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB/B/bSqz8b6LNXJqI:sxX7QnxrloE5dpUpIbVz8eLFc

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe	0cd73bee30519d106d78e480e70d373f2b174cf9876f1ebc065e6fcc73ef2fb5.exe

Executes dropped EXE 2 IoCs

pid	Process
2752	ecxbod.exe
2000	adobec.exe

Loads dropped DLL 2 IoCs

pid	Process
1600	0cd73bee30519d106d78e480e70d373f2b174cf9876f1ebc065e6fcc73ef2fb5.exe
1600	0cd73bee30519d106d78e480e70d373f2b174cf9876f1ebc065e6fcc73ef2fb5.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvDR\\adobec.exe"	0cd73bee30519d106d78e480e70d373f2b174cf9876f1ebc065e6fcc73ef2fb5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintLR\\optidevloc.exe"	0cd73bee30519d106d78e480e70d373f2b174cf9876f1ebc065e6fcc73ef2fb5.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1600	0cd73bee30519d106d78e480e70d373f2b174cf9876f1ebc065e6fcc73ef2fb5.exe
1600	0cd73bee30519d106d78e480e70d373f2b174cf9876f1ebc065e6fcc73ef2fb5.exe
2752	ecxbod.exe
2000	adobec.exe
2752	ecxbod.exe
2000	adobec.exe
2752	ecxbod.exe
2000	adobec.exe
2752	ecxbod.exe
2000	adobec.exe
2752	ecxbod.exe
2000	adobec.exe
2752	ecxbod.exe
2000	adobec.exe
2752	ecxbod.exe
2000	adobec.exe
2752	ecxbod.exe
2000	adobec.exe
2752	ecxbod.exe
2000	adobec.exe
2752	ecxbod.exe
2000	adobec.exe
2752	ecxbod.exe
2000	adobec.exe
2752	ecxbod.exe
2000	adobec.exe
2752	ecxbod.exe
2000	adobec.exe
2752	ecxbod.exe
2000	adobec.exe
2752	ecxbod.exe
2000	adobec.exe
2752	ecxbod.exe
2000	adobec.exe
2752	ecxbod.exe
2000	adobec.exe
2752	ecxbod.exe
2000	adobec.exe
2752	ecxbod.exe
2000	adobec.exe
2752	ecxbod.exe
2000	adobec.exe
2752	ecxbod.exe
2000	adobec.exe
2752	ecxbod.exe
2000	adobec.exe
2752	ecxbod.exe
2000	adobec.exe
2752	ecxbod.exe
2000	adobec.exe
2752	ecxbod.exe
2000	adobec.exe
2752	ecxbod.exe
2000	adobec.exe
2752	ecxbod.exe
2000	adobec.exe
2752	ecxbod.exe
2000	adobec.exe
2752	ecxbod.exe
2000	adobec.exe
2752	ecxbod.exe
2000	adobec.exe
2752	ecxbod.exe
2000	adobec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1600 wrote to memory of 2752	1600	0cd73bee30519d106d78e480e70d373f2b174cf9876f1ebc065e6fcc73ef2fb5.exe	28
PID 1600 wrote to memory of 2752	1600	0cd73bee30519d106d78e480e70d373f2b174cf9876f1ebc065e6fcc73ef2fb5.exe	28
PID 1600 wrote to memory of 2752	1600	0cd73bee30519d106d78e480e70d373f2b174cf9876f1ebc065e6fcc73ef2fb5.exe	28
PID 1600 wrote to memory of 2752	1600	0cd73bee30519d106d78e480e70d373f2b174cf9876f1ebc065e6fcc73ef2fb5.exe	28
PID 1600 wrote to memory of 2000	1600	0cd73bee30519d106d78e480e70d373f2b174cf9876f1ebc065e6fcc73ef2fb5.exe	29
PID 1600 wrote to memory of 2000	1600	0cd73bee30519d106d78e480e70d373f2b174cf9876f1ebc065e6fcc73ef2fb5.exe	29
PID 1600 wrote to memory of 2000	1600	0cd73bee30519d106d78e480e70d373f2b174cf9876f1ebc065e6fcc73ef2fb5.exe	29
PID 1600 wrote to memory of 2000	1600	0cd73bee30519d106d78e480e70d373f2b174cf9876f1ebc065e6fcc73ef2fb5.exe	29

