34c71c789a33cea271b9cbe5bf67e32ed6dd3f5bec126b39b8adf6966433d66d

General

Target

34c71c789a33cea271b9cbe5bf67e32ed6dd3f5bec126b39b8adf6966433d66d.exe
Size

4.1MB
MD5

03a7e9995d0a557460b5d7670ba7dc2d
SHA1

4db8d8d938cb1ecf01cabfad0ee37b4268c0f0a9
SHA256

34c71c789a33cea271b9cbe5bf67e32ed6dd3f5bec126b39b8adf6966433d66d
SHA512

c3ad4bba75ae6ab4476ff5d164e72a0e6bb6b345679a8ebf03f9cec0298b24cbe9e2b3fe9cc2eb622a27ec6413ef7dab282e587105be799e5fdea8facf57009d
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBNB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpGbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

34c71c789a33cea271b9cbe5bf67e32ed6dd3f5bec126b39b8adf6966433d66d.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe	34c71c789a33cea271b9cbe5bf67e32ed6dd3f5bec126b39b8adf6966433d66d.exe

Executes dropped EXE 2 IoCs

Processes:

ecxopti.exexdobloc.exe

pid process

2852 ecxopti.exe
2408 xdobloc.exe

pid	process
2852	ecxopti.exe
2408	xdobloc.exe

Loads dropped DLL 2 IoCs

Processes:

34c71c789a33cea271b9cbe5bf67e32ed6dd3f5bec126b39b8adf6966433d66d.exe

pid	process
2720	34c71c789a33cea271b9cbe5bf67e32ed6dd3f5bec126b39b8adf6966433d66d.exe
2720	34c71c789a33cea271b9cbe5bf67e32ed6dd3f5bec126b39b8adf6966433d66d.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

34c71c789a33cea271b9cbe5bf67e32ed6dd3f5bec126b39b8adf6966433d66d.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotA5\\xdobloc.exe"	34c71c789a33cea271b9cbe5bf67e32ed6dd3f5bec126b39b8adf6966433d66d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidNV\\optidevloc.exe"	34c71c789a33cea271b9cbe5bf67e32ed6dd3f5bec126b39b8adf6966433d66d.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

34c71c789a33cea271b9cbe5bf67e32ed6dd3f5bec126b39b8adf6966433d66d.exeecxopti.exexdobloc.exe

pid	process
2720	34c71c789a33cea271b9cbe5bf67e32ed6dd3f5bec126b39b8adf6966433d66d.exe
2720	34c71c789a33cea271b9cbe5bf67e32ed6dd3f5bec126b39b8adf6966433d66d.exe
2852	ecxopti.exe
2408	xdobloc.exe
2852	ecxopti.exe
2408	xdobloc.exe
2852	ecxopti.exe
2408	xdobloc.exe
2852	ecxopti.exe
2408	xdobloc.exe
2852	ecxopti.exe
2408	xdobloc.exe
2852	ecxopti.exe
2408	xdobloc.exe
2852	ecxopti.exe
2408	xdobloc.exe
2852	ecxopti.exe
2408	xdobloc.exe
2852	ecxopti.exe
2408	xdobloc.exe
2852	ecxopti.exe
2408	xdobloc.exe
2852	ecxopti.exe
2408	xdobloc.exe
2852	ecxopti.exe
2408	xdobloc.exe
2852	ecxopti.exe
2408	xdobloc.exe
2852	ecxopti.exe
2408	xdobloc.exe
2852	ecxopti.exe
2408	xdobloc.exe
2852	ecxopti.exe
2408	xdobloc.exe
2852	ecxopti.exe
2408	xdobloc.exe
2852	ecxopti.exe
2408	xdobloc.exe
2852	ecxopti.exe
2408	xdobloc.exe
2852	ecxopti.exe
2408	xdobloc.exe
2852	ecxopti.exe
2408	xdobloc.exe
2852	ecxopti.exe
2408	xdobloc.exe
2852	ecxopti.exe
2408	xdobloc.exe
2852	ecxopti.exe
2408	xdobloc.exe
2852	ecxopti.exe
2408	xdobloc.exe
2852	ecxopti.exe
2408	xdobloc.exe
2852	ecxopti.exe
2408	xdobloc.exe
2852	ecxopti.exe
2408	xdobloc.exe
2852	ecxopti.exe
2408	xdobloc.exe
2852	ecxopti.exe
2408	xdobloc.exe
2852	ecxopti.exe
2408	xdobloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

