9738ef03ce2bfc407586066e252e39a680e1094b6af49f23fd67a945b3bfd408

Analysis

max time kernel
119s
max time network
16s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
05/08/2024, 08:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

714f42f8883edee5fb8024725326e6f0N.exe
Size

3.1MB
MD5

714f42f8883edee5fb8024725326e6f0
SHA1

3f34bcf888acdca5f71bb3dc911ab9670425981b
SHA256

9738ef03ce2bfc407586066e252e39a680e1094b6af49f23fd67a945b3bfd408
SHA512

476e8e8e4568d67d9c422cbc3bc3040548dcd7d46b51e88650b2d714ad626a444f0edebc74ca6c74c911c987aa77c03fa36f9cff965dc0b1d6e24dcfd5730218
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBfB/bSqz8:sxX7QnxrloE5dpUp0bVz8

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe	714f42f8883edee5fb8024725326e6f0N.exe

Executes dropped EXE 2 IoCs

pid	Process
2832	ecxdob.exe
2644	abodloc.exe

Loads dropped DLL 2 IoCs

pid	Process
2932	714f42f8883edee5fb8024725326e6f0N.exe
2932	714f42f8883edee5fb8024725326e6f0N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotUA\\abodloc.exe"	714f42f8883edee5fb8024725326e6f0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax8K\\optialoc.exe"	714f42f8883edee5fb8024725326e6f0N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	714f42f8883edee5fb8024725326e6f0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecxdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abodloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2932	714f42f8883edee5fb8024725326e6f0N.exe
2932	714f42f8883edee5fb8024725326e6f0N.exe
2832	ecxdob.exe
2644	abodloc.exe
2832	ecxdob.exe
2644	abodloc.exe
2832	ecxdob.exe
2644	abodloc.exe
2832	ecxdob.exe
2644	abodloc.exe
2832	ecxdob.exe
2644	abodloc.exe
2832	ecxdob.exe
2644	abodloc.exe
2832	ecxdob.exe
2644	abodloc.exe
2832	ecxdob.exe
2644	abodloc.exe
2832	ecxdob.exe
2644	abodloc.exe
2832	ecxdob.exe
2644	abodloc.exe
2832	ecxdob.exe
2644	abodloc.exe
2832	ecxdob.exe
2644	abodloc.exe
2832	ecxdob.exe
2644	abodloc.exe
2832	ecxdob.exe
2644	abodloc.exe
2832	ecxdob.exe
2644	abodloc.exe
2832	ecxdob.exe
2644	abodloc.exe
2832	ecxdob.exe
2644	abodloc.exe
2832	ecxdob.exe
2644	abodloc.exe
2832	ecxdob.exe
2644	abodloc.exe
2832	ecxdob.exe
2644	abodloc.exe
2832	ecxdob.exe
2644	abodloc.exe
2832	ecxdob.exe
2644	abodloc.exe
2832	ecxdob.exe
2644	abodloc.exe
2832	ecxdob.exe
2644	abodloc.exe
2832	ecxdob.exe
2644	abodloc.exe
2832	ecxdob.exe
2644	abodloc.exe
2832	ecxdob.exe
2644	abodloc.exe
2832	ecxdob.exe
2644	abodloc.exe
2832	ecxdob.exe
2644	abodloc.exe
2832	ecxdob.exe
2644	abodloc.exe
2832	ecxdob.exe
2644	abodloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 2832	2932	714f42f8883edee5fb8024725326e6f0N.exe	30
PID 2932 wrote to memory of 2832	2932	714f42f8883edee5fb8024725326e6f0N.exe	30
PID 2932 wrote to memory of 2832	2932	714f42f8883edee5fb8024725326e6f0N.exe	30
PID 2932 wrote to memory of 2832	2932	714f42f8883edee5fb8024725326e6f0N.exe	30
PID 2932 wrote to memory of 2644	2932	714f42f8883edee5fb8024725326e6f0N.exe	31
PID 2932 wrote to memory of 2644	2932	714f42f8883edee5fb8024725326e6f0N.exe	31
PID 2932 wrote to memory of 2644	2932	714f42f8883edee5fb8024725326e6f0N.exe	31
PID 2932 wrote to memory of 2644	2932	714f42f8883edee5fb8024725326e6f0N.exe	31

