3b409decd09409a083ebf29e2f5bc8b57b2899ef7eadaa4fdc689cc5d341d3a7

General

Target

3b409decd09409a083ebf29e2f5bc8b57b2899ef7eadaa4fdc689cc5d341d3a7.exe
Size

4.0MB
MD5

0bc2a6be9c70c4b4a8c3a4e1c8b6fd58
SHA1

6d76ba30b6723ee6036470aea1d26d52edb3f2af
SHA256

3b409decd09409a083ebf29e2f5bc8b57b2899ef7eadaa4fdc689cc5d341d3a7
SHA512

f1eeeb2aa921ffe0b04f287c1c1e3aef4b59a191c4239629f3d32ad9917f29e72d99f9e78962536f65f8ef8c40bb663a8fc41758003816a0ea3d400bdb5f92b2
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBmB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUplbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

3b409decd09409a083ebf29e2f5bc8b57b2899ef7eadaa4fdc689cc5d341d3a7.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe	3b409decd09409a083ebf29e2f5bc8b57b2899ef7eadaa4fdc689cc5d341d3a7.exe

Executes dropped EXE 2 IoCs

Processes:

ecxopti.exeadobloc.exe

pid process

1408 ecxopti.exe
4876 adobloc.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1408	ecxopti.exe
4876	adobloc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

3b409decd09409a083ebf29e2f5bc8b57b2899ef7eadaa4fdc689cc5d341d3a7.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesBV\\adobloc.exe"	3b409decd09409a083ebf29e2f5bc8b57b2899ef7eadaa4fdc689cc5d341d3a7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidUS\\dobaloc.exe"	3b409decd09409a083ebf29e2f5bc8b57b2899ef7eadaa4fdc689cc5d341d3a7.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3b409decd09409a083ebf29e2f5bc8b57b2899ef7eadaa4fdc689cc5d341d3a7.exeecxopti.exeadobloc.exe

pid	process
1392	3b409decd09409a083ebf29e2f5bc8b57b2899ef7eadaa4fdc689cc5d341d3a7.exe
1392	3b409decd09409a083ebf29e2f5bc8b57b2899ef7eadaa4fdc689cc5d341d3a7.exe
1392	3b409decd09409a083ebf29e2f5bc8b57b2899ef7eadaa4fdc689cc5d341d3a7.exe
1392	3b409decd09409a083ebf29e2f5bc8b57b2899ef7eadaa4fdc689cc5d341d3a7.exe
1408	ecxopti.exe
1408	ecxopti.exe
4876	adobloc.exe
4876	adobloc.exe
1408	ecxopti.exe
1408	ecxopti.exe
4876	adobloc.exe
4876	adobloc.exe
1408	ecxopti.exe
1408	ecxopti.exe
4876	adobloc.exe
4876	adobloc.exe
1408	ecxopti.exe
1408	ecxopti.exe
4876	adobloc.exe
4876	adobloc.exe
1408	ecxopti.exe
1408	ecxopti.exe
4876	adobloc.exe
4876	adobloc.exe
1408	ecxopti.exe
1408	ecxopti.exe
4876	adobloc.exe
4876	adobloc.exe
1408	ecxopti.exe
1408	ecxopti.exe
4876	adobloc.exe
4876	adobloc.exe
1408	ecxopti.exe
1408	ecxopti.exe
4876	adobloc.exe
4876	adobloc.exe
1408	ecxopti.exe
1408	ecxopti.exe
4876	adobloc.exe
4876	adobloc.exe
1408	ecxopti.exe
1408	ecxopti.exe
4876	adobloc.exe
4876	adobloc.exe
1408	ecxopti.exe
1408	ecxopti.exe
4876	adobloc.exe
4876	adobloc.exe
1408	ecxopti.exe
1408	ecxopti.exe
4876	adobloc.exe
4876	adobloc.exe
1408	ecxopti.exe
1408	ecxopti.exe
4876	adobloc.exe
4876	adobloc.exe
1408	ecxopti.exe
1408	ecxopti.exe
4876	adobloc.exe
4876	adobloc.exe
1408	ecxopti.exe
1408	ecxopti.exe
4876	adobloc.exe
4876	adobloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

