8b8b82a8a74a79bb5d1ee9352df95c7b0e7a67c091e9aaf2247dc33f5fa7e429

Analysis

max time kernel
149s
max time network
126s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
11/07/2024, 01:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8b8b82a8a74a79bb5d1ee9352df95c7b0e7a67c091e9aaf2247dc33f5fa7e429.exe
Size

2.6MB
MD5

f09dd24e2f5d1fc42f0c9eaaa9cfd8a5
SHA1

694a7b78fbed801f38f93eea5f4b2bfee5dd1ea7
SHA256

8b8b82a8a74a79bb5d1ee9352df95c7b0e7a67c091e9aaf2247dc33f5fa7e429
SHA512

176ddc582535da6c1e968db64d0fea42d643af952862dbe4cd97106bc6eee7d93065ac0bef9e86d69b35f77579e133304a56e813a8edcb675b5c47a9652248a7
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBPB/bS:sxX7QnxrloE5dpUpsb

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe	8b8b82a8a74a79bb5d1ee9352df95c7b0e7a67c091e9aaf2247dc33f5fa7e429.exe

Executes dropped EXE 2 IoCs

pid	Process
2308	ecxopti.exe
2824	xbodec.exe

Loads dropped DLL 2 IoCs

pid	Process
3024	8b8b82a8a74a79bb5d1ee9352df95c7b0e7a67c091e9aaf2247dc33f5fa7e429.exe
3024	8b8b82a8a74a79bb5d1ee9352df95c7b0e7a67c091e9aaf2247dc33f5fa7e429.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesGY\\xbodec.exe"	8b8b82a8a74a79bb5d1ee9352df95c7b0e7a67c091e9aaf2247dc33f5fa7e429.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid1A\\dobxec.exe"	8b8b82a8a74a79bb5d1ee9352df95c7b0e7a67c091e9aaf2247dc33f5fa7e429.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3024	8b8b82a8a74a79bb5d1ee9352df95c7b0e7a67c091e9aaf2247dc33f5fa7e429.exe
3024	8b8b82a8a74a79bb5d1ee9352df95c7b0e7a67c091e9aaf2247dc33f5fa7e429.exe
2308	ecxopti.exe
2824	xbodec.exe
2308	ecxopti.exe
2824	xbodec.exe
2308	ecxopti.exe
2824	xbodec.exe
2308	ecxopti.exe
2824	xbodec.exe
2308	ecxopti.exe
2824	xbodec.exe
2308	ecxopti.exe
2824	xbodec.exe
2308	ecxopti.exe
2824	xbodec.exe
2308	ecxopti.exe
2824	xbodec.exe
2308	ecxopti.exe
2824	xbodec.exe
2308	ecxopti.exe
2824	xbodec.exe
2308	ecxopti.exe
2824	xbodec.exe
2308	ecxopti.exe
2824	xbodec.exe
2308	ecxopti.exe
2824	xbodec.exe
2308	ecxopti.exe
2824	xbodec.exe
2308	ecxopti.exe
2824	xbodec.exe
2308	ecxopti.exe
2824	xbodec.exe
2308	ecxopti.exe
2824	xbodec.exe
2308	ecxopti.exe
2824	xbodec.exe
2308	ecxopti.exe
2824	xbodec.exe
2308	ecxopti.exe
2824	xbodec.exe
2308	ecxopti.exe
2824	xbodec.exe
2308	ecxopti.exe
2824	xbodec.exe
2308	ecxopti.exe
2824	xbodec.exe
2308	ecxopti.exe
2824	xbodec.exe
2308	ecxopti.exe
2824	xbodec.exe
2308	ecxopti.exe
2824	xbodec.exe
2308	ecxopti.exe
2824	xbodec.exe
2308	ecxopti.exe
2824	xbodec.exe
2308	ecxopti.exe
2824	xbodec.exe
2308	ecxopti.exe
2824	xbodec.exe
2308	ecxopti.exe
2824	xbodec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 2308	3024	8b8b82a8a74a79bb5d1ee9352df95c7b0e7a67c091e9aaf2247dc33f5fa7e429.exe	30
PID 3024 wrote to memory of 2308	3024	8b8b82a8a74a79bb5d1ee9352df95c7b0e7a67c091e9aaf2247dc33f5fa7e429.exe	30
PID 3024 wrote to memory of 2308	3024	8b8b82a8a74a79bb5d1ee9352df95c7b0e7a67c091e9aaf2247dc33f5fa7e429.exe	30
PID 3024 wrote to memory of 2308	3024	8b8b82a8a74a79bb5d1ee9352df95c7b0e7a67c091e9aaf2247dc33f5fa7e429.exe	30
PID 3024 wrote to memory of 2824	3024	8b8b82a8a74a79bb5d1ee9352df95c7b0e7a67c091e9aaf2247dc33f5fa7e429.exe	31
PID 3024 wrote to memory of 2824	3024	8b8b82a8a74a79bb5d1ee9352df95c7b0e7a67c091e9aaf2247dc33f5fa7e429.exe	31
PID 3024 wrote to memory of 2824	3024	8b8b82a8a74a79bb5d1ee9352df95c7b0e7a67c091e9aaf2247dc33f5fa7e429.exe	31
PID 3024 wrote to memory of 2824	3024	8b8b82a8a74a79bb5d1ee9352df95c7b0e7a67c091e9aaf2247dc33f5fa7e429.exe	31

