2c1ecf3cf815fcf23ba8778b0d20b97a26bb538680e35c28915156e99e3db292

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
01/05/2024, 19:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2c1ecf3cf815fcf23ba8778b0d20b97a26bb538680e35c28915156e99e3db292.exe
Size

4.0MB
MD5

0253ba9d4250a6a74af36fd975426248
SHA1

43cd392253fcb49c97149e304fccac6a0c81d915
SHA256

2c1ecf3cf815fcf23ba8778b0d20b97a26bb538680e35c28915156e99e3db292
SHA512

8349bcdd32671c557d8151f29f8d001e13d0122cbf6c390406c0068894ea16ce2af0da6da22750c7c6d94a8f00e9b8edbbeadad2703af1c167ef5868b6bf44ea
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBDB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUp4bVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe	2c1ecf3cf815fcf23ba8778b0d20b97a26bb538680e35c28915156e99e3db292.exe

Executes dropped EXE 2 IoCs

pid	Process
2196	ecxbod.exe
1396	devoptisys.exe

Loads dropped DLL 2 IoCs

pid	Process
2240	2c1ecf3cf815fcf23ba8778b0d20b97a26bb538680e35c28915156e99e3db292.exe
2240	2c1ecf3cf815fcf23ba8778b0d20b97a26bb538680e35c28915156e99e3db292.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeRP\\devoptisys.exe"	2c1ecf3cf815fcf23ba8778b0d20b97a26bb538680e35c28915156e99e3db292.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxHQ\\optixloc.exe"	2c1ecf3cf815fcf23ba8778b0d20b97a26bb538680e35c28915156e99e3db292.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2240	2c1ecf3cf815fcf23ba8778b0d20b97a26bb538680e35c28915156e99e3db292.exe
2240	2c1ecf3cf815fcf23ba8778b0d20b97a26bb538680e35c28915156e99e3db292.exe
2196	ecxbod.exe
1396	devoptisys.exe
2196	ecxbod.exe
1396	devoptisys.exe
2196	ecxbod.exe
1396	devoptisys.exe
2196	ecxbod.exe
1396	devoptisys.exe
2196	ecxbod.exe
1396	devoptisys.exe
2196	ecxbod.exe
1396	devoptisys.exe
2196	ecxbod.exe
1396	devoptisys.exe
2196	ecxbod.exe
1396	devoptisys.exe
2196	ecxbod.exe
1396	devoptisys.exe
2196	ecxbod.exe
1396	devoptisys.exe
2196	ecxbod.exe
1396	devoptisys.exe
2196	ecxbod.exe
1396	devoptisys.exe
2196	ecxbod.exe
1396	devoptisys.exe
2196	ecxbod.exe
1396	devoptisys.exe
2196	ecxbod.exe
1396	devoptisys.exe
2196	ecxbod.exe
1396	devoptisys.exe
2196	ecxbod.exe
1396	devoptisys.exe
2196	ecxbod.exe
1396	devoptisys.exe
2196	ecxbod.exe
1396	devoptisys.exe
2196	ecxbod.exe
1396	devoptisys.exe
2196	ecxbod.exe
1396	devoptisys.exe
2196	ecxbod.exe
1396	devoptisys.exe
2196	ecxbod.exe
1396	devoptisys.exe
2196	ecxbod.exe
1396	devoptisys.exe
2196	ecxbod.exe
1396	devoptisys.exe
2196	ecxbod.exe
1396	devoptisys.exe
2196	ecxbod.exe
1396	devoptisys.exe
2196	ecxbod.exe
1396	devoptisys.exe
2196	ecxbod.exe
1396	devoptisys.exe
2196	ecxbod.exe
1396	devoptisys.exe
2196	ecxbod.exe
1396	devoptisys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2196	2240	2c1ecf3cf815fcf23ba8778b0d20b97a26bb538680e35c28915156e99e3db292.exe	28
PID 2240 wrote to memory of 2196	2240	2c1ecf3cf815fcf23ba8778b0d20b97a26bb538680e35c28915156e99e3db292.exe	28
PID 2240 wrote to memory of 2196	2240	2c1ecf3cf815fcf23ba8778b0d20b97a26bb538680e35c28915156e99e3db292.exe	28
PID 2240 wrote to memory of 2196	2240	2c1ecf3cf815fcf23ba8778b0d20b97a26bb538680e35c28915156e99e3db292.exe	28
PID 2240 wrote to memory of 1396	2240	2c1ecf3cf815fcf23ba8778b0d20b97a26bb538680e35c28915156e99e3db292.exe	29
PID 2240 wrote to memory of 1396	2240	2c1ecf3cf815fcf23ba8778b0d20b97a26bb538680e35c28915156e99e3db292.exe	29
PID 2240 wrote to memory of 1396	2240	2c1ecf3cf815fcf23ba8778b0d20b97a26bb538680e35c28915156e99e3db292.exe	29
PID 2240 wrote to memory of 1396	2240	2c1ecf3cf815fcf23ba8778b0d20b97a26bb538680e35c28915156e99e3db292.exe	29

