77d87be7e52fa7d8e6fe95da9879f3f76a6aef416a9b2823edee5ffd049fb982

Analysis

max time kernel
119s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26-07-2024 20:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

50671fe5a08ce927be83ce02cc151020N.exe
Size

3.6MB
MD5

50671fe5a08ce927be83ce02cc151020
SHA1

261affaab1c258e4c0ea175eb5a8e6fb94db525c
SHA256

77d87be7e52fa7d8e6fe95da9879f3f76a6aef416a9b2823edee5ffd049fb982
SHA512

dd52ff8325fd85fcd49e1d5c8ca112cc502cc090492881f6eb7baaa25fcea67c391e7b43999f94da38205904fb76d0fc07e0e4a93d1c2046f6fc5662d8f25ba0
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB6B/bSqz8:sxX7QnxrloE5dpUplbVz8

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe	50671fe5a08ce927be83ce02cc151020N.exe

Executes dropped EXE 2 IoCs

pid	Process
3716	ecxopti.exe
4456	adobec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv5Z\\adobec.exe"	50671fe5a08ce927be83ce02cc151020N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZU9\\optixloc.exe"	50671fe5a08ce927be83ce02cc151020N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	50671fe5a08ce927be83ce02cc151020N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecxopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adobec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1740	50671fe5a08ce927be83ce02cc151020N.exe
1740	50671fe5a08ce927be83ce02cc151020N.exe
1740	50671fe5a08ce927be83ce02cc151020N.exe
1740	50671fe5a08ce927be83ce02cc151020N.exe
3716	ecxopti.exe
3716	ecxopti.exe
4456	adobec.exe
4456	adobec.exe
3716	ecxopti.exe
3716	ecxopti.exe
4456	adobec.exe
4456	adobec.exe
3716	ecxopti.exe
3716	ecxopti.exe
4456	adobec.exe
4456	adobec.exe
3716	ecxopti.exe
3716	ecxopti.exe
4456	adobec.exe
4456	adobec.exe
3716	ecxopti.exe
3716	ecxopti.exe
4456	adobec.exe
4456	adobec.exe
3716	ecxopti.exe
3716	ecxopti.exe
4456	adobec.exe
4456	adobec.exe
3716	ecxopti.exe
3716	ecxopti.exe
4456	adobec.exe
4456	adobec.exe
3716	ecxopti.exe
3716	ecxopti.exe
4456	adobec.exe
4456	adobec.exe
3716	ecxopti.exe
3716	ecxopti.exe
4456	adobec.exe
4456	adobec.exe
3716	ecxopti.exe
3716	ecxopti.exe
4456	adobec.exe
4456	adobec.exe
3716	ecxopti.exe
3716	ecxopti.exe
4456	adobec.exe
4456	adobec.exe
3716	ecxopti.exe
3716	ecxopti.exe
4456	adobec.exe
4456	adobec.exe
3716	ecxopti.exe
3716	ecxopti.exe
4456	adobec.exe
4456	adobec.exe
3716	ecxopti.exe
3716	ecxopti.exe
4456	adobec.exe
4456	adobec.exe
3716	ecxopti.exe
3716	ecxopti.exe
4456	adobec.exe
4456	adobec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 3716	1740	50671fe5a08ce927be83ce02cc151020N.exe	89
PID 1740 wrote to memory of 3716	1740	50671fe5a08ce927be83ce02cc151020N.exe	89
PID 1740 wrote to memory of 3716	1740	50671fe5a08ce927be83ce02cc151020N.exe	89
PID 1740 wrote to memory of 4456	1740	50671fe5a08ce927be83ce02cc151020N.exe	92
PID 1740 wrote to memory of 4456	1740	50671fe5a08ce927be83ce02cc151020N.exe	92
PID 1740 wrote to memory of 4456	1740	50671fe5a08ce927be83ce02cc151020N.exe	92

