78d6a6247cc90761fa4e6c107cb35497b0e14b054e42904d6b38ba3002cfa93e

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
11/08/2024, 22:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

78d6a6247cc90761fa4e6c107cb35497b0e14b054e42904d6b38ba3002cfa93e.exe
Size

2.6MB
MD5

77ae978e70a61e48348de3de0fe1c507
SHA1

b83817213588ed4a1c6d62eaf36d0ad02b5dbeb2
SHA256

78d6a6247cc90761fa4e6c107cb35497b0e14b054e42904d6b38ba3002cfa93e
SHA512

44d5b525a7ba8042af22918d5d27ae9d98df81a627382253a577d400f488bbf983d70dd037be7e2a07077463a31622c36571fd187e0968ea3e12a44c8c15e050
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBFB/bS:sxX7QnxrloE5dpUpCb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe	78d6a6247cc90761fa4e6c107cb35497b0e14b054e42904d6b38ba3002cfa93e.exe

Executes dropped EXE 2 IoCs

pid	Process
2296	ecxopti.exe
2572	adobsys.exe

Loads dropped DLL 2 IoCs

pid	Process
2604	78d6a6247cc90761fa4e6c107cb35497b0e14b054e42904d6b38ba3002cfa93e.exe
2604	78d6a6247cc90761fa4e6c107cb35497b0e14b054e42904d6b38ba3002cfa93e.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeUO\\adobsys.exe"	78d6a6247cc90761fa4e6c107cb35497b0e14b054e42904d6b38ba3002cfa93e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZUR\\optiaec.exe"	78d6a6247cc90761fa4e6c107cb35497b0e14b054e42904d6b38ba3002cfa93e.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	78d6a6247cc90761fa4e6c107cb35497b0e14b054e42904d6b38ba3002cfa93e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecxopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adobsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2604	78d6a6247cc90761fa4e6c107cb35497b0e14b054e42904d6b38ba3002cfa93e.exe
2604	78d6a6247cc90761fa4e6c107cb35497b0e14b054e42904d6b38ba3002cfa93e.exe
2296	ecxopti.exe
2572	adobsys.exe
2296	ecxopti.exe
2572	adobsys.exe
2296	ecxopti.exe
2572	adobsys.exe
2296	ecxopti.exe
2572	adobsys.exe
2296	ecxopti.exe
2572	adobsys.exe
2296	ecxopti.exe
2572	adobsys.exe
2296	ecxopti.exe
2572	adobsys.exe
2296	ecxopti.exe
2572	adobsys.exe
2296	ecxopti.exe
2572	adobsys.exe
2296	ecxopti.exe
2572	adobsys.exe
2296	ecxopti.exe
2572	adobsys.exe
2296	ecxopti.exe
2572	adobsys.exe
2296	ecxopti.exe
2572	adobsys.exe
2296	ecxopti.exe
2572	adobsys.exe
2296	ecxopti.exe
2572	adobsys.exe
2296	ecxopti.exe
2572	adobsys.exe
2296	ecxopti.exe
2572	adobsys.exe
2296	ecxopti.exe
2572	adobsys.exe
2296	ecxopti.exe
2572	adobsys.exe
2296	ecxopti.exe
2572	adobsys.exe
2296	ecxopti.exe
2572	adobsys.exe
2296	ecxopti.exe
2572	adobsys.exe
2296	ecxopti.exe
2572	adobsys.exe
2296	ecxopti.exe
2572	adobsys.exe
2296	ecxopti.exe
2572	adobsys.exe
2296	ecxopti.exe
2572	adobsys.exe
2296	ecxopti.exe
2572	adobsys.exe
2296	ecxopti.exe
2572	adobsys.exe
2296	ecxopti.exe
2572	adobsys.exe
2296	ecxopti.exe
2572	adobsys.exe
2296	ecxopti.exe
2572	adobsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2604 wrote to memory of 2296	2604	78d6a6247cc90761fa4e6c107cb35497b0e14b054e42904d6b38ba3002cfa93e.exe	30
PID 2604 wrote to memory of 2296	2604	78d6a6247cc90761fa4e6c107cb35497b0e14b054e42904d6b38ba3002cfa93e.exe	30
PID 2604 wrote to memory of 2296	2604	78d6a6247cc90761fa4e6c107cb35497b0e14b054e42904d6b38ba3002cfa93e.exe	30
PID 2604 wrote to memory of 2296	2604	78d6a6247cc90761fa4e6c107cb35497b0e14b054e42904d6b38ba3002cfa93e.exe	30
PID 2604 wrote to memory of 2572	2604	78d6a6247cc90761fa4e6c107cb35497b0e14b054e42904d6b38ba3002cfa93e.exe	31
PID 2604 wrote to memory of 2572	2604	78d6a6247cc90761fa4e6c107cb35497b0e14b054e42904d6b38ba3002cfa93e.exe	31
PID 2604 wrote to memory of 2572	2604	78d6a6247cc90761fa4e6c107cb35497b0e14b054e42904d6b38ba3002cfa93e.exe	31
PID 2604 wrote to memory of 2572	2604	78d6a6247cc90761fa4e6c107cb35497b0e14b054e42904d6b38ba3002cfa93e.exe	31

