5eef1c5383a77f0dca93c5c231ca0bda4d39cd6d3a2200e7ccad64d6e2478345

Analysis

max time kernel
150s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
16/08/2024, 23:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5eef1c5383a77f0dca93c5c231ca0bda4d39cd6d3a2200e7ccad64d6e2478345.exe
Size

3.1MB
MD5

2ffa18d49924b3e47adca70c2f624470
SHA1

e954bb0f912d094a976eb20861bc68f4e7dd0774
SHA256

5eef1c5383a77f0dca93c5c231ca0bda4d39cd6d3a2200e7ccad64d6e2478345
SHA512

185d27bab7f0e1a9080612941ca32e47d3de7bcddc2b0fb57aa2f771009e70ec07cf519f7572195221313c7a3284abe574016ff1656e152f141ed83be98d2f89
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB2B/bSqz8:sxX7QnxrloE5dpUpRbVz8

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe	5eef1c5383a77f0dca93c5c231ca0bda4d39cd6d3a2200e7ccad64d6e2478345.exe

Executes dropped EXE 2 IoCs

pid	Process
3280	ecadob.exe
4996	xdobloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocUA\\xdobloc.exe"	5eef1c5383a77f0dca93c5c231ca0bda4d39cd6d3a2200e7ccad64d6e2478345.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid86\\optidevsys.exe"	5eef1c5383a77f0dca93c5c231ca0bda4d39cd6d3a2200e7ccad64d6e2478345.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5eef1c5383a77f0dca93c5c231ca0bda4d39cd6d3a2200e7ccad64d6e2478345.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecadob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdobloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1060	5eef1c5383a77f0dca93c5c231ca0bda4d39cd6d3a2200e7ccad64d6e2478345.exe
1060	5eef1c5383a77f0dca93c5c231ca0bda4d39cd6d3a2200e7ccad64d6e2478345.exe
1060	5eef1c5383a77f0dca93c5c231ca0bda4d39cd6d3a2200e7ccad64d6e2478345.exe
1060	5eef1c5383a77f0dca93c5c231ca0bda4d39cd6d3a2200e7ccad64d6e2478345.exe
3280	ecadob.exe
3280	ecadob.exe
4996	xdobloc.exe
4996	xdobloc.exe
3280	ecadob.exe
3280	ecadob.exe
4996	xdobloc.exe
4996	xdobloc.exe
3280	ecadob.exe
3280	ecadob.exe
4996	xdobloc.exe
4996	xdobloc.exe
3280	ecadob.exe
3280	ecadob.exe
4996	xdobloc.exe
4996	xdobloc.exe
3280	ecadob.exe
3280	ecadob.exe
4996	xdobloc.exe
4996	xdobloc.exe
3280	ecadob.exe
3280	ecadob.exe
4996	xdobloc.exe
4996	xdobloc.exe
3280	ecadob.exe
3280	ecadob.exe
4996	xdobloc.exe
4996	xdobloc.exe
3280	ecadob.exe
3280	ecadob.exe
4996	xdobloc.exe
4996	xdobloc.exe
3280	ecadob.exe
3280	ecadob.exe
4996	xdobloc.exe
4996	xdobloc.exe
3280	ecadob.exe
3280	ecadob.exe
4996	xdobloc.exe
4996	xdobloc.exe
3280	ecadob.exe
3280	ecadob.exe
4996	xdobloc.exe
4996	xdobloc.exe
3280	ecadob.exe
3280	ecadob.exe
4996	xdobloc.exe
4996	xdobloc.exe
3280	ecadob.exe
3280	ecadob.exe
4996	xdobloc.exe
4996	xdobloc.exe
3280	ecadob.exe
3280	ecadob.exe
4996	xdobloc.exe
4996	xdobloc.exe
3280	ecadob.exe
3280	ecadob.exe
4996	xdobloc.exe
4996	xdobloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1060 wrote to memory of 3280	1060	5eef1c5383a77f0dca93c5c231ca0bda4d39cd6d3a2200e7ccad64d6e2478345.exe	88
PID 1060 wrote to memory of 3280	1060	5eef1c5383a77f0dca93c5c231ca0bda4d39cd6d3a2200e7ccad64d6e2478345.exe	88
PID 1060 wrote to memory of 3280	1060	5eef1c5383a77f0dca93c5c231ca0bda4d39cd6d3a2200e7ccad64d6e2478345.exe	88
PID 1060 wrote to memory of 4996	1060	5eef1c5383a77f0dca93c5c231ca0bda4d39cd6d3a2200e7ccad64d6e2478345.exe	89
PID 1060 wrote to memory of 4996	1060	5eef1c5383a77f0dca93c5c231ca0bda4d39cd6d3a2200e7ccad64d6e2478345.exe	89
PID 1060 wrote to memory of 4996	1060	5eef1c5383a77f0dca93c5c231ca0bda4d39cd6d3a2200e7ccad64d6e2478345.exe	89

C:\Users\Admin\AppData\Local\Temp\5eef1c5383a77f0dca93c5c231ca0bda4d39cd6d3a2200e7ccad64d6e2478345.exe
"C:\Users\Admin\AppData\Local\Temp\5eef1c5383a77f0dca93c5c231ca0bda4d39cd6d3a2200e7ccad64d6e2478345.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1060
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3280
- C:\IntelprocUA\xdobloc.exe
  C:\IntelprocUA\xdobloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocUA\xdobloc.exe

Filesize
3.1MB

MD5
217469dfb5a8d40148e87a937d0d643e

SHA1
29a3452111f4fd38eb47ca798f72168f8e1cd56e

SHA256
c3aa08d0e63cd63daaafcc96337728af38639d8e9f518344b91e61b778ad3303

SHA512
b11290063238e5967c0fbf0b5bfdba5ca7958935ea520ac2e5c44352464ef812cfa9c89588cf7915ef8f876e41c37c9091abfaa6e160866a7b06f4693d465d04

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
d9e3afa02c7ebe096784ec78111dfdc2

SHA1
4d99c52f602456bdd69abd0fef3372ef4a3cb6db

SHA256
41ebfe8270605a48da6e73ed0502ec871445d2dbffe81f067d02b0649c37292f

SHA512
5b34b4a127e28bce215a8181afdc2461704644526e01297347fff3a0cf05f1740955f4f47fe0225dd68fe61e1110aea23333fa015d79b928d49c24c1d53e778d

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
173B

MD5
c701874ccd3ef7bf651f2cbe39b6e95d

SHA1
cc22e2078256243dc059774b41ea2cc46443c3ff

SHA256
c991eb5e1e0f635fea144667144aa384a8312eadfec70bb14c08ad405a97f879

SHA512
fafd0a23547ea5e6066171167c49c1cf19e8b3488f781cad02b1958a7bd5955508d32dddb6122f14e30f47c510c715941be070bf374ce5640dc404392dafb6d9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe

Filesize
3.1MB

MD5
efa8158c8836de3269ab972d073fe0b8

SHA1
e04a0f71d5f7d77caac73831b1c8cbd5e0c5115f

SHA256
6c58ecabb6a8a958909142b657b53ddef53607637309b9e1c478b088cd9e175c

SHA512
ebc3d0dbb4807c67be56f955d79887994e4ac56a5a4cee1268b8d426088ee91ff144e6e255e46afddd814b1c4c381b13b80c0c61d34c4915c203827b5e767551

Download Submit
C:\Vid86\optidevsys.exe

Filesize
1.8MB

MD5
5f56cd14a7959bb3ef7c4ba2068597b0

SHA1
940f6e5f63b389a331d1c601710fbc8630743852

SHA256
afa755b16d2c49b41651d22a1aac301992bcb690b0c6fde777fb7ff7d5e5b580

SHA512
1c82509c99fb08cccf54fbd17787a7e3ff49b848af0d052cabeb64ea6ba3d22aaad3cac701200773fb6e2965622926b70a6ddb6e07f7bf34c2d04b6b905d1fdb

Download Submit
C:\Vid86\optidevsys.exe

Filesize
3.1MB

MD5
d31202f6a7689cf55b7b1b3736ee2237

SHA1
bcc0bba212a3b59843b6cb3a61553b5121ad2fbd

SHA256
64f92aa06b8ee02e054ee4f4a26ddfa4781730ba667c7b2954379e1119ec4b98

SHA512
47dfc26ec2df29bbcc637e320a949816609703994b5d91c405f2f6411600f1181a08eca4dcdd3f70b4712388f235c75d022dbef692564e0aa72d3587c48e9848

Download Submit