C:\Users\Admin\AppData\Local\Temp\2c1ecf3cf815fcf23ba8778b0d20b97a26bb538680e35c28915156e99e3db292.exe
"C:\Users\Admin\AppData\Local\Temp\2c1ecf3cf815fcf23ba8778b0d20b97a26bb538680e35c28915156e99e3db292.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2196
- C:\AdobeRP\devoptisys.exe
  C:\AdobeRP\devoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeRP\devoptisys.exe

Filesize
4.0MB

MD5
679fe7b4eeec0c3246363aafb8bde592

SHA1
ef8b367d6c4c61e79bc5c03cdcd756891a99804f

SHA256
7b7797872afe8ed802a5053b161fbb0383c585fb357328d8cd0d814a278fe272

SHA512
f937aece4d6be273c7ff2e0ec7894b16d3c9a7d47dd6711832768e9641090b7e437a383e499a3189b22fee1a5ee9e3aac5cd2df946315d2d122c26a2e3aeffc5

Download Submit
C:\GalaxHQ\optixloc.exe

Filesize
2.3MB

MD5
68670fd26bba417d3fcfa244eeb0cd46

SHA1
d3615dbb26d81ecb5d39ec43cd18dfb9d5d938f4

SHA256
4d7a3fbda5b455a064b773f06e967177e9b06926828a2501f87ca0e6b7b9ea4d

SHA512
2e13d7cbc314516c5afb074b0b2185dbfaecf68b4fd9b655cefdfd44943a6a4db74ead91cb8761682ce56be0123be2f6e7efa8b009b7c37493b900fe8f7d3d53

Download Submit
C:\GalaxHQ\optixloc.exe

Filesize
4.0MB

MD5
be780c9e72df9963f864ba59718d4106

SHA1
c7cb36bfdeee2ad759f7376aff90b9db7a4c8a79

SHA256
b6b4569bf7b741338ae824c5dab78fd57e0dda2c2da72ad9fca29533754fc54e

SHA512
5f78304c64b90e6fe5b93c9f8fde07c75b22a581c716fbf4da5336fa0570a331df420757a1e4b7f1414ee32ecce9dac85c3b819a102fff51c8cd5b5f69ad67d0

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
172B

MD5
c8b7876f59e3119cd28f1fea29078175

SHA1
a7eafe7579f5fd3a5c0fa4f7a282855412868671

SHA256
f0990eb8c9641b775414e278a65fa8bf1898239d1808feef00a8fb2f9ab7cf23

SHA512
bda1cced36b9d7980aa5ad15ab3cadf9814fb194baf53354c21d1f0102d1f5eaef14ccc3efb99168e732756369db238f2ac02f13ee52671b366607e491f2f08c

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
ee55dde3ca708ef848d64b27437e69bd

SHA1
eda7447694f6c248e8d3208019eecfa48e34f510

SHA256
cd1667afe3b912a21d5de304a17d6acaea339771c077971eeb5f8b9e0bea8b72

SHA512
3d5a5f600cf63f0c68c04aa56ca5fbed8a96c7943019132743d8e4fcab4007ba5e6e24ffb342ed6050bfd9333af552c3401ce8e82d5c2591078ef772f4cea75a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe

Filesize
4.0MB

MD5
21c5dc93a4734e2121677f0d82f69080

SHA1
c1a441b7737b55cff4072cc18114e63f63a4dd20

SHA256
99519d596c3e3dd60f6a119d5e41b410f0c6f33fd732a2b206a40c141d3810e7

SHA512
77fb4608a0fa4bad4ff7f9951ab57f9c94113f4d8b62b802fd2f0e803b390b5a159879103c0a050cef2b02c824d3aa4fdea8aef4d5644626412936fd4ed49c4c

Download Submit