cd96213736c9d5011df5deeb969d0ad0c0130c13537e7eaa2a62f078eba6ce8a

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
09-07-2024 05:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cd96213736c9d5011df5deeb969d0ad0c0130c13537e7eaa2a62f078eba6ce8a.exe
Size

3.1MB
MD5

3e3afa63ceb3e7c54a63844f65a62384
SHA1

9bf15d3b10b8ebe5e4361c440242a337dc257f1a
SHA256

cd96213736c9d5011df5deeb969d0ad0c0130c13537e7eaa2a62f078eba6ce8a
SHA512

5d4c0d2c029c00b5193c29af90633b1595e75809fe9050c2f3317b76d98f1bb540b298255a71c83da2c40dabaf66147494ce289f6e4083c518f4b88ba085ba8f
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBrB/bSqz8b6LNXJqI2:sxX7QnxrloE5dpUpIbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe	cd96213736c9d5011df5deeb969d0ad0c0130c13537e7eaa2a62f078eba6ce8a.exe

Executes dropped EXE 2 IoCs

pid	Process
1788	ecxopti.exe
3832	devbodec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesRH\\devbodec.exe"	cd96213736c9d5011df5deeb969d0ad0c0130c13537e7eaa2a62f078eba6ce8a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidN7\\optixec.exe"	cd96213736c9d5011df5deeb969d0ad0c0130c13537e7eaa2a62f078eba6ce8a.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2736	cd96213736c9d5011df5deeb969d0ad0c0130c13537e7eaa2a62f078eba6ce8a.exe
2736	cd96213736c9d5011df5deeb969d0ad0c0130c13537e7eaa2a62f078eba6ce8a.exe
2736	cd96213736c9d5011df5deeb969d0ad0c0130c13537e7eaa2a62f078eba6ce8a.exe
2736	cd96213736c9d5011df5deeb969d0ad0c0130c13537e7eaa2a62f078eba6ce8a.exe
1788	ecxopti.exe
1788	ecxopti.exe
3832	devbodec.exe
3832	devbodec.exe
1788	ecxopti.exe
1788	ecxopti.exe
3832	devbodec.exe
3832	devbodec.exe
1788	ecxopti.exe
1788	ecxopti.exe
3832	devbodec.exe
3832	devbodec.exe
1788	ecxopti.exe
1788	ecxopti.exe
3832	devbodec.exe
3832	devbodec.exe
1788	ecxopti.exe
1788	ecxopti.exe
3832	devbodec.exe
3832	devbodec.exe
1788	ecxopti.exe
1788	ecxopti.exe
3832	devbodec.exe
3832	devbodec.exe
1788	ecxopti.exe
1788	ecxopti.exe
3832	devbodec.exe
3832	devbodec.exe
1788	ecxopti.exe
1788	ecxopti.exe
3832	devbodec.exe
3832	devbodec.exe
1788	ecxopti.exe
1788	ecxopti.exe
3832	devbodec.exe
3832	devbodec.exe
1788	ecxopti.exe
1788	ecxopti.exe
3832	devbodec.exe
3832	devbodec.exe
1788	ecxopti.exe
1788	ecxopti.exe
3832	devbodec.exe
3832	devbodec.exe
1788	ecxopti.exe
1788	ecxopti.exe
3832	devbodec.exe
3832	devbodec.exe
1788	ecxopti.exe
1788	ecxopti.exe
3832	devbodec.exe
3832	devbodec.exe
1788	ecxopti.exe
1788	ecxopti.exe
3832	devbodec.exe
3832	devbodec.exe
1788	ecxopti.exe
1788	ecxopti.exe
3832	devbodec.exe
3832	devbodec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 1788	2736	cd96213736c9d5011df5deeb969d0ad0c0130c13537e7eaa2a62f078eba6ce8a.exe	86
PID 2736 wrote to memory of 1788	2736	cd96213736c9d5011df5deeb969d0ad0c0130c13537e7eaa2a62f078eba6ce8a.exe	86
PID 2736 wrote to memory of 1788	2736	cd96213736c9d5011df5deeb969d0ad0c0130c13537e7eaa2a62f078eba6ce8a.exe	86
PID 2736 wrote to memory of 3832	2736	cd96213736c9d5011df5deeb969d0ad0c0130c13537e7eaa2a62f078eba6ce8a.exe	87
PID 2736 wrote to memory of 3832	2736	cd96213736c9d5011df5deeb969d0ad0c0130c13537e7eaa2a62f078eba6ce8a.exe	87
PID 2736 wrote to memory of 3832	2736	cd96213736c9d5011df5deeb969d0ad0c0130c13537e7eaa2a62f078eba6ce8a.exe	87

