1f1695014bb1d0dd1f9f231452f0a1113fc632af1126e41861e5c5b417f8a16c

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
10/07/2024, 19:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f1695014bb1d0dd1f9f231452f0a1113fc632af1126e41861e5c5b417f8a16c.exe
Size

3.1MB
MD5

0bd66a4871db12318da46f98b6124747
SHA1

a10871344d62ed3daad4cd38b6b2d82400bb8887
SHA256

1f1695014bb1d0dd1f9f231452f0a1113fc632af1126e41861e5c5b417f8a16c
SHA512

0fd97884ae4ab6c794ea0dd127eb53f0ed64ece1a2b861e088f047b34798b517c3f68029b13a628bbc98b8d5eda8ef43e65eae028f5e7421c7474af48f35aecf
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB8B/bSqz8b6LNXJqI:sxX7QnxrloE5dpUpnbVz8eLFc

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe	1f1695014bb1d0dd1f9f231452f0a1113fc632af1126e41861e5c5b417f8a16c.exe

Executes dropped EXE 2 IoCs

pid	Process
2336	ecabod.exe
2452	xoptiec.exe

Loads dropped DLL 2 IoCs

pid	Process
1172	1f1695014bb1d0dd1f9f231452f0a1113fc632af1126e41861e5c5b417f8a16c.exe
1172	1f1695014bb1d0dd1f9f231452f0a1113fc632af1126e41861e5c5b417f8a16c.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvJD\\xoptiec.exe"	1f1695014bb1d0dd1f9f231452f0a1113fc632af1126e41861e5c5b417f8a16c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintLY\\dobxsys.exe"	1f1695014bb1d0dd1f9f231452f0a1113fc632af1126e41861e5c5b417f8a16c.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1172	1f1695014bb1d0dd1f9f231452f0a1113fc632af1126e41861e5c5b417f8a16c.exe
1172	1f1695014bb1d0dd1f9f231452f0a1113fc632af1126e41861e5c5b417f8a16c.exe
2336	ecabod.exe
2452	xoptiec.exe
2336	ecabod.exe
2452	xoptiec.exe
2336	ecabod.exe
2452	xoptiec.exe
2336	ecabod.exe
2452	xoptiec.exe
2336	ecabod.exe
2452	xoptiec.exe
2336	ecabod.exe
2452	xoptiec.exe
2336	ecabod.exe
2452	xoptiec.exe
2336	ecabod.exe
2452	xoptiec.exe
2336	ecabod.exe
2452	xoptiec.exe
2336	ecabod.exe
2452	xoptiec.exe
2336	ecabod.exe
2452	xoptiec.exe
2336	ecabod.exe
2452	xoptiec.exe
2336	ecabod.exe
2452	xoptiec.exe
2336	ecabod.exe
2452	xoptiec.exe
2336	ecabod.exe
2452	xoptiec.exe
2336	ecabod.exe
2452	xoptiec.exe
2336	ecabod.exe
2452	xoptiec.exe
2336	ecabod.exe
2452	xoptiec.exe
2336	ecabod.exe
2452	xoptiec.exe
2336	ecabod.exe
2452	xoptiec.exe
2336	ecabod.exe
2452	xoptiec.exe
2336	ecabod.exe
2452	xoptiec.exe
2336	ecabod.exe
2452	xoptiec.exe
2336	ecabod.exe
2452	xoptiec.exe
2336	ecabod.exe
2452	xoptiec.exe
2336	ecabod.exe
2452	xoptiec.exe
2336	ecabod.exe
2452	xoptiec.exe
2336	ecabod.exe
2452	xoptiec.exe
2336	ecabod.exe
2452	xoptiec.exe
2336	ecabod.exe
2452	xoptiec.exe
2336	ecabod.exe
2452	xoptiec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1172 wrote to memory of 2336	1172	1f1695014bb1d0dd1f9f231452f0a1113fc632af1126e41861e5c5b417f8a16c.exe	31
PID 1172 wrote to memory of 2336	1172	1f1695014bb1d0dd1f9f231452f0a1113fc632af1126e41861e5c5b417f8a16c.exe	31
PID 1172 wrote to memory of 2336	1172	1f1695014bb1d0dd1f9f231452f0a1113fc632af1126e41861e5c5b417f8a16c.exe	31
PID 1172 wrote to memory of 2336	1172	1f1695014bb1d0dd1f9f231452f0a1113fc632af1126e41861e5c5b417f8a16c.exe	31
PID 1172 wrote to memory of 2452	1172	1f1695014bb1d0dd1f9f231452f0a1113fc632af1126e41861e5c5b417f8a16c.exe	32
PID 1172 wrote to memory of 2452	1172	1f1695014bb1d0dd1f9f231452f0a1113fc632af1126e41861e5c5b417f8a16c.exe	32
PID 1172 wrote to memory of 2452	1172	1f1695014bb1d0dd1f9f231452f0a1113fc632af1126e41861e5c5b417f8a16c.exe	32
PID 1172 wrote to memory of 2452	1172	1f1695014bb1d0dd1f9f231452f0a1113fc632af1126e41861e5c5b417f8a16c.exe	32