C:\Users\Admin\AppData\Local\Temp\50671fe5a08ce927be83ce02cc151020N.exe
"C:\Users\Admin\AppData\Local\Temp\50671fe5a08ce927be83ce02cc151020N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3716
- C:\SysDrv5Z\adobec.exe
  C:\SysDrv5Z\adobec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZU9\optixloc.exe

Filesize
3.6MB

MD5
77f23cf3d1bad2abc125ed43ccdae5d9

SHA1
0adfbd7d7eb764c6a0eae6714c1fd9f751b5d579

SHA256
6d63164c53ca7ea647882f20864d66af3594676c5296011558c95bfd8d6ab0d1

SHA512
d9882fc47d8a064358fb9aec7d77edffb35eaef51c646c5ff2c5246cbaa7d9635788a4159930c9ca6a617f6c95ec656114ad1633d5dead33a093f3b2acb9e6d9

Download Submit
C:\LabZU9\optixloc.exe

Filesize
877KB

MD5
6978c0d4a29925471bbe909ac5e3cae2

SHA1
502862d7b133c02de51e53399255f07526e58f78

SHA256
0ca8683fdc2d76b30010fbbb024623ee6be90c86b4601dc8306194470fad5dd1

SHA512
a7a8a5e6fb6d9424a2ed5458a6bcde77266f9f4aa71d8c815634d5f2627d782e85b26c2a5f506290efc5fade211c61d54edae162a932e0f94876692f564660e0

Download Submit
C:\SysDrv5Z\adobec.exe

Filesize
1.1MB

MD5
fc43689025a4a3a4455173c1451edd1a

SHA1
8fc8eb9a262af0e95320494ccae880b3c9c3a2a4

SHA256
e3741bdbbe4d59385c6a067b9e725639d9e3af5f7f35228aa2fc449d26f67864

SHA512
431ffdf899718c0e403ac107c6d7a262944e192dc574e7dcf22dafc5e17bdaeb7c156ab30c6d0d65b36140ff4850fca9fd7c0f64c7adf8fe8d9febfe28c39d85

Download Submit
C:\SysDrv5Z\adobec.exe

Filesize
3.6MB

MD5
b277d7ca14cfd63d2ae689aacd33c1c5

SHA1
2b04a3171a397f50b2a5b0dbbe35750f01e22e82

SHA256
7c5b686952c34ffef26ad562132558d497b64bec1bad6f1e1680e39e05b5d507

SHA512
07c369c17df2c7535beb1212436eb02884ac92eae339cd8e8b9950434ddb8687a6b1fe4be9de3c9bb81a8800c4f48affaf28e42d77299a9353c83ed781cee9b3

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
201B

MD5
ca9aefbffd4a80efe208f12dbfaee5bb

SHA1
a3954a09f3311a2096f6fc58b5f8d11846bb6008

SHA256
592405739ac4e7f35e470f9e3d02e965d2008ab66836f1222ce4846a543fbf7f

SHA512
3b4e391d15c0b778eb5808b371e601abc579aef893260cd79254d90dd8a9c1d6e44c147dd96f7b8ebbf48f15e15da3b02c8fb18f06cfeb4dfee772c98abeb5db

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
169B

MD5
72dd4189cda61d4528d4b50b16896cd9

SHA1
d042d4bb8016e284edca9e8021046568a8a0522e

SHA256
821d85df2996dd60afac25ac65f7d026c5b6ed69742cd98d421b0112be88e64c

SHA512
16a51d9582e4079e3448eca7e6bdb7c6d8a43b4b9cea9118e2cb756fda18071c7f637fed6ff0c6e8cc9c9ab432bf326d8396e1a0a0d1be50a7c0c6711fa48798

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe

Filesize
3.6MB

MD5
ec742129252840378ecfa85a7a9554e8

SHA1
68325771c98b1b7269996d9f71e140990108383a

SHA256
5d694ba5e4e50b90652d7bce10fd677ef722eeeb896d612f102001b7ac6d533d

SHA512
918d7a5242cd77b54afbb55910d3f216923a2002745a2b5f375bc77075c414f351fb01a1f55f900b155c7b7203ff93d970342905f0ab51eb1599a06746a4e3d0

Download Submit