1c7d1efcf22f3244834a6b9cc5b281a9ba99c5e2ac6b8718599807d3cd363a27

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
08-06-2024 19:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c7d1efcf22f3244834a6b9cc5b281a9ba99c5e2ac6b8718599807d3cd363a27.exe
Size

2.6MB
MD5

e870a9cb2ba5ff1c9133ed611e485d03
SHA1

e0e4fa2c893186f83c7161264d05d8ae3fd99b51
SHA256

1c7d1efcf22f3244834a6b9cc5b281a9ba99c5e2ac6b8718599807d3cd363a27
SHA512

debd728eb6f364f1fd398713ef9c78d0a44034d5d02fcc148fb21b35b12a0def327e3a677534ed15ac0cdf9994d008efae23a9af939bd32ee595151cd1e5c18b
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB7B/bS:sxX7QnxrloE5dpUpMb

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe	1c7d1efcf22f3244834a6b9cc5b281a9ba99c5e2ac6b8718599807d3cd363a27.exe

Executes dropped EXE 2 IoCs

pid	Process
2520	ecxdob.exe
2640	devoptiec.exe

Loads dropped DLL 2 IoCs

pid	Process
2748	1c7d1efcf22f3244834a6b9cc5b281a9ba99c5e2ac6b8718599807d3cd363a27.exe
2748	1c7d1efcf22f3244834a6b9cc5b281a9ba99c5e2ac6b8718599807d3cd363a27.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc82\\devoptiec.exe"	1c7d1efcf22f3244834a6b9cc5b281a9ba99c5e2ac6b8718599807d3cd363a27.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax8E\\optidevec.exe"	1c7d1efcf22f3244834a6b9cc5b281a9ba99c5e2ac6b8718599807d3cd363a27.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2748	1c7d1efcf22f3244834a6b9cc5b281a9ba99c5e2ac6b8718599807d3cd363a27.exe
2748	1c7d1efcf22f3244834a6b9cc5b281a9ba99c5e2ac6b8718599807d3cd363a27.exe
2520	ecxdob.exe
2640	devoptiec.exe
2520	ecxdob.exe
2640	devoptiec.exe
2520	ecxdob.exe
2640	devoptiec.exe
2520	ecxdob.exe
2640	devoptiec.exe
2520	ecxdob.exe
2640	devoptiec.exe
2520	ecxdob.exe
2640	devoptiec.exe
2520	ecxdob.exe
2640	devoptiec.exe
2520	ecxdob.exe
2640	devoptiec.exe
2520	ecxdob.exe
2640	devoptiec.exe
2520	ecxdob.exe
2640	devoptiec.exe
2520	ecxdob.exe
2640	devoptiec.exe
2520	ecxdob.exe
2640	devoptiec.exe
2520	ecxdob.exe
2640	devoptiec.exe
2520	ecxdob.exe
2640	devoptiec.exe
2520	ecxdob.exe
2640	devoptiec.exe
2520	ecxdob.exe
2640	devoptiec.exe
2520	ecxdob.exe
2640	devoptiec.exe
2520	ecxdob.exe
2640	devoptiec.exe
2520	ecxdob.exe
2640	devoptiec.exe
2520	ecxdob.exe
2640	devoptiec.exe
2520	ecxdob.exe
2640	devoptiec.exe
2520	ecxdob.exe
2640	devoptiec.exe
2520	ecxdob.exe
2640	devoptiec.exe
2520	ecxdob.exe
2640	devoptiec.exe
2520	ecxdob.exe
2640	devoptiec.exe
2520	ecxdob.exe
2640	devoptiec.exe
2520	ecxdob.exe
2640	devoptiec.exe
2520	ecxdob.exe
2640	devoptiec.exe
2520	ecxdob.exe
2640	devoptiec.exe
2520	ecxdob.exe
2640	devoptiec.exe
2520	ecxdob.exe
2640	devoptiec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2748 wrote to memory of 2520	2748	1c7d1efcf22f3244834a6b9cc5b281a9ba99c5e2ac6b8718599807d3cd363a27.exe	28
PID 2748 wrote to memory of 2520	2748	1c7d1efcf22f3244834a6b9cc5b281a9ba99c5e2ac6b8718599807d3cd363a27.exe	28
PID 2748 wrote to memory of 2520	2748	1c7d1efcf22f3244834a6b9cc5b281a9ba99c5e2ac6b8718599807d3cd363a27.exe	28
PID 2748 wrote to memory of 2520	2748	1c7d1efcf22f3244834a6b9cc5b281a9ba99c5e2ac6b8718599807d3cd363a27.exe	28
PID 2748 wrote to memory of 2640	2748	1c7d1efcf22f3244834a6b9cc5b281a9ba99c5e2ac6b8718599807d3cd363a27.exe	29
PID 2748 wrote to memory of 2640	2748	1c7d1efcf22f3244834a6b9cc5b281a9ba99c5e2ac6b8718599807d3cd363a27.exe	29
PID 2748 wrote to memory of 2640	2748	1c7d1efcf22f3244834a6b9cc5b281a9ba99c5e2ac6b8718599807d3cd363a27.exe	29
PID 2748 wrote to memory of 2640	2748	1c7d1efcf22f3244834a6b9cc5b281a9ba99c5e2ac6b8718599807d3cd363a27.exe	29

C:\Users\Admin\AppData\Local\Temp\1c7d1efcf22f3244834a6b9cc5b281a9ba99c5e2ac6b8718599807d3cd363a27.exe
"C:\Users\Admin\AppData\Local\Temp\1c7d1efcf22f3244834a6b9cc5b281a9ba99c5e2ac6b8718599807d3cd363a27.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2520
- C:\Intelproc82\devoptiec.exe
  C:\Intelproc82\devoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Galax8E\optidevec.exe

Filesize
16KB

MD5
22982414cd28f7bd963c7390fe332005

SHA1
b9780689fc2f225a5f207b3a0f2533dc5e381874

SHA256
b3c258b288b3f2ef33c6a362503e599b349febb9a0f7fab4311ba488dbb1b44a

SHA512
905aa5b5e80fa41f962d0a01ee4b2a54155d0ff7e92d1533813efa64cc4ff3ad1cdf63ac6a1e689b0a4b44c659ec4760631e0162fda9ab3741cdf0b0bfcd0cb2

Download Submit
C:\Galax8E\optidevec.exe

Filesize
434KB

MD5
adb51f1a26ba5d0f203bb03c77837ab7

SHA1
ef375238df7e4f7b0bfc2ea061202df2a0781337

SHA256
74d826a11f3f46973b8a467a5c83d0e8427b0006ed91ec5d87da3764111b789c

SHA512
301e36af9859c0710e3c994184ab90215b6c69d829b2a24bd6763d45ddba26ffc7915c4f4b68aea5d132436bbd4b4e4065051bff6ba4aef39b354b989389db16

Download Submit
C:\Intelproc82\devoptiec.exe

Filesize
2.6MB

MD5
66cb0d136afa9e4c0259d0cd2a101ca9

SHA1
2a3f4d15d3e9beaaa83671bfe677ea6e3915599a

SHA256
68575cd4f84cf665c835ef0d3dd33253c532a2e80319040094e09102a413f5f7

SHA512
07c06f1fc868a5a085204e56bbfea4e782d41e1c7c4f9a62c64aa3ecff12c040f93db66fb0d8331d50227f5a182e7aa8d59da9c337b97d085bd3f3947a03a70c

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
176B

MD5
cf3d03d60d857e1e8eaec67b2c5257ba

SHA1
020cd1685129288487a153b92a027b896f8e7d03

SHA256
4f918b87bfaf13f05fc661051258ad511fdfd537525b6c7758c665c5020667e2

SHA512
8e61f3d7b9d2ba91ea386576f50236b4e9e974da5a3fbe6a5170e4fafcb858ee451a263e42493e50bdb323a6b0ce6ad96cafe97c9b034655b67378ab892875d4

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
208B

MD5
54eaaa7129514ea5def2e45d545941d4

SHA1
5f6fa38fb892f5d4af5b59753ed4498df3240e9b

SHA256
b238daa6d70bdfcedd7b184a902641bafd5784e4222a2324eab8564ca3ef60f2

SHA512
f9b277d21c2be623cee88e240a9751a8dc476377a28a30f004a1a71070357ae48ab1e532cb3215fcbfca2b1f4db242684c8b924e5ac093a6092630cf7b9fa8c7

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe

Filesize
2.6MB

MD5
c40c33c103cfaa4277ced470abe270e5

SHA1
5afae57a547d9da0f917925a75a995c84e60f801

SHA256
ea6e82fb4a98152fe3a3d53bbe14e90f69231313f1891f1076e0f096e0c96bab

SHA512
45328810fd1da7a1ac8a19f9b3e6385b15456e97bed7c871886243b59544d7261006a88bacdd6b497c25e22b6e9d6bb94559539880a44f734eeb727309dd78ab

Download Submit