2ee30b9f74cf3e0fb0ef2c14de6aaeeaac13688e4379c6b4a3cd2604029498e2

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
08-06-2024 21:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ee30b9f74cf3e0fb0ef2c14de6aaeeaac13688e4379c6b4a3cd2604029498e2.exe
Size

3.2MB
MD5

764da03a6da680c02144a0a5566a15c4
SHA1

77f091368a2089786e54daa75cef1d1d1e8fc897
SHA256

2ee30b9f74cf3e0fb0ef2c14de6aaeeaac13688e4379c6b4a3cd2604029498e2
SHA512

46f489f76bfac715f93a9314fef4bddb14c737a7a7f1c67cffa57a9d143e1a7effb709db912106fb83f398b600281fd484022833e6eeddbed94da4f70221f8a9
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBnB/bSqz:sxX7QnxrloE5dpUpMbVz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe	2ee30b9f74cf3e0fb0ef2c14de6aaeeaac13688e4379c6b4a3cd2604029498e2.exe

Executes dropped EXE 2 IoCs

pid	Process
2216	ecxopti.exe
2664	adobloc.exe

Loads dropped DLL 2 IoCs

pid	Process
1712	2ee30b9f74cf3e0fb0ef2c14de6aaeeaac13688e4379c6b4a3cd2604029498e2.exe
1712	2ee30b9f74cf3e0fb0ef2c14de6aaeeaac13688e4379c6b4a3cd2604029498e2.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocUL\\adobloc.exe"	2ee30b9f74cf3e0fb0ef2c14de6aaeeaac13688e4379c6b4a3cd2604029498e2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint0F\\optidevloc.exe"	2ee30b9f74cf3e0fb0ef2c14de6aaeeaac13688e4379c6b4a3cd2604029498e2.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1712	2ee30b9f74cf3e0fb0ef2c14de6aaeeaac13688e4379c6b4a3cd2604029498e2.exe
1712	2ee30b9f74cf3e0fb0ef2c14de6aaeeaac13688e4379c6b4a3cd2604029498e2.exe
2216	ecxopti.exe
2664	adobloc.exe
2216	ecxopti.exe
2664	adobloc.exe
2216	ecxopti.exe
2664	adobloc.exe
2216	ecxopti.exe
2664	adobloc.exe
2216	ecxopti.exe
2664	adobloc.exe
2216	ecxopti.exe
2664	adobloc.exe
2216	ecxopti.exe
2664	adobloc.exe
2216	ecxopti.exe
2664	adobloc.exe
2216	ecxopti.exe
2664	adobloc.exe
2216	ecxopti.exe
2664	adobloc.exe
2216	ecxopti.exe
2664	adobloc.exe
2216	ecxopti.exe
2664	adobloc.exe
2216	ecxopti.exe
2664	adobloc.exe
2216	ecxopti.exe
2664	adobloc.exe
2216	ecxopti.exe
2664	adobloc.exe
2216	ecxopti.exe
2664	adobloc.exe
2216	ecxopti.exe
2664	adobloc.exe
2216	ecxopti.exe
2664	adobloc.exe
2216	ecxopti.exe
2664	adobloc.exe
2216	ecxopti.exe
2664	adobloc.exe
2216	ecxopti.exe
2664	adobloc.exe
2216	ecxopti.exe
2664	adobloc.exe
2216	ecxopti.exe
2664	adobloc.exe
2216	ecxopti.exe
2664	adobloc.exe
2216	ecxopti.exe
2664	adobloc.exe
2216	ecxopti.exe
2664	adobloc.exe
2216	ecxopti.exe
2664	adobloc.exe
2216	ecxopti.exe
2664	adobloc.exe
2216	ecxopti.exe
2664	adobloc.exe
2216	ecxopti.exe
2664	adobloc.exe
2216	ecxopti.exe
2664	adobloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 2216	1712	2ee30b9f74cf3e0fb0ef2c14de6aaeeaac13688e4379c6b4a3cd2604029498e2.exe	28
PID 1712 wrote to memory of 2216	1712	2ee30b9f74cf3e0fb0ef2c14de6aaeeaac13688e4379c6b4a3cd2604029498e2.exe	28
PID 1712 wrote to memory of 2216	1712	2ee30b9f74cf3e0fb0ef2c14de6aaeeaac13688e4379c6b4a3cd2604029498e2.exe	28
PID 1712 wrote to memory of 2216	1712	2ee30b9f74cf3e0fb0ef2c14de6aaeeaac13688e4379c6b4a3cd2604029498e2.exe	28
PID 1712 wrote to memory of 2664	1712	2ee30b9f74cf3e0fb0ef2c14de6aaeeaac13688e4379c6b4a3cd2604029498e2.exe	29
PID 1712 wrote to memory of 2664	1712	2ee30b9f74cf3e0fb0ef2c14de6aaeeaac13688e4379c6b4a3cd2604029498e2.exe	29
PID 1712 wrote to memory of 2664	1712	2ee30b9f74cf3e0fb0ef2c14de6aaeeaac13688e4379c6b4a3cd2604029498e2.exe	29
PID 1712 wrote to memory of 2664	1712	2ee30b9f74cf3e0fb0ef2c14de6aaeeaac13688e4379c6b4a3cd2604029498e2.exe	29

