22c812c53fc5f9f7ab09fd5358518ac35cb92ff7e03ddd51f032c78a25098be8

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
25/05/2024, 19:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

22c812c53fc5f9f7ab09fd5358518ac35cb92ff7e03ddd51f032c78a25098be8.exe
Size

3.9MB
MD5

0c045e57d9154f6269f04de28356220f
SHA1

f22c1dd3ceeefabd3f55f9f575954537c1b28b07
SHA256

22c812c53fc5f9f7ab09fd5358518ac35cb92ff7e03ddd51f032c78a25098be8
SHA512

ce6c5ead8f9d8325f72724bf78d2725504de6cbe338acf1e574a86a3575f2c15ea092273d468a2367a5351e143e4fea8d3395c383a38d90019fb8d3138b6dd55
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBxB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpubVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe	22c812c53fc5f9f7ab09fd5358518ac35cb92ff7e03ddd51f032c78a25098be8.exe

Executes dropped EXE 2 IoCs

pid	Process
2796	ecxbod.exe
2812	devoptisys.exe

Loads dropped DLL 2 IoCs

pid	Process
2296	22c812c53fc5f9f7ab09fd5358518ac35cb92ff7e03ddd51f032c78a25098be8.exe
2296	22c812c53fc5f9f7ab09fd5358518ac35cb92ff7e03ddd51f032c78a25098be8.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeRP\\devoptisys.exe"	22c812c53fc5f9f7ab09fd5358518ac35cb92ff7e03ddd51f032c78a25098be8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxHQ\\optixloc.exe"	22c812c53fc5f9f7ab09fd5358518ac35cb92ff7e03ddd51f032c78a25098be8.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2296	22c812c53fc5f9f7ab09fd5358518ac35cb92ff7e03ddd51f032c78a25098be8.exe
2296	22c812c53fc5f9f7ab09fd5358518ac35cb92ff7e03ddd51f032c78a25098be8.exe
2796	ecxbod.exe
2812	devoptisys.exe
2796	ecxbod.exe
2812	devoptisys.exe
2796	ecxbod.exe
2812	devoptisys.exe
2796	ecxbod.exe
2812	devoptisys.exe
2796	ecxbod.exe
2812	devoptisys.exe
2796	ecxbod.exe
2812	devoptisys.exe
2796	ecxbod.exe
2812	devoptisys.exe
2796	ecxbod.exe
2812	devoptisys.exe
2796	ecxbod.exe
2812	devoptisys.exe
2796	ecxbod.exe
2812	devoptisys.exe
2796	ecxbod.exe
2812	devoptisys.exe
2796	ecxbod.exe
2812	devoptisys.exe
2796	ecxbod.exe
2812	devoptisys.exe
2796	ecxbod.exe
2812	devoptisys.exe
2796	ecxbod.exe
2812	devoptisys.exe
2796	ecxbod.exe
2812	devoptisys.exe
2796	ecxbod.exe
2812	devoptisys.exe
2796	ecxbod.exe
2812	devoptisys.exe
2796	ecxbod.exe
2812	devoptisys.exe
2796	ecxbod.exe
2812	devoptisys.exe
2796	ecxbod.exe
2812	devoptisys.exe
2796	ecxbod.exe
2812	devoptisys.exe
2796	ecxbod.exe
2812	devoptisys.exe
2796	ecxbod.exe
2812	devoptisys.exe
2796	ecxbod.exe
2812	devoptisys.exe
2796	ecxbod.exe
2812	devoptisys.exe
2796	ecxbod.exe
2812	devoptisys.exe
2796	ecxbod.exe
2812	devoptisys.exe
2796	ecxbod.exe
2812	devoptisys.exe
2796	ecxbod.exe
2812	devoptisys.exe
2796	ecxbod.exe
2812	devoptisys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 2796	2296	22c812c53fc5f9f7ab09fd5358518ac35cb92ff7e03ddd51f032c78a25098be8.exe	28
PID 2296 wrote to memory of 2796	2296	22c812c53fc5f9f7ab09fd5358518ac35cb92ff7e03ddd51f032c78a25098be8.exe	28
PID 2296 wrote to memory of 2796	2296	22c812c53fc5f9f7ab09fd5358518ac35cb92ff7e03ddd51f032c78a25098be8.exe	28
PID 2296 wrote to memory of 2796	2296	22c812c53fc5f9f7ab09fd5358518ac35cb92ff7e03ddd51f032c78a25098be8.exe	28
PID 2296 wrote to memory of 2812	2296	22c812c53fc5f9f7ab09fd5358518ac35cb92ff7e03ddd51f032c78a25098be8.exe	29
PID 2296 wrote to memory of 2812	2296	22c812c53fc5f9f7ab09fd5358518ac35cb92ff7e03ddd51f032c78a25098be8.exe	29
PID 2296 wrote to memory of 2812	2296	22c812c53fc5f9f7ab09fd5358518ac35cb92ff7e03ddd51f032c78a25098be8.exe	29
PID 2296 wrote to memory of 2812	2296	22c812c53fc5f9f7ab09fd5358518ac35cb92ff7e03ddd51f032c78a25098be8.exe	29