C:\Users\Admin\AppData\Local\Temp\1f1695014bb1d0dd1f9f231452f0a1113fc632af1126e41861e5c5b417f8a16c.exe
"C:\Users\Admin\AppData\Local\Temp\1f1695014bb1d0dd1f9f231452f0a1113fc632af1126e41861e5c5b417f8a16c.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1172
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2336
- C:\SysDrvJD\xoptiec.exe
  C:\SysDrvJD\xoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintLY\dobxsys.exe

Filesize
3.1MB

MD5
88461f2327f6bfe7ff51186b7831ffb2

SHA1
e3af1a06ba8c7c8b12d63a6266e77811cd946ce5

SHA256
1c9aac096348b87c2398104494e285e837a92783b93ec3f2ba23ad0daf88adc9

SHA512
e6c0aeb8b5122132c03631019a15071885186d6abe921fcf470403e5a6a5c85026d2625a165a18dff461a5e563730f14b434d5ea8442abab2fecb11bbed161c0

Download Submit
C:\MintLY\dobxsys.exe

Filesize
3.1MB

MD5
1fb659aae930290261d484ee214e6059

SHA1
85d6f4643e0d427b0a76ddb75d362d3cb1da06f0

SHA256
cad661142d56e3271a7235762153dd3e64888404e75086952ffd4512859ce12c

SHA512
147f537f5e06b294d868762240efbe7efb13dc031d2c0da7bf775386be29e5bcd8b09bca5c27a9a4c813661d8d412dc6f347fe2544dfa252f393ffba23a856e2

Download Submit
C:\SysDrvJD\xoptiec.exe

Filesize
3.1MB

MD5
3410e07f0afad99558bf233d01bb0f1f

SHA1
f3c2cd50e5794c0eb6b6ffe97bdded2fe653b9ca

SHA256
7c5cd29b7af80b26576828db6ec29553b1b13601774bb223021dc76bb5d29fb8

SHA512
67333b455ac9965e680349d06d96f7bb1ddde7ce897e108eaeebe746c751e06c09777bda89a055a18a9990ef8a46a5ef40652e2468018aca834046f371923e26

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
168B

MD5
df0eb024129868b062e2b3e7571cb3ea

SHA1
49d44baafecefa5f6306954c9cd5264915234ff2

SHA256
9990024f0e5921c3d670daab352ecab61f423a7ec068e0cc20025cb6773ebd3e

SHA512
28588b47301ae6506356c6cb42e8397553b48fc508a7284fd917475ed87e87bc272cc2376c9519d9e654c62552c456ec6963163b95b9483e6b2429f93e97c6e5

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
200B

MD5
b60d9999b94020a8b65a8fe378869981

SHA1
d3e92a8c648a4058dd993980fb48ce278f37e11d

SHA256
7df1e1b9c5fa860efffb098712e3c28708288ad01440c936d5583d007a8683d7

SHA512
a5ae1d44c8a40f19b14a60149657a9fb3d180a436fcdd7b5c7f66457173b20ef7a6a803fb0c56b6c9bd98667300b147199270df1bf1cc21bdee2fa871f5e4d22

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe

Filesize
3.1MB

MD5
1826518e6c9383da888411411f656b6d

SHA1
3585d78c736e6282be7990d4de7d0db47d48172a

SHA256
60cfb50dd63c29a930bd405b63991e51e890b7ab0e608c43bd94de78bd1f993a

SHA512
7026ab8ffce5fba9920ff20ea3baff6ef1694dc6f090dc52e7deab8f378f44d7d2afa8bdfe9b14053005fe742de3e786514b749e944197212ac936bab2d20864

Download Submit