c11fab88c4ec3a535135389ada537d37d4e1ff93b61f3735800588133bcaa73c

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
09-08-2024 01:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c11fab88c4ec3a535135389ada537d37d4e1ff93b61f3735800588133bcaa73c.exe
Size

3.0MB
MD5

cb07d47e6f83ea340f25fe0d97252b48
SHA1

746f951ead450acc3ce2ff5e5a18a1a7d56867a1
SHA256

c11fab88c4ec3a535135389ada537d37d4e1ff93b61f3735800588133bcaa73c
SHA512

52fd0df1f717ae4e568678e0a6d6ae635814ef165034ff7763721d6a7e48af6fe5e3af4c8e6f776c67d23e50bf075e0b36a973bf97c1ce2413bb9915140d74ff
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB6B/bSqz8b6LNX:sxX7QnxrloE5dpUpFbVz8eLF

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe	c11fab88c4ec3a535135389ada537d37d4e1ff93b61f3735800588133bcaa73c.exe

Executes dropped EXE 2 IoCs

pid	Process
2408	ecdevdob.exe
2084	xoptiec.exe

Loads dropped DLL 2 IoCs

pid	Process
2500	c11fab88c4ec3a535135389ada537d37d4e1ff93b61f3735800588133bcaa73c.exe
2500	c11fab88c4ec3a535135389ada537d37d4e1ff93b61f3735800588133bcaa73c.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeA6\\xoptiec.exe"	c11fab88c4ec3a535135389ada537d37d4e1ff93b61f3735800588133bcaa73c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidJ3\\dobasys.exe"	c11fab88c4ec3a535135389ada537d37d4e1ff93b61f3735800588133bcaa73c.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c11fab88c4ec3a535135389ada537d37d4e1ff93b61f3735800588133bcaa73c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecdevdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xoptiec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2500	c11fab88c4ec3a535135389ada537d37d4e1ff93b61f3735800588133bcaa73c.exe
2500	c11fab88c4ec3a535135389ada537d37d4e1ff93b61f3735800588133bcaa73c.exe
2408	ecdevdob.exe
2084	xoptiec.exe
2408	ecdevdob.exe
2084	xoptiec.exe
2408	ecdevdob.exe
2084	xoptiec.exe
2408	ecdevdob.exe
2084	xoptiec.exe
2408	ecdevdob.exe
2084	xoptiec.exe
2408	ecdevdob.exe
2084	xoptiec.exe
2408	ecdevdob.exe
2084	xoptiec.exe
2408	ecdevdob.exe
2084	xoptiec.exe
2408	ecdevdob.exe
2084	xoptiec.exe
2408	ecdevdob.exe
2084	xoptiec.exe
2408	ecdevdob.exe
2084	xoptiec.exe
2408	ecdevdob.exe
2084	xoptiec.exe
2408	ecdevdob.exe
2084	xoptiec.exe
2408	ecdevdob.exe
2084	xoptiec.exe
2408	ecdevdob.exe
2084	xoptiec.exe
2408	ecdevdob.exe
2084	xoptiec.exe
2408	ecdevdob.exe
2084	xoptiec.exe
2408	ecdevdob.exe
2084	xoptiec.exe
2408	ecdevdob.exe
2084	xoptiec.exe
2408	ecdevdob.exe
2084	xoptiec.exe
2408	ecdevdob.exe
2084	xoptiec.exe
2408	ecdevdob.exe
2084	xoptiec.exe
2408	ecdevdob.exe
2084	xoptiec.exe
2408	ecdevdob.exe
2084	xoptiec.exe
2408	ecdevdob.exe
2084	xoptiec.exe
2408	ecdevdob.exe
2084	xoptiec.exe
2408	ecdevdob.exe
2084	xoptiec.exe
2408	ecdevdob.exe
2084	xoptiec.exe
2408	ecdevdob.exe
2084	xoptiec.exe
2408	ecdevdob.exe
2084	xoptiec.exe
2408	ecdevdob.exe
2084	xoptiec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2500 wrote to memory of 2408	2500	c11fab88c4ec3a535135389ada537d37d4e1ff93b61f3735800588133bcaa73c.exe	31
PID 2500 wrote to memory of 2408	2500	c11fab88c4ec3a535135389ada537d37d4e1ff93b61f3735800588133bcaa73c.exe	31
PID 2500 wrote to memory of 2408	2500	c11fab88c4ec3a535135389ada537d37d4e1ff93b61f3735800588133bcaa73c.exe	31
PID 2500 wrote to memory of 2408	2500	c11fab88c4ec3a535135389ada537d37d4e1ff93b61f3735800588133bcaa73c.exe	31
PID 2500 wrote to memory of 2084	2500	c11fab88c4ec3a535135389ada537d37d4e1ff93b61f3735800588133bcaa73c.exe	32
PID 2500 wrote to memory of 2084	2500	c11fab88c4ec3a535135389ada537d37d4e1ff93b61f3735800588133bcaa73c.exe	32
PID 2500 wrote to memory of 2084	2500	c11fab88c4ec3a535135389ada537d37d4e1ff93b61f3735800588133bcaa73c.exe	32
PID 2500 wrote to memory of 2084	2500	c11fab88c4ec3a535135389ada537d37d4e1ff93b61f3735800588133bcaa73c.exe	32

