70ffdce5ed303ede96564a5ab3c1d2038ff79e3242efe1ad145c26ed1ef3b096

Analysis

max time kernel
119s
max time network
18s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
20-08-2024 02:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f4857ad29af6143966e55f3b8d6f3f80N.exe
Size

3.0MB
MD5

f4857ad29af6143966e55f3b8d6f3f80
SHA1

35fad28877f91a081ceb25885c1ed7165eb832ef
SHA256

70ffdce5ed303ede96564a5ab3c1d2038ff79e3242efe1ad145c26ed1ef3b096
SHA512

7139b3eea6c79ba9cb1ef4e80421ddb1739b7b18411cb6dffe9bdac36cb500c0fe26b74668a86e6a23739c99feeb0affd6e7d73ed7aaa9e0a6bbd4505f554f5c
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBLB/bSqz8:sxX7QnxrloE5dpUpcbVz8

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe	f4857ad29af6143966e55f3b8d6f3f80N.exe

Executes dropped EXE 2 IoCs

pid	Process
2884	ecxdob.exe
2360	devoptisys.exe

Loads dropped DLL 2 IoCs

pid	Process
1924	f4857ad29af6143966e55f3b8d6f3f80N.exe
1924	f4857ad29af6143966e55f3b8d6f3f80N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocA8\\devoptisys.exe"	f4857ad29af6143966e55f3b8d6f3f80N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidFV\\bodxec.exe"	f4857ad29af6143966e55f3b8d6f3f80N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f4857ad29af6143966e55f3b8d6f3f80N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecxdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devoptisys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1924	f4857ad29af6143966e55f3b8d6f3f80N.exe
1924	f4857ad29af6143966e55f3b8d6f3f80N.exe
2884	ecxdob.exe
2884	ecxdob.exe
2360	devoptisys.exe
2884	ecxdob.exe
2360	devoptisys.exe
2884	ecxdob.exe
2360	devoptisys.exe
2884	ecxdob.exe
2360	devoptisys.exe
2884	ecxdob.exe
2360	devoptisys.exe
2884	ecxdob.exe
2360	devoptisys.exe
2884	ecxdob.exe
2360	devoptisys.exe
2884	ecxdob.exe
2360	devoptisys.exe
2884	ecxdob.exe
2360	devoptisys.exe
2884	ecxdob.exe
2360	devoptisys.exe
2884	ecxdob.exe
2360	devoptisys.exe
2884	ecxdob.exe
2360	devoptisys.exe
2884	ecxdob.exe
2360	devoptisys.exe
2884	ecxdob.exe
2360	devoptisys.exe
2884	ecxdob.exe
2360	devoptisys.exe
2884	ecxdob.exe
2360	devoptisys.exe
2884	ecxdob.exe
2360	devoptisys.exe
2884	ecxdob.exe
2360	devoptisys.exe
2884	ecxdob.exe
2360	devoptisys.exe
2884	ecxdob.exe
2360	devoptisys.exe
2884	ecxdob.exe
2360	devoptisys.exe
2884	ecxdob.exe
2360	devoptisys.exe
2884	ecxdob.exe
2360	devoptisys.exe
2884	ecxdob.exe
2360	devoptisys.exe
2884	ecxdob.exe
2360	devoptisys.exe
2884	ecxdob.exe
2360	devoptisys.exe
2884	ecxdob.exe
2360	devoptisys.exe
2884	ecxdob.exe
2360	devoptisys.exe
2884	ecxdob.exe
2360	devoptisys.exe
2884	ecxdob.exe
2360	devoptisys.exe
2884	ecxdob.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1924 wrote to memory of 2884	1924	f4857ad29af6143966e55f3b8d6f3f80N.exe	30
PID 1924 wrote to memory of 2884	1924	f4857ad29af6143966e55f3b8d6f3f80N.exe	30
PID 1924 wrote to memory of 2884	1924	f4857ad29af6143966e55f3b8d6f3f80N.exe	30
PID 1924 wrote to memory of 2884	1924	f4857ad29af6143966e55f3b8d6f3f80N.exe	30
PID 1924 wrote to memory of 2360	1924	f4857ad29af6143966e55f3b8d6f3f80N.exe	31
PID 1924 wrote to memory of 2360	1924	f4857ad29af6143966e55f3b8d6f3f80N.exe	31
PID 1924 wrote to memory of 2360	1924	f4857ad29af6143966e55f3b8d6f3f80N.exe	31
PID 1924 wrote to memory of 2360	1924	f4857ad29af6143966e55f3b8d6f3f80N.exe	31