3b409decd09409a083ebf29e2f5bc8b57b2899ef7eadaa4fdc689cc5d341d3a7.exe

description	pid	process	target process
PID 1392 wrote to memory of 1408	1392	3b409decd09409a083ebf29e2f5bc8b57b2899ef7eadaa4fdc689cc5d341d3a7.exe	ecxopti.exe
PID 1392 wrote to memory of 1408	1392	3b409decd09409a083ebf29e2f5bc8b57b2899ef7eadaa4fdc689cc5d341d3a7.exe	ecxopti.exe
PID 1392 wrote to memory of 1408	1392	3b409decd09409a083ebf29e2f5bc8b57b2899ef7eadaa4fdc689cc5d341d3a7.exe	ecxopti.exe
PID 1392 wrote to memory of 4876	1392	3b409decd09409a083ebf29e2f5bc8b57b2899ef7eadaa4fdc689cc5d341d3a7.exe	adobloc.exe
PID 1392 wrote to memory of 4876	1392	3b409decd09409a083ebf29e2f5bc8b57b2899ef7eadaa4fdc689cc5d341d3a7.exe	adobloc.exe
PID 1392 wrote to memory of 4876	1392	3b409decd09409a083ebf29e2f5bc8b57b2899ef7eadaa4fdc689cc5d341d3a7.exe	adobloc.exe

C:\Users\Admin\AppData\Local\Temp\3b409decd09409a083ebf29e2f5bc8b57b2899ef7eadaa4fdc689cc5d341d3a7.exe
"C:\Users\Admin\AppData\Local\Temp\3b409decd09409a083ebf29e2f5bc8b57b2899ef7eadaa4fdc689cc5d341d3a7.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1392

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1408

C:\FilesBV\adobloc.exe
C:\FilesBV\adobloc.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4876

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1424,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=3944 /prefetch:8
1⤵
PID:3448

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesBV\adobloc.exe
Filesize
2.4MB

MD5
88417268673d05db54c467f3ca48c5df

SHA1
204d5441d9230eb869c84d63076356b76cd3b1bb

SHA256
28b87b0c9149cb0c3b5177914028dad4bc6a10dbf96e1a22d5665e0e11a0afb0

SHA512
188fe2f2b513355fd484490bd9247b233dada03e622219a7b35ae5a3244b1ac71bd7a8da3ebb5b8f041bfae0edf7ba7fffcfff4ff8a42fad0ea26f41a87cd1f0

Download Submit
C:\FilesBV\adobloc.exe
Filesize
4.0MB

MD5
32d13747b6c5d1deadfc8a474fcc9720

SHA1
428b7f658e9e2ae34fb1fcd8f07ff6a4bd0e3b57

SHA256
078afe83a7c993d593ff52df08c4d7d0871af188d9bdf641a897e908bcc98fb7

SHA512
400591e65a54827cc7c3b3f869bcf4ef04863b2b516e78b9a5aca98d4fcb3a6ec324656214397f269530e50c863550a57329746b6ff6be37ef116355f15ba8c2

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini
Filesize
199B

MD5
d82ec2b5c0491a2298ff1597336997d5

SHA1
16ba466f4ee09733c35703adf5b044568712661f

SHA256
77d0b4115fcb88ecf104ff7f991507234c0c59a3e490727408cf098db1b550a5

SHA512
3a18acf17d44a7ae8c2346b66a8ec60cd41282b5082f3c3f8aa3620c1bd0de76772d8b3d6be19905f047b5263e167c4f008900dc9ebebec1d0d4f54b91da6c08

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini
Filesize
167B

MD5
f4821be3ee0ce4a1f554d037a44d65f0

SHA1
a29d891704413eb8927d394b0f2c811ae74e33b0

SHA256
6b02ac29c3f2b5213fb9ab582ef519d1029875cb26cb9eeed29a1822c704b375

SHA512
e2b4ef1ce75747ddfeb8d9c8e53c9e88f17125ef19c43a3636018f96bf7a56ac0791f7d4a7294d07105c789707d798cacbcc4f0926eb4e43259c84757ed9851f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
Filesize
4.0MB

MD5
1ec4b2a0474158acb5588bc1ef8ac180

SHA1
0aa34ea932fc5a6a19c1c328a1c06d190814cf85

SHA256
2d0d32b958df8f5c94e5c11cec874bb7db48cc9ba10b2e38be6ec3105cf7f6b1

SHA512
0da49be47f730c2f9380c07dd26cd5bd6c3c544996e7f448c94e0b345c2d7e19b73eab273599fdbfa343cbb069404517709ec2bf57665d92811e25ce443d164c

Download Submit
C:\VidUS\dobaloc.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\VidUS\dobaloc.exe
Filesize
4.0MB

MD5
d5d452f7e4761b559c9376220bf8fe3a

SHA1
115db9fd602b0f4c0aae2a51543d88966c9de8ea

SHA256
d57db5061054ff287ce904d77335015df64cdd65fc949f19ea30b0c3b6c26e70

SHA512
846491e6a6426d9a2bb6846ef98ea605a505564388c52b170a29ce848af66825db58ee797cf0f0eca85477a75c21b42263c485967ce09910b1a2329a9c0be129

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads