4c9cdd61249483c4ef050c43a664fdfe8322cf82b07b914b94c9002e2979cd94

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
03/06/2024, 21:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c9cdd61249483c4ef050c43a664fdfe8322cf82b07b914b94c9002e2979cd94.exe
Size

4.1MB
MD5

88ff053add827f525cb99740b26cc056
SHA1

da9f98795713cb42c7ff68b112de863cd9e3b6f4
SHA256

4c9cdd61249483c4ef050c43a664fdfe8322cf82b07b914b94c9002e2979cd94
SHA512

bff162de8ca248b3ced9c0387ff31fd71a1328d7bae74ab2d1248d8269f224822058e4cfa96898b79848df04306e0661ff1436e5a91af142d291c12c90e50e29
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB8B/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpDbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe	4c9cdd61249483c4ef050c43a664fdfe8322cf82b07b914b94c9002e2979cd94.exe

Executes dropped EXE 2 IoCs

pid	Process
2652	ecxdob.exe
1620	xoptiloc.exe

Loads dropped DLL 2 IoCs

pid	Process
2180	4c9cdd61249483c4ef050c43a664fdfe8322cf82b07b914b94c9002e2979cd94.exe
2180	4c9cdd61249483c4ef050c43a664fdfe8322cf82b07b914b94c9002e2979cd94.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeW7\\xoptiloc.exe"	4c9cdd61249483c4ef050c43a664fdfe8322cf82b07b914b94c9002e2979cd94.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZTI\\dobxsys.exe"	4c9cdd61249483c4ef050c43a664fdfe8322cf82b07b914b94c9002e2979cd94.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2180	4c9cdd61249483c4ef050c43a664fdfe8322cf82b07b914b94c9002e2979cd94.exe
2180	4c9cdd61249483c4ef050c43a664fdfe8322cf82b07b914b94c9002e2979cd94.exe
2652	ecxdob.exe
1620	xoptiloc.exe
2652	ecxdob.exe
1620	xoptiloc.exe
2652	ecxdob.exe
1620	xoptiloc.exe
2652	ecxdob.exe
1620	xoptiloc.exe
2652	ecxdob.exe
1620	xoptiloc.exe
2652	ecxdob.exe
1620	xoptiloc.exe
2652	ecxdob.exe
1620	xoptiloc.exe
2652	ecxdob.exe
1620	xoptiloc.exe
2652	ecxdob.exe
1620	xoptiloc.exe
2652	ecxdob.exe
1620	xoptiloc.exe
2652	ecxdob.exe
1620	xoptiloc.exe
2652	ecxdob.exe
1620	xoptiloc.exe
2652	ecxdob.exe
1620	xoptiloc.exe
2652	ecxdob.exe
1620	xoptiloc.exe
2652	ecxdob.exe
1620	xoptiloc.exe
2652	ecxdob.exe
1620	xoptiloc.exe
2652	ecxdob.exe
1620	xoptiloc.exe
2652	ecxdob.exe
1620	xoptiloc.exe
2652	ecxdob.exe
1620	xoptiloc.exe
2652	ecxdob.exe
1620	xoptiloc.exe
2652	ecxdob.exe
1620	xoptiloc.exe
2652	ecxdob.exe
1620	xoptiloc.exe
2652	ecxdob.exe
1620	xoptiloc.exe
2652	ecxdob.exe
1620	xoptiloc.exe
2652	ecxdob.exe
1620	xoptiloc.exe
2652	ecxdob.exe
1620	xoptiloc.exe
2652	ecxdob.exe
1620	xoptiloc.exe
2652	ecxdob.exe
1620	xoptiloc.exe
2652	ecxdob.exe
1620	xoptiloc.exe
2652	ecxdob.exe
1620	xoptiloc.exe
2652	ecxdob.exe
1620	xoptiloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 2652	2180	4c9cdd61249483c4ef050c43a664fdfe8322cf82b07b914b94c9002e2979cd94.exe	28
PID 2180 wrote to memory of 2652	2180	4c9cdd61249483c4ef050c43a664fdfe8322cf82b07b914b94c9002e2979cd94.exe	28
PID 2180 wrote to memory of 2652	2180	4c9cdd61249483c4ef050c43a664fdfe8322cf82b07b914b94c9002e2979cd94.exe	28
PID 2180 wrote to memory of 2652	2180	4c9cdd61249483c4ef050c43a664fdfe8322cf82b07b914b94c9002e2979cd94.exe	28
PID 2180 wrote to memory of 1620	2180	4c9cdd61249483c4ef050c43a664fdfe8322cf82b07b914b94c9002e2979cd94.exe	29
PID 2180 wrote to memory of 1620	2180	4c9cdd61249483c4ef050c43a664fdfe8322cf82b07b914b94c9002e2979cd94.exe	29
PID 2180 wrote to memory of 1620	2180	4c9cdd61249483c4ef050c43a664fdfe8322cf82b07b914b94c9002e2979cd94.exe	29
PID 2180 wrote to memory of 1620	2180	4c9cdd61249483c4ef050c43a664fdfe8322cf82b07b914b94c9002e2979cd94.exe	29

C:\Users\Admin\AppData\Local\Temp\4c9cdd61249483c4ef050c43a664fdfe8322cf82b07b914b94c9002e2979cd94.exe
"C:\Users\Admin\AppData\Local\Temp\4c9cdd61249483c4ef050c43a664fdfe8322cf82b07b914b94c9002e2979cd94.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2652
- C:\AdobeW7\xoptiloc.exe
  C:\AdobeW7\xoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeW7\xoptiloc.exe

Filesize
29KB

MD5
c2b58e7bd0d9d36929797d78aa1d3e51

SHA1
8fc011635fc3980b8429b2956954a84ef4f62f48

SHA256
d5277dd43fac6b920dc73e189c8ce3c2b5d25215f887f88a07155db345eeb18c

SHA512
78c62f3f40b38eb2f380b786661968a0da8840a04924336873b4f4aceba9dd3bd8652ebb78ce9ba2b6128880c6d2ac12c784def607e382a7ede8e458ed4932e0

Download Submit
C:\LabZTI\dobxsys.exe

Filesize
15KB

MD5
62f17a18e2665228331086e6e938bfcc

SHA1
8e2aada25ef3eee33045d7c08ce27d04adfb7da4

SHA256
1f30a15b454a01e1f02a566860b6dea8fe2debfee04aa9dcd02eff1b374b5385

SHA512
0cde9444b74a958f01e657a2f49550b28dac6697a6d01cdde84a080468781943e73e4ca36b1efb6ce7bebd85c014c8ebf526f60943adf83ef100be6249c3a5f3

Download Submit
C:\LabZTI\dobxsys.exe

Filesize
4.1MB

MD5
0b5e47d160f4f8c442525bc38ad08cb9

SHA1
5e3f4e2b766f79e04a3833af4e3eeeecd153ea8d

SHA256
434719fe6980220acebba5aef601d7957e0b27fe776495a41e72936b96d564c3

SHA512
ccf004324feaaba5d4c84cf96298100275a32113fe0fce7851a1d106af75d3404913f67cea5d95b6cedf15bac11e7b81504e98d2182b46ed28c7753f4edbec4b

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
168B

MD5
e55b80a88e77e986deaafdf6c98ed3ac

SHA1
7c0fe97a70c38ad2c28d0560e215dd230f58bcfd

SHA256
210b40035526568956d862ccf7a98eeb84dad6ac307440bb3c0115a5295a091b

SHA512
332ec6c6042068ac3b0e526154251fea941bcf13046fa8624b3ac5d19078c4c4a8a7bc73756868403b56c1beb2a875d1f47715c590afc4abd661d0da7d25f7ea

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
200B

MD5
e58834da36b77dfbd101410e98f10572

SHA1
64468ad2e7b02ca0c30acbed5b1490e0a00d2829

SHA256
79b33e1ede8245b0f97dcba01af1a91f89267badc171e3032d9b284b7f7a0eec

SHA512
529f6dd864a9d5b2bd5bfd2403e41b2165ceaf97dadb32ea8b93b05824d34a69715f7878ad60b7eb5088452548af67672ffb541cb8373ae43b133aef7373fc2d

Download Submit
\AdobeW7\xoptiloc.exe

Filesize
4.1MB

MD5
0f9398f6279e19a0db1b90a470abc98e

SHA1
ac2709c85992c339e43bde9f4dec6f0315e8d8d3

SHA256
7efc0ec6f369ebdcb46be998e0207d3475e539298c07dd50b42928790c188908

SHA512
6d8fad7f8c94adf8d92ca47b0be0c3547204894c25e43739fcb8551feaddf1cfd5e0d95774299579568e0bb67e1f641ecb5413b8ed91ae884b6bebe99d98dec4

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe

Filesize
4.1MB

MD5
408df2326490f484b2c8e7fad73dcbc4

SHA1
4821dbf490a019006efede9c1f5277ff7c863ba1

SHA256
84c982b2f3c5e69771ce5bdfdbf99a89cf4c5e664525adba737dba99d4d15c92

SHA512
aa6c38b8e7899b3e6dbf62f95ec4467553b9c467a0e4840ff97f6feca0f8dd462c7c5b5d598d89578660a9fe672142aacb4d60e651a402eb3e4ca54752e7b500

Download Submit