7f3fdb14cacac7a8c573365aa63f0dc7af504bf18ffdb264c98c2ccafcc86342

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29/05/2024, 23:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f3fdb14cacac7a8c573365aa63f0dc7af504bf18ffdb264c98c2ccafcc86342.exe
Size

2.7MB
MD5

34f1cf40e5092db56f1c4563766da5ac
SHA1

0759ea0b3ab441f9dbad7c59d7f0f58a32f38fd6
SHA256

7f3fdb14cacac7a8c573365aa63f0dc7af504bf18ffdb264c98c2ccafcc86342
SHA512

18da13735c3c978aece4555dc49e62a09a5be2ecef665943ffb76b47d1a0251a37c5815a88a278c30fd9617aa413fdc891600aa79269dfa84d49830b5997417a
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBaB/bSq:sxX7QnxrloE5dpUp1bV

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe	7f3fdb14cacac7a8c573365aa63f0dc7af504bf18ffdb264c98c2ccafcc86342.exe

Executes dropped EXE 2 IoCs

pid	Process
2192	ecxopti.exe
2256	devdobec.exe

Loads dropped DLL 2 IoCs

pid	Process
2412	7f3fdb14cacac7a8c573365aa63f0dc7af504bf18ffdb264c98c2ccafcc86342.exe
2412	7f3fdb14cacac7a8c573365aa63f0dc7af504bf18ffdb264c98c2ccafcc86342.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeNL\\devdobec.exe"	7f3fdb14cacac7a8c573365aa63f0dc7af504bf18ffdb264c98c2ccafcc86342.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBTO\\dobaec.exe"	7f3fdb14cacac7a8c573365aa63f0dc7af504bf18ffdb264c98c2ccafcc86342.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2412	7f3fdb14cacac7a8c573365aa63f0dc7af504bf18ffdb264c98c2ccafcc86342.exe
2412	7f3fdb14cacac7a8c573365aa63f0dc7af504bf18ffdb264c98c2ccafcc86342.exe
2192	ecxopti.exe
2256	devdobec.exe
2192	ecxopti.exe
2256	devdobec.exe
2192	ecxopti.exe
2256	devdobec.exe
2192	ecxopti.exe
2256	devdobec.exe
2192	ecxopti.exe
2256	devdobec.exe
2192	ecxopti.exe
2256	devdobec.exe
2192	ecxopti.exe
2256	devdobec.exe
2192	ecxopti.exe
2256	devdobec.exe
2192	ecxopti.exe
2256	devdobec.exe
2192	ecxopti.exe
2256	devdobec.exe
2192	ecxopti.exe
2256	devdobec.exe
2192	ecxopti.exe
2256	devdobec.exe
2192	ecxopti.exe
2256	devdobec.exe
2192	ecxopti.exe
2256	devdobec.exe
2192	ecxopti.exe
2256	devdobec.exe
2192	ecxopti.exe
2256	devdobec.exe
2192	ecxopti.exe
2256	devdobec.exe
2192	ecxopti.exe
2256	devdobec.exe
2192	ecxopti.exe
2256	devdobec.exe
2192	ecxopti.exe
2256	devdobec.exe
2192	ecxopti.exe
2256	devdobec.exe
2192	ecxopti.exe
2256	devdobec.exe
2192	ecxopti.exe
2256	devdobec.exe
2192	ecxopti.exe
2256	devdobec.exe
2192	ecxopti.exe
2256	devdobec.exe
2192	ecxopti.exe
2256	devdobec.exe
2192	ecxopti.exe
2256	devdobec.exe
2192	ecxopti.exe
2256	devdobec.exe
2192	ecxopti.exe
2256	devdobec.exe
2192	ecxopti.exe
2256	devdobec.exe
2192	ecxopti.exe
2256	devdobec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 2192	2412	7f3fdb14cacac7a8c573365aa63f0dc7af504bf18ffdb264c98c2ccafcc86342.exe	28
PID 2412 wrote to memory of 2192	2412	7f3fdb14cacac7a8c573365aa63f0dc7af504bf18ffdb264c98c2ccafcc86342.exe	28
PID 2412 wrote to memory of 2192	2412	7f3fdb14cacac7a8c573365aa63f0dc7af504bf18ffdb264c98c2ccafcc86342.exe	28
PID 2412 wrote to memory of 2192	2412	7f3fdb14cacac7a8c573365aa63f0dc7af504bf18ffdb264c98c2ccafcc86342.exe	28
PID 2412 wrote to memory of 2256	2412	7f3fdb14cacac7a8c573365aa63f0dc7af504bf18ffdb264c98c2ccafcc86342.exe	29
PID 2412 wrote to memory of 2256	2412	7f3fdb14cacac7a8c573365aa63f0dc7af504bf18ffdb264c98c2ccafcc86342.exe	29
PID 2412 wrote to memory of 2256	2412	7f3fdb14cacac7a8c573365aa63f0dc7af504bf18ffdb264c98c2ccafcc86342.exe	29
PID 2412 wrote to memory of 2256	2412	7f3fdb14cacac7a8c573365aa63f0dc7af504bf18ffdb264c98c2ccafcc86342.exe	29