34c71c789a33cea271b9cbe5bf67e32ed6dd3f5bec126b39b8adf6966433d66d.exe

description	pid	process	target process
PID 2720 wrote to memory of 2852	2720	34c71c789a33cea271b9cbe5bf67e32ed6dd3f5bec126b39b8adf6966433d66d.exe	ecxopti.exe
PID 2720 wrote to memory of 2852	2720	34c71c789a33cea271b9cbe5bf67e32ed6dd3f5bec126b39b8adf6966433d66d.exe	ecxopti.exe
PID 2720 wrote to memory of 2852	2720	34c71c789a33cea271b9cbe5bf67e32ed6dd3f5bec126b39b8adf6966433d66d.exe	ecxopti.exe
PID 2720 wrote to memory of 2852	2720	34c71c789a33cea271b9cbe5bf67e32ed6dd3f5bec126b39b8adf6966433d66d.exe	ecxopti.exe
PID 2720 wrote to memory of 2408	2720	34c71c789a33cea271b9cbe5bf67e32ed6dd3f5bec126b39b8adf6966433d66d.exe	xdobloc.exe
PID 2720 wrote to memory of 2408	2720	34c71c789a33cea271b9cbe5bf67e32ed6dd3f5bec126b39b8adf6966433d66d.exe	xdobloc.exe
PID 2720 wrote to memory of 2408	2720	34c71c789a33cea271b9cbe5bf67e32ed6dd3f5bec126b39b8adf6966433d66d.exe	xdobloc.exe
PID 2720 wrote to memory of 2408	2720	34c71c789a33cea271b9cbe5bf67e32ed6dd3f5bec126b39b8adf6966433d66d.exe	xdobloc.exe

C:\Users\Admin\AppData\Local\Temp\34c71c789a33cea271b9cbe5bf67e32ed6dd3f5bec126b39b8adf6966433d66d.exe
"C:\Users\Admin\AppData\Local\Temp\34c71c789a33cea271b9cbe5bf67e32ed6dd3f5bec126b39b8adf6966433d66d.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2720

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2852

C:\UserDotA5\xdobloc.exe
C:\UserDotA5\xdobloc.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\UserDotA5\xdobloc.exe

Filesize
4.1MB

MD5
0749b82e04cc0eedb10aabdfc402012f

SHA1
bc3c84c9342d1d758600d476233977db9e63c6fb

SHA256
2c657eae7d84de0671132719629d84cc300af2df8f0a89e35351b664631a4151

SHA512
c5e331ed058b8301455174ae31cfc98260609329332dfa37a9c7427ec63f7b5af74b97123de024428dee7eb730eb7ae1d89c2b7c221b86f0e61e4dd0bfc9c23d

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
172B

MD5
34dff6caab16c0d89dd58f51469395e6

SHA1
2350aefdaae7a0180ee84f9865488027959727ae

SHA256
0fae9a57581b4af0814592baa5d0b5205c85f77790d81c3f970e26b6020d4e16

SHA512
2b090c6e8877f807562c204d9395a38b75f6ed036b43ac36dc20e222eb58ef16ac8f99e1321e8cd728b85aed0d7c222f545fc3a699ef14f6726861868d6c650f

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
8aeceb9507f6b50fd65b089ba0cbdb84

SHA1
92005a94e83389992218b23335a7dc4dce0597fa

SHA256
459990d6b9de7454b9ed543dfae0f74fbbc3811ceb8549d8d7b4839db988945c

SHA512
75d8efeca431e0b8024bab26e05b337007a64087fb4bffa97adc82b8fd2ec9a4d0dc34526131da0caf443f38a7a22fddd91ed2d0f6ad97bdd828a82b1c55d62c

Download Submit
C:\VidNV\optidevloc.exe

Filesize
4.1MB

MD5
6bd3e7ee736cf5614f4c355a9ea151d4

SHA1
df3f7769df0750fdd4f91fa7f6717261e9788d4f

SHA256
9451d75f781d32cfe5f46bc74a86057a018ba60e90653864d3ee681ce933cdaf

SHA512
a9898c2b9864fff60ed2b2d342e0d833795bcbbc972ff149404d4b1ab7be963254d068adc532cfd78c4515e07006ddf9972dd7480ad793dd98f090cd743943e9

Download Submit
C:\VidNV\optidevloc.exe

Filesize
4.1MB

MD5
d1a091d3fb3c1228308e35f375f5542d

SHA1
ba4f141a7a605265c422af222ea72b8118c9bb47

SHA256
47bcea63165211571d4d11b8f3f2a60bd80b86b1d779f9e7e6ec70ddf3658b76

SHA512
0f0da1645d4a61495997f1227dfa699e1b1d23e9d48491d46eea5e9938c5c1564ee8a983c00a8a0b931ffca147ef7d08b81f35b3041bca3e7d82d13dd1f50760

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe

Filesize
4.1MB

MD5
af1289ef664d07bb2d2ee837e716bfd2

SHA1
d52efa38c9e35cea92954551c9692f7510081b67

SHA256
0dff45b0221db9d32103a85cacdb7442945d56472793f1a307d353d84ca10590

SHA512
ac7fec11bcd181d99a67c5a705fd1c1f2f2eacc70e912a13fd100bdb401701f8e5dd8081571fe42b66b2506e8f0f3496d21b89ed06d37120775269243f4325e0

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads