be58d5420d979948dc4645c56c6d7a202df6a9b69c0bf2a3ba4d550aa641c968

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
07-08-2024 02:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be58d5420d979948dc4645c56c6d7a202df6a9b69c0bf2a3ba4d550aa641c968.exe
Size

3.1MB
MD5

86cd062d2f3e66cf9355f2e2f75ba382
SHA1

9a821b521b96ce9a5acc41c4d4070339e23434f6
SHA256

be58d5420d979948dc4645c56c6d7a202df6a9b69c0bf2a3ba4d550aa641c968
SHA512

b56b59dabefef3e17cb278af6ab2070bcbe2521908b39b83411b2965ca144e34f9072af1718c1fc9cb3a869b69af0b7f222788ac44e9414719301159892aa041
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBDB/bSqz8b6LNXJqI20:sxX7QnxrloE5dpUpAbVz8eLFcz

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe	be58d5420d979948dc4645c56c6d7a202df6a9b69c0bf2a3ba4d550aa641c968.exe

Executes dropped EXE 2 IoCs

pid	Process
1944	ecaopti.exe
1672	xdobec.exe

Loads dropped DLL 2 IoCs

pid	Process
2944	be58d5420d979948dc4645c56c6d7a202df6a9b69c0bf2a3ba4d550aa641c968.exe
2944	be58d5420d979948dc4645c56c6d7a202df6a9b69c0bf2a3ba4d550aa641c968.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeBJ\\xdobec.exe"	be58d5420d979948dc4645c56c6d7a202df6a9b69c0bf2a3ba4d550aa641c968.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint8B\\dobxsys.exe"	be58d5420d979948dc4645c56c6d7a202df6a9b69c0bf2a3ba4d550aa641c968.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdobec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	be58d5420d979948dc4645c56c6d7a202df6a9b69c0bf2a3ba4d550aa641c968.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecaopti.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2944	be58d5420d979948dc4645c56c6d7a202df6a9b69c0bf2a3ba4d550aa641c968.exe
2944	be58d5420d979948dc4645c56c6d7a202df6a9b69c0bf2a3ba4d550aa641c968.exe
1944	ecaopti.exe
1672	xdobec.exe
1944	ecaopti.exe
1672	xdobec.exe
1944	ecaopti.exe
1672	xdobec.exe
1944	ecaopti.exe
1672	xdobec.exe
1944	ecaopti.exe
1672	xdobec.exe
1944	ecaopti.exe
1672	xdobec.exe
1944	ecaopti.exe
1672	xdobec.exe
1944	ecaopti.exe
1672	xdobec.exe
1944	ecaopti.exe
1672	xdobec.exe
1944	ecaopti.exe
1672	xdobec.exe
1944	ecaopti.exe
1672	xdobec.exe
1944	ecaopti.exe
1672	xdobec.exe
1944	ecaopti.exe
1672	xdobec.exe
1944	ecaopti.exe
1672	xdobec.exe
1944	ecaopti.exe
1672	xdobec.exe
1944	ecaopti.exe
1672	xdobec.exe
1944	ecaopti.exe
1672	xdobec.exe
1944	ecaopti.exe
1672	xdobec.exe
1944	ecaopti.exe
1672	xdobec.exe
1944	ecaopti.exe
1672	xdobec.exe
1944	ecaopti.exe
1672	xdobec.exe
1944	ecaopti.exe
1672	xdobec.exe
1944	ecaopti.exe
1672	xdobec.exe
1944	ecaopti.exe
1672	xdobec.exe
1944	ecaopti.exe
1672	xdobec.exe
1944	ecaopti.exe
1672	xdobec.exe
1944	ecaopti.exe
1672	xdobec.exe
1944	ecaopti.exe
1672	xdobec.exe
1944	ecaopti.exe
1672	xdobec.exe
1944	ecaopti.exe
1672	xdobec.exe
1944	ecaopti.exe
1672	xdobec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2944 wrote to memory of 1944	2944	be58d5420d979948dc4645c56c6d7a202df6a9b69c0bf2a3ba4d550aa641c968.exe	28
PID 2944 wrote to memory of 1944	2944	be58d5420d979948dc4645c56c6d7a202df6a9b69c0bf2a3ba4d550aa641c968.exe	28
PID 2944 wrote to memory of 1944	2944	be58d5420d979948dc4645c56c6d7a202df6a9b69c0bf2a3ba4d550aa641c968.exe	28
PID 2944 wrote to memory of 1944	2944	be58d5420d979948dc4645c56c6d7a202df6a9b69c0bf2a3ba4d550aa641c968.exe	28
PID 2944 wrote to memory of 1672	2944	be58d5420d979948dc4645c56c6d7a202df6a9b69c0bf2a3ba4d550aa641c968.exe	29
PID 2944 wrote to memory of 1672	2944	be58d5420d979948dc4645c56c6d7a202df6a9b69c0bf2a3ba4d550aa641c968.exe	29
PID 2944 wrote to memory of 1672	2944	be58d5420d979948dc4645c56c6d7a202df6a9b69c0bf2a3ba4d550aa641c968.exe	29
PID 2944 wrote to memory of 1672	2944	be58d5420d979948dc4645c56c6d7a202df6a9b69c0bf2a3ba4d550aa641c968.exe	29