C:\Users\Admin\AppData\Local\Temp\cd96213736c9d5011df5deeb969d0ad0c0130c13537e7eaa2a62f078eba6ce8a.exe
"C:\Users\Admin\AppData\Local\Temp\cd96213736c9d5011df5deeb969d0ad0c0130c13537e7eaa2a62f078eba6ce8a.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1788
- C:\FilesRH\devbodec.exe
  C:\FilesRH\devbodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesRH\devbodec.exe

Filesize
706KB

MD5
d66c3e9ebd48a6412cb6645739cbf0e2

SHA1
f7c1771ba0162c5daaf9d51599fca62e0667c601

SHA256
44b40374451ba8174c04f9e5cac5677e22b8270ecefd21c04f8b4cd2f19598c9

SHA512
40927c38218a8cea4c514dfe84e4a608b93a4f83a25edc657627b1050b003e8500f9f9da1c760b7c1332a955b43514dcb2cda20cdfad7e2ff1093a6531fab46e

Download Submit
C:\FilesRH\devbodec.exe

Filesize
3.1MB

MD5
58a4891630a18c08d32dad6d641c1e99

SHA1
f6a3daf033063834ba41309d426712fb46080bb4

SHA256
a01d428e0f321156bbde32b7222008f3b9159d2b2d37272c01e68c0425547d46

SHA512
8dc0a5a041821da01141c425dc30d66cca74d089b01fa26358b8d85f65b41f343e78cc9ba80cbcfc351d0161b0c7c231158c087baf5cbe89346209a3d50a0327

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
200B

MD5
b4b864aeda5fabdce230b2b332b21c9d

SHA1
94e398d2557a87935984ea6e45a37233a6edb1b9

SHA256
9fd74976b687f0bbecc3ab4375e5dd2e7640a80dd2dbc3cbccb19009815158b2

SHA512
ccbf5c38bc8bea854f106532adda9bb57f2f126d4194e19a5d89ac3df96c1210948f43122ce55f38987363899f4a8cbf5a7477e0de7b50fdc7dafa0318224981

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
168B

MD5
46509bc60e76d5c10c24715230b0a116

SHA1
c9cac518735d3b6f86a7abf906a2f988f403d170

SHA256
b4583c88d5d689a9333a7d1ed5ed522769cbe1d2b4dcbca35cd8fc3a9d3e690f

SHA512
0dfe2cc2cc3c0d2d337106af5b78ad50f5ec6d59846ccc53712514a9ebaae7feab917980cad1d8c7547d101f87b6f8c094cf789cf0e3c08a2d22ed7b173ac288

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe

Filesize
3.1MB

MD5
41deddbcca73920cd196c0865e9ef484

SHA1
142978ccb04c1f0861c886ea2bbbc2934acf0444

SHA256
3e1e238690e38e00dde9ff0151bf82014e40724b4a2a16ece22966aafae61841

SHA512
d657b5e6a2b10d2545c2cc5877706f4c0a7ada535e89cb5695210f4b0d51c3716a31284328a7a89e88a0f503a22aee8ad64d026e10a8a12203e15cd78b41bc49

Download Submit
C:\VidN7\optixec.exe

Filesize
428KB

MD5
729af3ece7d8a4396cdca52484d2cf90

SHA1
0295f6c33f120942ef2d056997f55f9ff223593b

SHA256
3b98c62162a485009e8c84be84073a758f794131bf16e6b64c87ee656e8a9dac

SHA512
639d51dc7dd8f869dd28ba096a8806e379bbdd12cb17e72eafbd2248ce6b0878d503c35e3fb516224867d72e19a11572c39fbdeee06c726616ef66aea1b13591

Download Submit
C:\VidN7\optixec.exe

Filesize
951KB

MD5
bc54e73490b4c363f31305bb863c1a34

SHA1
30ca50399c495e8c6ebc77dd8f2efeab982bb5b8

SHA256
9c3a18be5686492f085bcec4f9fca514d37453deac587654f67c4ee54b985203

SHA512
323fef1509c9368d2c992fdaecd398ce68f1a0db1de3149c80acf094277b97356a956120816a308eb5c90fd346756694003b6c21843459b31b1161d712f592a1

Download Submit