C:\Users\Admin\AppData\Local\Temp\c11fab88c4ec3a535135389ada537d37d4e1ff93b61f3735800588133bcaa73c.exe
"C:\Users\Admin\AppData\Local\Temp\c11fab88c4ec3a535135389ada537d37d4e1ff93b61f3735800588133bcaa73c.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2500
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2408
- C:\AdobeA6\xoptiec.exe
  C:\AdobeA6\xoptiec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeA6\xoptiec.exe

Filesize
3.0MB

MD5
98734288a232221923e8aae31405537c

SHA1
e7d3717d50bc405e8e62624360f138910ab96b04

SHA256
c965299aabcaf71bfc7c45de0bbb2d57b60613ac31dbc0d8efde4e99761a623c

SHA512
77e91d46050b01d5a2ceca357eb7fb5834ea97eae17d4981b27ffdfa51c7326797cf9c9f323fb79cdca4d6356ed77a0fc28e227ae60c6450a6bfe7542a94d87d

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
168B

MD5
b4f13ef569bb6f854ae487f8a106e011

SHA1
1327e50fd3288d2fd351f7322bdbbb6f6b3073a1

SHA256
f68bf43b2db357b32aaf5a871ac6706542e37412e1aa9d5339335e324aa7dbf1

SHA512
1d1121007f1c690d987d10a86b966f6af2bd3981513479a0f6a4f3aecfbb50381c7acc81ef824b76d4d0d60a2d2f3d43481a32bab3cc83ed7e51248c731bcd69

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
200B

MD5
74486f05a38b45a096637b2ca1cecf2f

SHA1
3997c76e1d75b19d2ae80770cab957c5c58e661f

SHA256
f3408400d5b7e950cc53326057b51fb3f79e764a70c52ee22a5da9f5909e1df7

SHA512
d005ee9019115375f02a743f1b1c2ee4e33d1920bcacadbcce2814c93176bdd20f5f0e7df3068df8bb44f27539f2be6fa2f7a08f5263a55af6e226d01a5ea843

Download Submit
C:\VidJ3\dobasys.exe

Filesize
2.2MB

MD5
1b1d01ef94ccb4e2c761db7ea4ff7c27

SHA1
a33fa1ad1108059ad660618b711fe51a49db662d

SHA256
4150a76e035801a7b25d6b4d722a553e5d60c75e456b1cf60d182938c49215ca

SHA512
92e12caf64fdb9adfe53a210dab804e5c6b7e8e1c51a066551fd512fb335052c14bbb6f4c3447ed9539f8e540ae4c906c0b3199a14feaeef810316723c9bcaae

Download Submit
C:\VidJ3\dobasys.exe

Filesize
3.0MB

MD5
b8f8ec91187a45b65f3f66001286304d

SHA1
852e3830b00ec5b6f568690b309d8a36fb49d023

SHA256
770b63b3f48ee4bcc17ce6a23bc8d060130cce878fdd274b48dc1ce9d61f79f7

SHA512
e741566946c666ddb581358bebd94e4d66955c13793e3539eb157effc60bdf872796d3e985760113f40ea3b854984ff953d0127e06d5c301e569846c6c1f9752

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe

Filesize
3.0MB

MD5
9dcdcca8e061b2a13496a632c5b1a806

SHA1
79229e1aac33191879cb0d0d768b1e8f11cbc1e7

SHA256
3aa7f33c5f988f8810584ef9a3bc8d0d49e4cf3f3930d5d7b9e0154f795191b6

SHA512
202790e18a8220d3e55907b68327e6e8a8af3b0f81267955b515d1a36c8754be2c113c819326fd3baf7a95bc909881e15df2c709a275c2d62d8cb9bfa1bd4110

Download Submit