C:\Users\Admin\AppData\Local\Temp\be58d5420d979948dc4645c56c6d7a202df6a9b69c0bf2a3ba4d550aa641c968.exe
"C:\Users\Admin\AppData\Local\Temp\be58d5420d979948dc4645c56c6d7a202df6a9b69c0bf2a3ba4d550aa641c968.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2944
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1944
- C:\AdobeBJ\xdobec.exe
  C:\AdobeBJ\xdobec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeBJ\xdobec.exe

Filesize
3.1MB

MD5
832806d70df336ec0437a38275df5646

SHA1
b3eabc4762810de86a56255adf26f1b76e39d3a2

SHA256
1233a6f24b7fb78568b8aec79159c2784a5d310c0e559d856e9422067ddee230

SHA512
6dae008e56d606781d318546f71261be5a616cf20387abcc65e37ff4f81c31086e5f4aa14d9974573f02069dadc5b6631379fb0084b2cea35fddd0f0f3c2c2ca

Download Submit
C:\Mint8B\dobxsys.exe

Filesize
3.1MB

MD5
28d08e2374634ccd51aa9aea255d8117

SHA1
41ca2bee3b2ac25a14d49780395f6ff089d415a3

SHA256
f2eae8a347fe481383b209f5c4f4b861f9f988a06f9cb1d6f852832c395d5151

SHA512
7a49736469936683bada9df04852dba2465c844e832583fddbe1d27d87bdce4bbc14e832142244c6be3dc927e6296726c1c393b9b36fc976568b7f3312b1a835

Download Submit
C:\Mint8B\dobxsys.exe

Filesize
3.1MB

MD5
6b5ada6783a6e0fd4ade5ed71f743495

SHA1
73d6c0192dde72c3b553b9a9639f63d022fdfe1b

SHA256
c56798e85a0e6841dd47c9a284a3a236463353462de828d5daadd617c2e98267

SHA512
e6c6cc5cb4defde49eca47993ee45a93b9e1a63e89bdb5b9a6a702c42022da7da2f8bd5748faa493f51ecee5ed3548420c49de273727cf12b05c3cde2d05518a

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
167B

MD5
55b9de7001988ccb36891ea0381c18fb

SHA1
45fdc6d20a8f371279a538fbfe81e110766457eb

SHA256
c0171afe0b273bb3c9988c49f4502d42f17a84c3537abf062b1b603984ff5bc2

SHA512
761a0c99dc852b08712031c4a741476ae6ae3e29910854b8feb192030e459c67369975476497f5be1358df5c7e6437cb5d8600b94846e36f49070ba61b766b0b

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
199B

MD5
a5b87402b5b6e9d01c269ee2d82bc0ac

SHA1
ae321c009c0049682edc05553a23e3fffeac8686

SHA256
0c0a680a8e19963e56dae6b6e9bfce41fa404c6ca603515a00a2096ea83a8764

SHA512
7a9404754749ec0921316a7a77519df75c307a0d2a1f14e6ecd526947ed832e51570b5331614c36b07345d38c26926b14f7729a28ff58a57f02ed4f0f00cdfd4

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe

Filesize
3.1MB

MD5
9a76faa0dc133f60ccda45a156844aba

SHA1
b6e9c73ad48cbab7d805f1bd97035fec42e44dca

SHA256
73753c533ea6038455e5546c68572a6375d2d6d6b143471446d01b6a03a657f4

SHA512
130201e058a7c4b52efdee601d2fdd8fa6f92c1f78013338ec74bcdb8ac41b6bf2f1f4c04e35fd2098e676de27ce213b6f965761a72bde09958b48e795d19d75

Download Submit