1cebad6e254fc608c339b86e882b4b71a5bfd5920655117daeac3b0203ea1f1e

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01/06/2024, 19:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1cebad6e254fc608c339b86e882b4b71a5bfd5920655117daeac3b0203ea1f1e.exe
Size

3.1MB
MD5

31cab91b730e265033025e4a309695e0
SHA1

308b1965cdb522f8342ab9585d1cda5d084a8fd5
SHA256

1cebad6e254fc608c339b86e882b4b71a5bfd5920655117daeac3b0203ea1f1e
SHA512

e82c2c61d81d5ae730fa965555a06146f67fd9b4a72c0ff529a683298b758b181b8a347ba18cdeff3a9556d6d2fcfc47e8bb7c5083982b09ce4988f3f8720160
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBbB/bSqz8b6LNXJqI:sxX7QnxrloE5dpUpYbVz8eLFc

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe	1cebad6e254fc608c339b86e882b4b71a5bfd5920655117daeac3b0203ea1f1e.exe

Executes dropped EXE 2 IoCs

pid	Process
3416	ecxdob.exe
1032	devoptiec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvYP\\devoptiec.exe"	1cebad6e254fc608c339b86e882b4b71a5bfd5920655117daeac3b0203ea1f1e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidEQ\\dobxloc.exe"	1cebad6e254fc608c339b86e882b4b71a5bfd5920655117daeac3b0203ea1f1e.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4532	1cebad6e254fc608c339b86e882b4b71a5bfd5920655117daeac3b0203ea1f1e.exe
4532	1cebad6e254fc608c339b86e882b4b71a5bfd5920655117daeac3b0203ea1f1e.exe
4532	1cebad6e254fc608c339b86e882b4b71a5bfd5920655117daeac3b0203ea1f1e.exe
4532	1cebad6e254fc608c339b86e882b4b71a5bfd5920655117daeac3b0203ea1f1e.exe
3416	ecxdob.exe
3416	ecxdob.exe
1032	devoptiec.exe
1032	devoptiec.exe
3416	ecxdob.exe
3416	ecxdob.exe
1032	devoptiec.exe
1032	devoptiec.exe
3416	ecxdob.exe
3416	ecxdob.exe
1032	devoptiec.exe
1032	devoptiec.exe
3416	ecxdob.exe
3416	ecxdob.exe
1032	devoptiec.exe
1032	devoptiec.exe
3416	ecxdob.exe
3416	ecxdob.exe
1032	devoptiec.exe
1032	devoptiec.exe
3416	ecxdob.exe
3416	ecxdob.exe
1032	devoptiec.exe
1032	devoptiec.exe
3416	ecxdob.exe
3416	ecxdob.exe
1032	devoptiec.exe
1032	devoptiec.exe
3416	ecxdob.exe
3416	ecxdob.exe
1032	devoptiec.exe
1032	devoptiec.exe
3416	ecxdob.exe
3416	ecxdob.exe
1032	devoptiec.exe
1032	devoptiec.exe
3416	ecxdob.exe
3416	ecxdob.exe
1032	devoptiec.exe
1032	devoptiec.exe
3416	ecxdob.exe
3416	ecxdob.exe
1032	devoptiec.exe
1032	devoptiec.exe
3416	ecxdob.exe
3416	ecxdob.exe
1032	devoptiec.exe
1032	devoptiec.exe
3416	ecxdob.exe
3416	ecxdob.exe
1032	devoptiec.exe
1032	devoptiec.exe
3416	ecxdob.exe
3416	ecxdob.exe
1032	devoptiec.exe
1032	devoptiec.exe
3416	ecxdob.exe
3416	ecxdob.exe
1032	devoptiec.exe
1032	devoptiec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4532 wrote to memory of 3416	4532	1cebad6e254fc608c339b86e882b4b71a5bfd5920655117daeac3b0203ea1f1e.exe	85
PID 4532 wrote to memory of 3416	4532	1cebad6e254fc608c339b86e882b4b71a5bfd5920655117daeac3b0203ea1f1e.exe	85
PID 4532 wrote to memory of 3416	4532	1cebad6e254fc608c339b86e882b4b71a5bfd5920655117daeac3b0203ea1f1e.exe	85
PID 4532 wrote to memory of 1032	4532	1cebad6e254fc608c339b86e882b4b71a5bfd5920655117daeac3b0203ea1f1e.exe	86
PID 4532 wrote to memory of 1032	4532	1cebad6e254fc608c339b86e882b4b71a5bfd5920655117daeac3b0203ea1f1e.exe	86
PID 4532 wrote to memory of 1032	4532	1cebad6e254fc608c339b86e882b4b71a5bfd5920655117daeac3b0203ea1f1e.exe	86