C:\Users\Admin\AppData\Local\Temp\7f3fdb14cacac7a8c573365aa63f0dc7af504bf18ffdb264c98c2ccafcc86342.exe
"C:\Users\Admin\AppData\Local\Temp\7f3fdb14cacac7a8c573365aa63f0dc7af504bf18ffdb264c98c2ccafcc86342.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2192
- C:\AdobeNL\devdobec.exe
  C:\AdobeNL\devdobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeNL\devdobec.exe

Filesize
2.7MB

MD5
5585bca2f066a09b580f36c69e598549

SHA1
eb38e22c7354449d7d17c2632e5c71db0a7d9ada

SHA256
7e27676f595d5b0f3bacbe774c3177a9837ddff27a6186a44002ba31628af0e2

SHA512
90efa871cb46e1e36a5414a5625a9e8909a91a2191193f9f9b36005e3bc3946af9a3f2711e86784c02fee3b25197c39dd36ad7f6ea3ea83c2e0d683a977c960c

Download Submit
C:\KaVBTO\dobaec.exe

Filesize
2.7MB

MD5
6a66684961e137b445dfb22c7a9d5d93

SHA1
4bde8899ca1c5730281e47f484f9c21325f76774

SHA256
7d10874e17e59e4b953c559b39ef1d7eb55d47b9855527eb775691de786b97cf

SHA512
a9193864843bdc57cd96f802ae52efae2ea01552123d0b20c16be09dd5ab0fe2e676684053c8988d8b93d8fb8516e7b4653a2bb529fa13c924e2982d11dfa12b

Download Submit
C:\KaVBTO\dobaec.exe

Filesize
2.7MB

MD5
53071b407bb2286de4d6c6ce82a904b2

SHA1
7bfdcc439db5c396f0227194b9048ea5254f8b94

SHA256
2371671b06571832adacbca43b672bcbddbbacfd1bcc33945478961c7a497262

SHA512
7547104cc35962bb69429072eb23d1f77f359d49fc3e79191ac11cfe3cdd0be0d10c91f87269c5a5218895de3cf7b548bac5feae6ff5f5244706646dd07d299d

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
168B

MD5
f48ed8ca53b4910a3ac74d879b6722a5

SHA1
d1bf9db39d946bba9f11e4975d764fdb4010dce5

SHA256
5d161c3a1350b90f0aeb30ddd7e3844e83c547acfb6ad04d053c35181861200b

SHA512
cc7269285cc16bd5e15d9f99d81ff24ed604596816b2f066dbe541b729bcb22af6a822fb1590364ecb44b5e3d938bb9d80391f19de29658bb65f88a87f4a2490

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
200B

MD5
db762784a7409e2d6fe19cafe3eb6e00

SHA1
e7a81295316ea6bf0a825ff3029142ff4e0d36eb

SHA256
b334d90e8f6db816bc96f44ea671bf6a2326ed3271cc432660310a9ca69a19b5

SHA512
6ebd122cbfd1565c62b8234a093c39f02b35512ecd2255b7b75a594f90b67a8a4a43030e739cafadb714141415d69dd7efcd75d2f872796905b868567915e61e

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe

Filesize
2.7MB

MD5
e8ef503c11a7bd5b03d09f44e2b5fea2

SHA1
b6cd8211574da4042df287a124955fe484860253

SHA256
0a5f82325a3b90b53c5acf33f5de2b9927c3fb7259c40534c59f3b11b6efbbca

SHA512
64fe7e9a1d1fa1bc0263a4b5e9b693d70b19f8442a56e177260e1a4ab8e3857bd9c513927e852f403726489185d321c5c007508279e9dd3659611e3763092128

Download Submit