C:\Users\Admin\AppData\Local\Temp\714f42f8883edee5fb8024725326e6f0N.exe
"C:\Users\Admin\AppData\Local\Temp\714f42f8883edee5fb8024725326e6f0N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2832
- C:\UserDotUA\abodloc.exe
  C:\UserDotUA\abodloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Galax8K\optialoc.exe

Filesize
3.1MB

MD5
fe15e3300f1cf0a287ce73a71333e58f

SHA1
9b63cf170c6a168b1286435583c1ffb86a5cd689

SHA256
065011d9ed5ef35b54a0ee7bbde01ac28f48b19e037d8079642585c25068486c

SHA512
1f23f51ef4cbbd1894ecb28f23815341cfaddeab70573fcc36d3a6157c41830e0a95e03a10de6de97a001df49c6f032a61520765dfa721e22d90d0ade1ca6dc7

Download Submit
C:\Galax8K\optialoc.exe

Filesize
3.1MB

MD5
f16d3c919ec11419ec4a6fcfc0d4c07a

SHA1
7c26bf11738a20bc961d578de0057c5868319842

SHA256
63448e6401627b7fdb5d253de5d9dbea35c089f480fb2001ccf8f6f11b557ae5

SHA512
a61958381ca78d8b48e47d277c45868a56d37ca5e7ad76c3d4bf395bfee4ea6b2ed95277acd6ea4cf02286fa355f11e7a197459f16323af5e2b8a16f79898acd

Download Submit
C:\UserDotUA\abodloc.exe

Filesize
3.1MB

MD5
c020199645f3c149773ad6e79b5a3970

SHA1
0a8b7de3e75e3f0bea06df93858b794c14d9d542

SHA256
94d1998ae7e0ddbd2f438a644debcbe8762883cfedd0eac5f8a0ecb7a1aa05a7

SHA512
d9544162f1b93f82d65ed4477eca1a1c3daaf0369728f5f53c7a0c321ccc3bc53525bb84ec5d1c1fda39c05b270c567ab93ccd402e4e4be3623090a638d19c0d

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
171B

MD5
18db722208c469752b72aeeb46ba671b

SHA1
bcecf5f9a252ace276252e91da2aec84754d0b66

SHA256
3583b33c4e191e80771447e35afbad6e4a38e59b524a67cbba0e6262c0dd5429

SHA512
2331d8e78f68d5918138970338d6588d074fc58fbc8234baa2e2e78838d3142e65ec169def802224dcc97739f209f6ee993d3160cdd4b161cf6ddfb49bc65c1a

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
a2540c4c2c0a450c4a73270eaac3b064

SHA1
bcdf129507a4da77365ae5d5eb9850fddde356f7

SHA256
eb771595888f16cc4bd1f6263632efa37ddc18fe7ce924ebcd0146e7025fdf71

SHA512
626fc660120fefbd11938fbc84f385a865b176a0c3d16c0ccfc74c2fc5c176aa08c9ed6318bddaea2f7e7dee30f8571598e72fe62915769ab5e906640e7c6858

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe

Filesize
3.1MB

MD5
e45c921250fb78b2cd0576ed5e59a96c

SHA1
be22665a27b8f8edfe434971775fbf05e87c2d9c

SHA256
d1b2f9bff7f469e737c551541cf0258d849af05d00ccbfd56e778814b50e8cc1

SHA512
061ff40eae2a4530c2d033c657ba6f2c9c4e795364de283661eb70065c11387e20889dda8aa8347c4d76325b6b9b099d9a709d8374c12a61d5d5098f64955721

Download Submit