879ad8ed6d4f6510f73504957d8316591c615ff418fb5617b10a64984e3f98c0

Analysis

max time kernel
149s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
11-08-2024 23:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

879ad8ed6d4f6510f73504957d8316591c615ff418fb5617b10a64984e3f98c0.exe
Size

2.6MB
MD5

266ea141a56df1ed37fbb1652dc818c2
SHA1

865d0abce2a1b4dbd63e2a66a483251482ae1468
SHA256

879ad8ed6d4f6510f73504957d8316591c615ff418fb5617b10a64984e3f98c0
SHA512

b6efcadf54a2b4804764d89ca0a9862e9c462e7c258627a274b68e64836fd7fe1be5c1162384e953c3d9f6fe8da968ff297418c2488d28a3285bd57067d96422
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBFB/bS:sxX7QnxrloE5dpUpyb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe	879ad8ed6d4f6510f73504957d8316591c615ff418fb5617b10a64984e3f98c0.exe

Executes dropped EXE 2 IoCs

pid	Process
1528	ecxbod.exe
2836	xoptisys.exe

Loads dropped DLL 2 IoCs

pid	Process
2452	879ad8ed6d4f6510f73504957d8316591c615ff418fb5617b10a64984e3f98c0.exe
2452	879ad8ed6d4f6510f73504957d8316591c615ff418fb5617b10a64984e3f98c0.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotNJ\\xoptisys.exe"	879ad8ed6d4f6510f73504957d8316591c615ff418fb5617b10a64984e3f98c0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidR6\\boddevec.exe"	879ad8ed6d4f6510f73504957d8316591c615ff418fb5617b10a64984e3f98c0.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	879ad8ed6d4f6510f73504957d8316591c615ff418fb5617b10a64984e3f98c0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecxbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xoptisys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2452	879ad8ed6d4f6510f73504957d8316591c615ff418fb5617b10a64984e3f98c0.exe
2452	879ad8ed6d4f6510f73504957d8316591c615ff418fb5617b10a64984e3f98c0.exe
1528	ecxbod.exe
2836	xoptisys.exe
1528	ecxbod.exe
2836	xoptisys.exe
1528	ecxbod.exe
2836	xoptisys.exe
1528	ecxbod.exe
2836	xoptisys.exe
1528	ecxbod.exe
2836	xoptisys.exe
1528	ecxbod.exe
2836	xoptisys.exe
1528	ecxbod.exe
2836	xoptisys.exe
1528	ecxbod.exe
2836	xoptisys.exe
1528	ecxbod.exe
2836	xoptisys.exe
1528	ecxbod.exe
2836	xoptisys.exe
1528	ecxbod.exe
2836	xoptisys.exe
1528	ecxbod.exe
2836	xoptisys.exe
1528	ecxbod.exe
2836	xoptisys.exe
1528	ecxbod.exe
2836	xoptisys.exe
1528	ecxbod.exe
2836	xoptisys.exe
1528	ecxbod.exe
2836	xoptisys.exe
1528	ecxbod.exe
2836	xoptisys.exe
1528	ecxbod.exe
2836	xoptisys.exe
1528	ecxbod.exe
2836	xoptisys.exe
1528	ecxbod.exe
2836	xoptisys.exe
1528	ecxbod.exe
2836	xoptisys.exe
1528	ecxbod.exe
2836	xoptisys.exe
1528	ecxbod.exe
2836	xoptisys.exe
1528	ecxbod.exe
2836	xoptisys.exe
1528	ecxbod.exe
2836	xoptisys.exe
1528	ecxbod.exe
2836	xoptisys.exe
1528	ecxbod.exe
2836	xoptisys.exe
1528	ecxbod.exe
2836	xoptisys.exe
1528	ecxbod.exe
2836	xoptisys.exe
1528	ecxbod.exe
2836	xoptisys.exe
1528	ecxbod.exe
2836	xoptisys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2452 wrote to memory of 1528	2452	879ad8ed6d4f6510f73504957d8316591c615ff418fb5617b10a64984e3f98c0.exe	29
PID 2452 wrote to memory of 1528	2452	879ad8ed6d4f6510f73504957d8316591c615ff418fb5617b10a64984e3f98c0.exe	29
PID 2452 wrote to memory of 1528	2452	879ad8ed6d4f6510f73504957d8316591c615ff418fb5617b10a64984e3f98c0.exe	29
PID 2452 wrote to memory of 1528	2452	879ad8ed6d4f6510f73504957d8316591c615ff418fb5617b10a64984e3f98c0.exe	29
PID 2452 wrote to memory of 2836	2452	879ad8ed6d4f6510f73504957d8316591c615ff418fb5617b10a64984e3f98c0.exe	30
PID 2452 wrote to memory of 2836	2452	879ad8ed6d4f6510f73504957d8316591c615ff418fb5617b10a64984e3f98c0.exe	30
PID 2452 wrote to memory of 2836	2452	879ad8ed6d4f6510f73504957d8316591c615ff418fb5617b10a64984e3f98c0.exe	30
PID 2452 wrote to memory of 2836	2452	879ad8ed6d4f6510f73504957d8316591c615ff418fb5617b10a64984e3f98c0.exe	30