C:\Users\Admin\AppData\Local\Temp\78d6a6247cc90761fa4e6c107cb35497b0e14b054e42904d6b38ba3002cfa93e.exe
"C:\Users\Admin\AppData\Local\Temp\78d6a6247cc90761fa4e6c107cb35497b0e14b054e42904d6b38ba3002cfa93e.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2296
- C:\AdobeUO\adobsys.exe
  C:\AdobeUO\adobsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeUO\adobsys.exe

Filesize
2.6MB

MD5
566474725a5bb5a4827ba1ed509e8197

SHA1
0ef143354f7cb03d8a6071ee035cc57dc91cc9cb

SHA256
a010c4d70829254ee6dc6ab90a6bf6fe5f94da671a46331d74da12cfd1381b95

SHA512
5c73ac33fbacb57e8b46b7cfe064d32734470b66a72ad31b9c249f5c80815e27741e2517c49c72f2d80683803150a64a15512bccbce8c6da2f84875b2f9fdb06

Download Submit
C:\LabZUR\optiaec.exe

Filesize
2.6MB

MD5
778f0929cb620a226a280678e2758e50

SHA1
a2f54197a2395d95797316badfb0cdef314897f8

SHA256
67a4b4f67f4fc78a8f0917a0a9054d466d163cfc0a40ebb13bf529390d2085d5

SHA512
ee290577b1780dfbf12c990168e0de3ca1a043459c63dc33869fb9f7e41567ad560820a8e178260493607c5177d9f9104f7ed4c92b2246f01330844db5646b57

Download Submit
C:\LabZUR\optiaec.exe

Filesize
2.6MB

MD5
f2578b599e9bee994ea658d06a3cb10f

SHA1
0f30e4358c4f6ab3be1b2ce010b11925c3baa87e

SHA256
b84326df1a91ee2b01b7ac9f4a179285a2d19e30c1eb43085e6f27963a4fc203

SHA512
8721295cb393e9d92a3460ae13d2d7e96752b9580e5a6c10707cf6ce5f77a976c698fc5068c5601d5828a3d4ebf46002d88b1b818d716a50588d26dd7bb6eed2

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
168B

MD5
f4069e56b89a7243192c6dfe73b2428b

SHA1
c61a47ae0e9fba5bbdb479a2a968731e4b6cd923

SHA256
b69b09ae7d98b422cb877e133802964b95d46e8d6515f8db80ec7c8b874e0fd2

SHA512
dbe79feb3e1214ced4e729a1e71d102a5d20ab0e51cc73c1315aa352fdea8122b8a2d91f7b958677c69de12e196ed3cb01a55abe009a297ea5d99a2a8d4f62b7

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
200B

MD5
eda86f92b54aaa78ec597e2a94a35971

SHA1
20e81e7283f05dae04c2a6a008bda9e4ba517822

SHA256
e851560f42b4f72bf959039aee4f4b68135421b6ee3b1ea91be007cac0f86faa

SHA512
24601ed63153dbe7fac26ebbea7398a1c9316aa108a08f7797060aa6965913544a0853a461f8c3bc5ef15c009dbf41116cefde17a52cee5014e9bf83b8de9cb3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe

Filesize
2.6MB

MD5
2c2d9dca69ed0c47cdb576e3a06e66c5

SHA1
af2bfec10481eb32de460c64618357b592803f01

SHA256
b264805720ac42124c3e805d212d926d0db7c7df3e7d782a84c9d508a1efb09a

SHA512
f8ad3e824e01371c92025ec720dadfb6efb94729f90fd0e189f9dc38f6a24fa19c22a3b75618b73dfb40f5bca30c28647635a1ffea5449829de245797215958b

Download Submit