C:\Users\Admin\AppData\Local\Temp\22c812c53fc5f9f7ab09fd5358518ac35cb92ff7e03ddd51f032c78a25098be8.exe
"C:\Users\Admin\AppData\Local\Temp\22c812c53fc5f9f7ab09fd5358518ac35cb92ff7e03ddd51f032c78a25098be8.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2796
- C:\AdobeRP\devoptisys.exe
  C:\AdobeRP\devoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeRP\devoptisys.exe

Filesize
10KB

MD5
1b916c50de9513bd35995ff6e69aef92

SHA1
52937fef400b241d4a8b1ddd227652b7c677d4bb

SHA256
87b86902356dc8919842b25007d34f46886d02128a2a02cb251d67dde3bccbe0

SHA512
7d45f793fac4540d35fd63f20caf5172cb11727e67a9016311072bbe1de9cbfac63ba2f8cb9bc93bb3b067ce7a65d0ee23b7d88fc199ffd6728e49343007d85e

Download Submit
C:\GalaxHQ\optixloc.exe

Filesize
3.9MB

MD5
3513fd547c99bf32703f7afb07ca6e33

SHA1
3769e853ed89ad36ab049152b91b1824c9a3a228

SHA256
57218852deb1e07d48fa672637088e218a1fbd6489e7206dd2e76cabd75f7318

SHA512
345cf319d379ba01b4e987ef8f0fc123861c789a20a123858dd9ac73aeee73c7d064e36b38a89498b8681b55831a0f4548738e1d8672a65a1b3b28f89ec873e7

Download Submit
C:\GalaxHQ\optixloc.exe

Filesize
3.9MB

MD5
97d3dd19556041f4de828f54c6f83084

SHA1
775b6aedd971261b509a678aca40857fa82bceee

SHA256
6fdcd3b057e3905e3b7a2d2b9ec7f3b2cc93594d71468ef11f277777d1656ad0

SHA512
80c8cfb99c501beae45ce9f35fd7a30c7f0e525a9c90ce1a78a7c3185959eba58a018c0ec7dff7ae4ccd05cc6ccacbeed714f1a2ada2aa34db9d4457a093703f

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
172B

MD5
c8b7876f59e3119cd28f1fea29078175

SHA1
a7eafe7579f5fd3a5c0fa4f7a282855412868671

SHA256
f0990eb8c9641b775414e278a65fa8bf1898239d1808feef00a8fb2f9ab7cf23

SHA512
bda1cced36b9d7980aa5ad15ab3cadf9814fb194baf53354c21d1f0102d1f5eaef14ccc3efb99168e732756369db238f2ac02f13ee52671b366607e491f2f08c

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
ee55dde3ca708ef848d64b27437e69bd

SHA1
eda7447694f6c248e8d3208019eecfa48e34f510

SHA256
cd1667afe3b912a21d5de304a17d6acaea339771c077971eeb5f8b9e0bea8b72

SHA512
3d5a5f600cf63f0c68c04aa56ca5fbed8a96c7943019132743d8e4fcab4007ba5e6e24ffb342ed6050bfd9333af552c3401ce8e82d5c2591078ef772f4cea75a

Download Submit
\AdobeRP\devoptisys.exe

Filesize
3.9MB

MD5
b05f78e5d30521237c0f2e2a595a996d

SHA1
54483d3ecaa07d261844db1b4a3f1e2c7c387118

SHA256
b834d14296fcb1275858698b9fba955192f8a7110f5a5b3074ae6e164359f9f7

SHA512
e8af294b0b2047f9b95408cf976d084a65fc7418c09913f075d2e0c26d9fa7aa0ceb8eb7c2a263806aebd8e2585719e17bdc265b048d0eca16a86c166eb567c1

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe

Filesize
3.9MB

MD5
96b583c0b11d4f81f389e81fe276382e

SHA1
d5d53e2adb5ab59f0bfc6b1b53f0f3b3a4b8dfb5

SHA256
26b696292b9e326b5da70d11b8ace72b2ce2977f1d4714af34dfea4a49a34f53

SHA512
365e2a8b2ac1d18276c388de331c86dccb0661569800692765c82e133858d14d5c1f60e89aed98e24bdbe59ea726f65f3bb49b6fc5d9c4265c1917cde0111d22

Download Submit