C:\Users\Admin\AppData\Local\Temp\f4857ad29af6143966e55f3b8d6f3f80N.exe
"C:\Users\Admin\AppData\Local\Temp\f4857ad29af6143966e55f3b8d6f3f80N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2884
- C:\IntelprocA8\devoptisys.exe
  C:\IntelprocA8\devoptisys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocA8\devoptisys.exe

Filesize
3.0MB

MD5
689feb1ec1a8f05d3a7d29c51dfcd9ba

SHA1
efac5b12dde4da52255f6719af09c034785eb906

SHA256
3cf61dc92fa3529732df2aeee0de3b343ba5d6a5c35aa8bd3c2ca58f8a144f05

SHA512
03186a7b1901374d0de8a20f0dc7919b3dbd9ed936f5f838b945fb1a6289b6209db961f6e6c376d62001d96d573d3ced6788be025452259a2419688797260761

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
172B

MD5
f8c64891a780c35ac408caeda8a836bd

SHA1
15acf9a97d0c57ddfaf4c6409beb6baedceed246

SHA256
2e5f6ad2164f9c3c3ecc0382e40f3e62d88368e1da5d2274750516ec13e05d54

SHA512
a37395c43fcc58c5eb23c974db09a58c9c56839fc7e13824a7809b4eb634f68bf3badd9c7c48e8909cf856b380cf20ea39d280d55c1732b77a0084523e26dbbf

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
0b2226455d29eda344b520ea268dee77

SHA1
ce260c9825d2dc8dfccd33776afaf9ebb25c4897

SHA256
d0ebd93e6161e4f199f27a37a16ae8304d42367a9a253fbb1d38f674329a0555

SHA512
68dfc204edbcba7cfe287075d03e19a0959bda92a879edc95b18de8e9be841d13f7807bb5ff5959fc70f5d7129bec280082cca51fe524e4ab93b75a237e30c08

Download Submit
C:\VidFV\bodxec.exe

Filesize
3.0MB

MD5
c9e219ad3760c9d6c065ce9f189e160a

SHA1
c3ef003cb796fefb5b65aba27f63c92f388e80a5

SHA256
dd7d8e58a85e79b3780d8b5a12f9e571d68a520aece1d9ed9b8705d643bc5190

SHA512
5dba7a406dc3d553a00f7698cee9aaba01dac6597d75081a56aa4e8055093a623a286000c6977ef37d0541621792e585e474f5a4c3cbc622d5738f7083c425c3

Download Submit
C:\VidFV\bodxec.exe

Filesize
3.0MB

MD5
30ce4da8a9379482da25eb10888e0e54

SHA1
0df25b4ef4d31ed8e1370f753c714d1322af7f00

SHA256
d0e546ea5e2fa9309e84b39f28ed26402a24c1e2d05f2c9c0b3578ebd7631f9f

SHA512
31afac03835338464977f9e93b4a04525643514463e36d3cc5695a1609d0c6d81ee763576977844e075589d0a49eee901e7a8231f8e80a5f64a283764a8e6419

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe

Filesize
3.0MB

MD5
757d3e0dd777116f528e4b9a6838dd2a

SHA1
fbc269af57ff17c414e46b14e8ccef5299718642

SHA256
9ad6d7b0b93d0937d9ddd3066b079b610bbef2a7c8f641ce539cd883653a60ee

SHA512
219516cf98af59c7539ceed0936b1ac6333a6543f70fdff8b5696c9e1f7aa00f84bd5e1c68b020dab584f5ce2d8e222e23c0771a4e08176e60083586b5e4af89

Download Submit