10ba075df6e7639a4af6492c0c5cf6cc97aee5b165d56ec124cbbe81dabff288

Analysis

max time kernel
120s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
22/07/2024, 07:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7e8e19c8644b1381121f014cadae8460N.exe
Size

3.6MB
MD5

7e8e19c8644b1381121f014cadae8460
SHA1

672d88944b19af0c0b8216fbd4b41388850b0957
SHA256

10ba075df6e7639a4af6492c0c5cf6cc97aee5b165d56ec124cbbe81dabff288
SHA512

58a0fe94bcab66ba63515072dd174d195f369a4fccf010d7efb46f0efd4e07441b427c9fee54a707a767ddd9cdbd484bf7ee17ea70f27c9d0e39e49af7444de2
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBQB/bSqz8:sxX7QnxrloE5dpUpPbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe	7e8e19c8644b1381121f014cadae8460N.exe

Executes dropped EXE 2 IoCs

pid	Process
1948	ecxopti.exe
2044	devdobsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocZ2\\devdobsys.exe"	7e8e19c8644b1381121f014cadae8460N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ5H\\optidevloc.exe"	7e8e19c8644b1381121f014cadae8460N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4700	7e8e19c8644b1381121f014cadae8460N.exe
4700	7e8e19c8644b1381121f014cadae8460N.exe
4700	7e8e19c8644b1381121f014cadae8460N.exe
4700	7e8e19c8644b1381121f014cadae8460N.exe
1948	ecxopti.exe
1948	ecxopti.exe
2044	devdobsys.exe
2044	devdobsys.exe
1948	ecxopti.exe
1948	ecxopti.exe
2044	devdobsys.exe
2044	devdobsys.exe
1948	ecxopti.exe
1948	ecxopti.exe
2044	devdobsys.exe
2044	devdobsys.exe
1948	ecxopti.exe
1948	ecxopti.exe
2044	devdobsys.exe
2044	devdobsys.exe
1948	ecxopti.exe
1948	ecxopti.exe
2044	devdobsys.exe
2044	devdobsys.exe
1948	ecxopti.exe
1948	ecxopti.exe
2044	devdobsys.exe
2044	devdobsys.exe
1948	ecxopti.exe
1948	ecxopti.exe
2044	devdobsys.exe
2044	devdobsys.exe
1948	ecxopti.exe
1948	ecxopti.exe
2044	devdobsys.exe
2044	devdobsys.exe
1948	ecxopti.exe
1948	ecxopti.exe
2044	devdobsys.exe
2044	devdobsys.exe
1948	ecxopti.exe
1948	ecxopti.exe
2044	devdobsys.exe
2044	devdobsys.exe
1948	ecxopti.exe
1948	ecxopti.exe
2044	devdobsys.exe
2044	devdobsys.exe
1948	ecxopti.exe
1948	ecxopti.exe
2044	devdobsys.exe
2044	devdobsys.exe
1948	ecxopti.exe
1948	ecxopti.exe
2044	devdobsys.exe
2044	devdobsys.exe
1948	ecxopti.exe
1948	ecxopti.exe
2044	devdobsys.exe
2044	devdobsys.exe
1948	ecxopti.exe
1948	ecxopti.exe
2044	devdobsys.exe
2044	devdobsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4700 wrote to memory of 1948	4700	7e8e19c8644b1381121f014cadae8460N.exe	87
PID 4700 wrote to memory of 1948	4700	7e8e19c8644b1381121f014cadae8460N.exe	87
PID 4700 wrote to memory of 1948	4700	7e8e19c8644b1381121f014cadae8460N.exe	87
PID 4700 wrote to memory of 2044	4700	7e8e19c8644b1381121f014cadae8460N.exe	88
PID 4700 wrote to memory of 2044	4700	7e8e19c8644b1381121f014cadae8460N.exe	88
PID 4700 wrote to memory of 2044	4700	7e8e19c8644b1381121f014cadae8460N.exe	88

C:\Users\Admin\AppData\Local\Temp\7e8e19c8644b1381121f014cadae8460N.exe
"C:\Users\Admin\AppData\Local\Temp\7e8e19c8644b1381121f014cadae8460N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4700
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1948
- C:\IntelprocZ2\devdobsys.exe
  C:\IntelprocZ2\devdobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocZ2\devdobsys.exe

Filesize
262KB

MD5
27d21dcd50f3febf8099777aeba4caf1

SHA1
7fdc291c75b12a62bc370f13776ef7975c156bbb

SHA256
4564fffe2407cbd7348970571ef7099453337d692e0ccf983cf7f7fefa31af33

SHA512
8a94c93d3880718083c097a659b3dd3e1ab94895a4232f21c8b388c711ef0baa6333be23898bfe5b35cd8e40dbe03bebe358b5af8ab7079702b6f9f35cf3851f

Download Submit
C:\IntelprocZ2\devdobsys.exe

Filesize
3.6MB

MD5
9b02def7d87e3bab2ce7538af4101443

SHA1
d70506612d9546dcb9a37a9df780400146119891

SHA256
3b34e395a8a1f81806d5294ab6c489067d1b8a4137d4a5fb18c7d7979ee7fc50

SHA512
1f4ca2c17f485a300811c28c293025e2f754813f68223dab241880b32f35f3c372f79d70ea442494c0aab24d0b61758b77a4269da305c82d1199df37dd3a0586

Download Submit
C:\LabZ5H\optidevloc.exe

Filesize
3.1MB

MD5
14ab8ee95637b31b00e820185f820a93

SHA1
cd376e98659585235ac8c675ff274417126b9a05

SHA256
6b90bedc84589072db1046627639fc59e8dd13fa3a52f7ed1c94a7622ffa967b

SHA512
bc9033e137ead9fc30c0d182fc1a79c792f45a05526c18cf2e2b623cf1b4e8bbc3c9f5974ea0eca60b7a6a3923ece1ecb97fb867e61e38b3207636b62a01d061

Download Submit
C:\LabZ5H\optidevloc.exe

Filesize
3.6MB

MD5
0d828aa1461ca2adfd9b08156da46a5a

SHA1
3a3641e7f7fe46610fe3919e8a779ecb47ce53c7

SHA256
9d9ef10f9e1af88f85ef9b7275e10fa307674cd806e1efcacac22d5e62f6ccf5

SHA512
5375cb18dc57df60f7ec3f39b973e1bb6af3c55970c7d55b6cf3e726b1ccd856b03496380a6a116c3360cf4f1f19cfdd7119582467db24c1e1b080dba557712a

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
209B

MD5
23a4a330264cb43fcf4bf4569497a7f2

SHA1
495f4b16ad9706fcb8a34fa6de7f45f9a54e5447

SHA256
afb8670697b56d0b0cfe4329381ab0d666241b65de024ccf6b91848b7fcc9f78

SHA512
8c5a1a2ba7de5ce7641e55ec12ad767968b37ddef3e97767924de6c6bcdbdf93c5180adff00ace44ba00955009aef06b5d0d91e66b28852c7083fe89e254e52d

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
177B

MD5
46da87d52e6c9f97aadc9f9e3cd14944

SHA1
4326dd4661771b66255bbfa027a6d40d51212520

SHA256
e5d3090b22271454ec9815a33517b2b0a78e73bcc4ea22ed675f5062a8bfe6ee

SHA512
4694f4417b2310d56099488320901052539ebf8bbf5d2f9c9664125b10cf2cc4c7e663ca7149c9254ed54ee9d1ea6d0902b16a131f7c87f3a67cb5d135efa722

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe

Filesize
3.6MB

MD5
c5a1e1830c5c6a1c98dda692e0df8226

SHA1
1edd8a16d5ec14e6b6bf1942da1630e0d66c2bc8

SHA256
acce095972be348caef793b6e038efc42119a16b2afdcaf415b7f29028a9428b

SHA512
7eaed98c5e781a9980ecbad379b5f39ffb5737561954edbffdfa73cd868f5bfe3b21244c9e7a209dc02e06d269c5dfaa04556d184d5b9417b3020db5a15a5ac0

Download Submit