C:\Users\Admin\AppData\Local\Temp\879ad8ed6d4f6510f73504957d8316591c615ff418fb5617b10a64984e3f98c0.exe
"C:\Users\Admin\AppData\Local\Temp\879ad8ed6d4f6510f73504957d8316591c615ff418fb5617b10a64984e3f98c0.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2452
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1528
- C:\UserDotNJ\xoptisys.exe
  C:\UserDotNJ\xoptisys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\UserDotNJ\xoptisys.exe

Filesize
2.6MB

MD5
0d66622c4dff66ea6bc9bab6aa240f02

SHA1
61cb480711778390935f66c3db1cfa8c83db683b

SHA256
913f88201eb627dfc0a751028f1d6d834bf64af40f1e28fc255f9cdafbf8952b

SHA512
c75f6629342cd13a9225ce899dc1d2b37dbf7c2be7b254e4ad12995950c0cb2dcc82e175b18bd2e87dd0ac3271326a61bb2ca70e5bf51bf1113b4a3a64d0d72c

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
170B

MD5
e6cf24f3f3d4def94cfc9eee4af5c735

SHA1
8b4949db2d06c04167041c84615d65de6dfa762b

SHA256
b3b4981c15bffe9b74dbf8af136063b5af3761660da8ed6ba572ea5a9b14c495

SHA512
63c2ada0dab0d4a9033074027f51a01039bbd2626def55785a8097adcc759616be3675f6c722188cbff2718cd35bf064fb758798f7266ceeefa43d27e51fe267

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
d2207e7289b7c6723e16228234bebf22

SHA1
6b7c700a6ebc7c286b6bc0228f94cf73dcccabd8

SHA256
76dc1f4d9f82fdfcea841fc8ba86b90edae6bc78171c44f0f21752af8846c962

SHA512
37cdfc2957f3248c88e95cbab3cadd438a214813d34d48e8fa359993f93f71c74224fe717701636e101e6ca7e648c8bd67d1287dacd45064c14a7d31862557fa

Download Submit
C:\VidR6\boddevec.exe

Filesize
2.6MB

MD5
050cc5afe7813ab04dbc7a0f2e44adce

SHA1
125591b980376ec0f43f98c7d47b25a6d6cccd37

SHA256
1db0a0560df17c7ca0823d506c2408b2ab0fbd6cfb6e19db152f2901c712a5dd

SHA512
5ef94a0c30dc009e258ffe1b3edef2942ddc8d3ad35afd6c22443b8c281126ed5c437cbe1258a17c7b0392dec3f406518ac245490311c578429501067acb7d53

Download Submit
C:\VidR6\boddevec.exe

Filesize
2.6MB

MD5
0f386f6f5b7b6161e0b812982d08cc88

SHA1
2a24b4201cec3384d2e37d8bf30647ebc2c84fe6

SHA256
94a5a8d7c65697b08e2d719977f6d44810e3aa053c66e789728fc7da7cdabeea

SHA512
686a9be82d15cf3f0f373eda2940d0dd71fe7b6585aa5370da0efed674e424e2d2124400e444159bc46fcfd830dc439d067061768a498d789fedc3e516dbaad5

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe

Filesize
2.6MB

MD5
1fa3ddef1f491d4027db22d446aa240c

SHA1
28cc8925e8634ce18980db615d1cf2908639a3dc

SHA256
4b30c22274961f1cb1373d1da8b4b2adabbbca2e084bd5d2d4f172816f8570b3

SHA512
8f270a19c4361b449d38485cad91fc1534f5b4bb5b780ce88f7d865be63118b1d62612a6686ada3279f089d9cc030454c546071ad2c39ad0a2e698fee20f903d

Download Submit