C:\Users\Admin\AppData\Local\Temp\8b8b82a8a74a79bb5d1ee9352df95c7b0e7a67c091e9aaf2247dc33f5fa7e429.exe
"C:\Users\Admin\AppData\Local\Temp\8b8b82a8a74a79bb5d1ee9352df95c7b0e7a67c091e9aaf2247dc33f5fa7e429.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2308
- C:\FilesGY\xbodec.exe
  C:\FilesGY\xbodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesGY\xbodec.exe

Filesize
2.6MB

MD5
1155bedeccbda90d57992b75ca5c9269

SHA1
3a21ed9d9d0de982b8d2c4b2302cc271ee5e203b

SHA256
453c7d2fb92d02819bf6c0882fd576ccb0958ef9cf977b0cdfb3f8851984d811

SHA512
83ecd0b014713f36f24eda7977decbc9c02f17931f7e339faa3e3b01f8f888af2aa67c16f90637fb129e292b4174bd80de225ccbb93ea1c0b54df5583b772611

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
165B

MD5
07deb13c0a0acd55f3caa05530a33123

SHA1
60c8d9066e34188751c5a5581c3255f5ab884c32

SHA256
745deb011e40423fcfbf0db93551eec285f5875ca1ccb63d17df80640864731a

SHA512
abda613bfc78f8256e721bbd724a3ad46f8abed42999f3dbd0895dab4065b1fc899c8779cff195e97e1a31869795e2d566434885f5464fd9743bd8b3dd698716

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
197B

MD5
685fcad5610fa6a140784840a55753d7

SHA1
dd3cc30964b78f708a214a59da86022ca6da006c

SHA256
c86800ba8c8946b6e159c8f325e9cf55165e1973904cb69f9d4507a341bdb61f

SHA512
64ca9a70ab4e62a2afda7c384f424ec9aa491def9edf23396c16854bddba3dcba966287fb8df2726b8a9284d054e469b7910bb13b8dc39668c27a01fcfb3c811

Download Submit
C:\Vid1A\dobxec.exe

Filesize
215KB

MD5
c1759a9daa5d63a03c18f1ed84966856

SHA1
d95853d11ab5a6fd53448f4717feb9db14b4ee75

SHA256
f2e1526fd2ba30718abc9d9027363e5ce8f441527dceed1de93a79da6110ee89

SHA512
2a5212001a5b9ce653e03cafae15244a6067682741b4a9971ffae1d8c0269fb87d2280c959706fd44cedc26aa4cfe99e34f63816854a9ac46996dd214e79ccaf

Download Submit
C:\Vid1A\dobxec.exe

Filesize
2.6MB

MD5
25a2d7856de69c420eb57ff08ca6fdac

SHA1
e7e4c7e0df003b59b7d893c13804249c4333a107

SHA256
465801872723c54efa4a817fc90a00acb4900cd96da2a4657b7cb24c089b8e4e

SHA512
911db5b7d7c68ae2a909a538c5111b1d5f7d0d88719fc36cee314eb65f335ab9798ee4b58f74c931d4d648168f1c5129193f6c0e6ded53aebf87c7c40d5ca5a1

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe

Filesize
2.6MB

MD5
7164a2c330ad390004dce94d200eb70c

SHA1
d940421dd5fc4d85428c9a7b988477b513a99c9e

SHA256
51115e3f864f0e6d46661ce4f9d4cbacebe547b25e6016893d7dd487e1d1b166

SHA512
0403f82e93d2b3a292b5083400d8d026339fc320078e517642c36b95279f0bc96c4f2d6448dec45bf46d8521534213cedebe82f568acea70793ee31a8a438ce9

Download Submit