C:\Users\Admin\AppData\Local\Temp\2ee30b9f74cf3e0fb0ef2c14de6aaeeaac13688e4379c6b4a3cd2604029498e2.exe
"C:\Users\Admin\AppData\Local\Temp\2ee30b9f74cf3e0fb0ef2c14de6aaeeaac13688e4379c6b4a3cd2604029498e2.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2216
- C:\IntelprocUL\adobloc.exe
  C:\IntelprocUL\adobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocUL\adobloc.exe

Filesize
3.2MB

MD5
262064ce2ad8b64f7988d2865c24886a

SHA1
9713814fde229c8cf11c0bd674f6a2baf224b4d5

SHA256
5de3cd18a2b6f55786d44d4097d684a663640fe66de241294235a802d047c795

SHA512
df8f46513a72f6ddb119e848f028a726621163d7aa456060499b1c4e3d103231e29d00daaafe7ed6a0bfb586cd7a4f97d7813820b4b23a11f8dadfe69f2abcf2

Download Submit
C:\IntelprocUL\adobloc.exe

Filesize
2.8MB

MD5
cb951f36e392ed5fe258b6c821159946

SHA1
025aa2db8bf12e6d7974b621730b24eca35d11d2

SHA256
e5e5f3d7429352758e57e87ffc116828bde1ce4331f0f07c2e9456bbf73200b4

SHA512
fd92dad56234e8a6f44f6ed36d231768aeb01e50f9aa09860b20a466bb69c5357fa27e97dc0c136663dd3e5f6df12387fd085ab54f9010273e70fd65bcd8533b

Download Submit
C:\Mint0F\optidevloc.exe

Filesize
3.2MB

MD5
8f694cd8df424912e79b883a7caf8611

SHA1
c84cc04c10c6da9281be2b3cd13b5f294f88b256

SHA256
461202b59b1bb53e1e6a305c6a6315c18f36c3602f1f8db9beafd25fbde6a5c7

SHA512
abaaa95fc11dbc610b701251fd5efdbafcafb8e6718533118cfecc2141e9730d74675f76340b68a48e0c8835c4ab6a4232eb1a001a224f931247b1db8f130cd3

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
175B

MD5
d491a6c1560bd2788da935b4fe79f0e0

SHA1
8c3bd135d1ea3b2bcf1464b606ee8cc5a6efd2a4

SHA256
9cc5b544efbdf6c2b4a8326f6eccd8c14d6602587e64a026424100c10cbc7161

SHA512
20e82871b2785f574d2344c0812c795951af0255a75e70cab7cb8c7eeb6d477e2596523aaf6ef422ca2bff23ac38bc0831c4ef577b7914f78f5507be56504c65

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
207B

MD5
081a52e309a9afcee43710bea8da851b

SHA1
36b65186661aaa542c208e95a81faa77eead1900

SHA256
d5753d8a9c0f0e1ee7b478388c5ace7154255bee2955191e948b768ba1dd6cc8

SHA512
96395da5d6d4a538969a06d44799274bc4a951316faa442d9d301cf0ff6f78b58c624bf17b18d6736a922805e17d02d9f6079b6036a7c8b83446d9b1090b17c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe

Filesize
3.2MB

MD5
a45447333f7d4ddb52fed38be400736f

SHA1
e411d78da68006f72c564154853124bbc743cafd

SHA256
b7e9c7e01d32d436d227a85a06b05ccec11e7cc0401c96a8d55c863a3781f3f3

SHA512
d155cbccd0789d87f9787042a58ef1e03cb5b7bee279a114bc3803995aa9aabe115cbe45e4ee2e1e30d22de2060cb713e6b554d4ada00d5fced4a9a4d0a1c980

Download Submit