C:\Users\Admin\AppData\Local\Temp\1cebad6e254fc608c339b86e882b4b71a5bfd5920655117daeac3b0203ea1f1e.exe
"C:\Users\Admin\AppData\Local\Temp\1cebad6e254fc608c339b86e882b4b71a5bfd5920655117daeac3b0203ea1f1e.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4532
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3416
- C:\SysDrvYP\devoptiec.exe
  C:\SysDrvYP\devoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\SysDrvYP\devoptiec.exe

Filesize
3.1MB

MD5
68e9d2ce9fa66f970635d3320fceef83

SHA1
c954368e8504a7f1de355a559154bacdefe796b3

SHA256
30195169ea985acdc799e7d7786b01fdd02f2685ca46efd6a5f700041f977446

SHA512
b4099954752fdb5de8682459544e313c94bcf9ae8f3989541d2fafebaaf5d44401eb1a08333bef678fd95679d501c03b6008c9d0af698b8db9c2bbce595d2169

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
201B

MD5
b0f8a677c081fd4a837e403a23f84c96

SHA1
40acf7a14a543a058b1a626beb96974ddbf7321a

SHA256
062981fd5485516e4d57b5b7d339423f26670040931749f7539540c811500add

SHA512
f1b26efa81e3c1df456085d4fd6852de02f84f4d95fb407f1e07586d29654ac755e96445868e23d8ac4192017e8924bd35b2306dc4c47c05b94b95638eacf5c6

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
169B

MD5
00ae5b32b563b89105abd9f689467e29

SHA1
118a57682ed19e32302a595fdd506a28ee0ea09e

SHA256
19eab9cc9e485515be769caf53760716e00c81a7822a3dd0688cad943e4c8ee3

SHA512
7a5d12369bb763106493e9540781cd275da0e66fdafadf8587b6ddc0235d90e19315f4d6b4bc5f954bb55a5e7f9c6f46218192a24c8be91867dd7d386e48dd89

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe

Filesize
3.1MB

MD5
6c8d0cee5ff28182894415d85cc49772

SHA1
4209479a7beb092bcd6a80beb79d4d23c2437910

SHA256
797bf87a5a82e97b3c08b90091b3f191da5ab7c1a1d236c93f73231f2f8a45b2

SHA512
82a8f98d63b61198fe791e992a07b7b5c7466fd8012b3b3e7b8d4059fd45d892ea1012ba6847e23a27225b7eed8a8771c938bd77a4bbd81d9097eb7b5f132c5d

Download Submit
C:\VidEQ\dobxloc.exe

Filesize
20KB

MD5
586dc09d5804dc54d44fbabe2f70a2f5

SHA1
1b5a9a763950331479ac1c498b03264cda1e5e0e

SHA256
33712f6263ec98ae8ff353abc33c5a663b2c766cbe5c8a49229dad2fbfb8f079

SHA512
54a9d8562e63f9b26ca5680b6e9a17abb896ba1d76fd279957335198bab32efc42361d0585349bd615b1859a022b024d4629234b578a41c99310d0b00c64998a

Download Submit
C:\VidEQ\dobxloc.exe

Filesize
3.1MB

MD5
06ec0f37d7e8da2725744dff7a481735

SHA1
5d3d8db0b0dde80b5cd797543765ca2872c2e72b

SHA256
2ed9b68303ec3c176aecac163af1b5111792fab9f8d3204e909221b76d4b8596

SHA512
612b0d05dcb6b6aa9cb3ee69c981790ed336fe1a4c42ed9cc958d6437694c265e365bdfc0607c1e1b35a9e499ce9730e0d76e120dbb1a541ea5982cab80c1503

Download Submit