C:\Users\Admin\AppData\Local\Temp\0cd73bee30519d106d78e480e70d373f2b174cf9876f1ebc065e6fcc73ef2fb5.exe
"C:\Users\Admin\AppData\Local\Temp\0cd73bee30519d106d78e480e70d373f2b174cf9876f1ebc065e6fcc73ef2fb5.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1600
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2752
- C:\SysDrvDR\adobec.exe
  C:\SysDrvDR\adobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintLR\optidevloc.exe

Filesize
3.1MB

MD5
a73045d34c9673865a7f452228ed9c09

SHA1
03f843b19725724c1ab4dbdd136fdda1cf944aea

SHA256
ae099e41a6b3c611ece4e4e53d1ea9c477eccddb5c5900627a05aba3e47f578c

SHA512
7c54f7434889ef997528fa14ad219a550d92b39ead62f0840020ef686c0716d5446ecf337afa962b4a7103acd3fa8a9c5a620b75f99a2959fb8c74487e9c9f7b

Download Submit
C:\MintLR\optidevloc.exe

Filesize
186KB

MD5
e1497a96257006caa28d9c50361ca0e9

SHA1
c6a9707192a47a7b8dc5e3daaba59fde6d853689

SHA256
e864959d0aac81ac1a02f0a0749d0cfd71b8e006a6789819f72c649aac78ed48

SHA512
893c8a4e110b9cb3efc35368f90b57e7ee2b9dd7f132d787dcd3ca537bd6d794b545606eb662142e26aa7211cf94614611da746c2797fcd90ff2ea5bd6aaf177

Download Submit
C:\SysDrvDR\adobec.exe

Filesize
3.1MB

MD5
9bc3eeaeb7b67e4187488f2fcc9212d2

SHA1
1ebbb28ae175e96a28b05db49e730856395d57ff

SHA256
38b9f9ee481e5e2340daf41a7e6574173695311fc2b6ffac5a48daf222438641

SHA512
a71ed2447c513fed139df85294988642915cdf83e4e5d4f017870921c16f196b01785feb1cf680b6803238410229224fe7841cde2e1c2be062b79018d9cd2667

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
170B

MD5
ae96dc4a9fbdba3fe7803621651e112e

SHA1
63fe599f2a86ae18e62e2f1f3e7cfb6494cc77e5

SHA256
85837d480495c27b9fa54c9c54aa60250174a17785ad25c99ee9e2b8ea28c535

SHA512
5d2c64dc53c032d0eab6cb3ecd192a6aa4bfd9ff7ef0df571f2dfd88ebbdc7fe6d88847fd87d345bfb5e1a4f855f17a6be0c0313b46ffab2355c5a5b8c92b309

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
e8cf51d8cb2dd5c194ffb2de476c9015

SHA1
cb1e1e3568b72f520088e0fec6bc288a7ec68941

SHA256
57597f2b4894a0fdc53fbb837605885a8a2ae9185c3a9723f8651c7b84ef092c

SHA512
82fd30470abd56a74f8356e9050560139e0c10b48985b1c985f047d69b3ec3a05c1d8ced9b47161570a83d727658842cd0ffb9accff4b9bbf4e9d18b1857e9b9

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe

Filesize
3.1MB

MD5
aafd840940eab8032dcb149d0bda8523

SHA1
fcf7353e31d160455ac9fca74fbf98e7c225964f

SHA256
b19a10c8e6bd33ca9299eccbe73ea2c09f6c862857170918be82221781d49aae

SHA512
b9ba8fb162801ce9bfcdeca79f2a3d960dc66f72d0e7cb54e2d5e6350b49fb41e834da7f0c1388ba79162d6893c03bed4aec06cdab973cb4b9110cceb1a544bd

Download Submit