605462499aec72f58acb9fa44400e0a527983a3841583d896dec263f94b9fef1

Analysis

max time kernel
119s
max time network
118s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
20-08-2024 19:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cfbcc0a5058bbe4b43d97f2affeef770N.exe
Size

2.8MB
MD5

cfbcc0a5058bbe4b43d97f2affeef770
SHA1

5c3ea2f2cab84ad6abc4b531ff682213e8630774
SHA256

605462499aec72f58acb9fa44400e0a527983a3841583d896dec263f94b9fef1
SHA512

d3cd2c64bb83ab0deec74dc2023f189b42a19601f2b2e898547b2066dfebea979028516d46bf6e888b7f624e389f051fdb6d6abbbe3c9c13ba640323034eec8c
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBWB/bSqz8:sxX7QnxrloE5dpUpJbVz8

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe	cfbcc0a5058bbe4b43d97f2affeef770N.exe

Executes dropped EXE 2 IoCs

pid	Process
2928	ecxopti.exe
2356	abodloc.exe

Loads dropped DLL 2 IoCs

pid	Process
2692	cfbcc0a5058bbe4b43d97f2affeef770N.exe
2692	cfbcc0a5058bbe4b43d97f2affeef770N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesV6\\abodloc.exe"	cfbcc0a5058bbe4b43d97f2affeef770N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZFJ\\optixec.exe"	cfbcc0a5058bbe4b43d97f2affeef770N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cfbcc0a5058bbe4b43d97f2affeef770N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecxopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abodloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2692	cfbcc0a5058bbe4b43d97f2affeef770N.exe
2692	cfbcc0a5058bbe4b43d97f2affeef770N.exe
2928	ecxopti.exe
2356	abodloc.exe
2928	ecxopti.exe
2356	abodloc.exe
2928	ecxopti.exe
2356	abodloc.exe
2928	ecxopti.exe
2356	abodloc.exe
2928	ecxopti.exe
2356	abodloc.exe
2928	ecxopti.exe
2356	abodloc.exe
2928	ecxopti.exe
2356	abodloc.exe
2928	ecxopti.exe
2356	abodloc.exe
2928	ecxopti.exe
2356	abodloc.exe
2928	ecxopti.exe
2356	abodloc.exe
2928	ecxopti.exe
2356	abodloc.exe
2928	ecxopti.exe
2356	abodloc.exe
2928	ecxopti.exe
2356	abodloc.exe
2928	ecxopti.exe
2356	abodloc.exe
2928	ecxopti.exe
2356	abodloc.exe
2928	ecxopti.exe
2356	abodloc.exe
2928	ecxopti.exe
2356	abodloc.exe
2928	ecxopti.exe
2356	abodloc.exe
2928	ecxopti.exe
2356	abodloc.exe
2928	ecxopti.exe
2356	abodloc.exe
2928	ecxopti.exe
2356	abodloc.exe
2928	ecxopti.exe
2356	abodloc.exe
2928	ecxopti.exe
2356	abodloc.exe
2928	ecxopti.exe
2356	abodloc.exe
2928	ecxopti.exe
2356	abodloc.exe
2928	ecxopti.exe
2356	abodloc.exe
2928	ecxopti.exe
2356	abodloc.exe
2928	ecxopti.exe
2356	abodloc.exe
2928	ecxopti.exe
2356	abodloc.exe
2928	ecxopti.exe
2356	abodloc.exe
2928	ecxopti.exe
2356	abodloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2692 wrote to memory of 2928	2692	cfbcc0a5058bbe4b43d97f2affeef770N.exe	30
PID 2692 wrote to memory of 2928	2692	cfbcc0a5058bbe4b43d97f2affeef770N.exe	30
PID 2692 wrote to memory of 2928	2692	cfbcc0a5058bbe4b43d97f2affeef770N.exe	30
PID 2692 wrote to memory of 2928	2692	cfbcc0a5058bbe4b43d97f2affeef770N.exe	30
PID 2692 wrote to memory of 2356	2692	cfbcc0a5058bbe4b43d97f2affeef770N.exe	31
PID 2692 wrote to memory of 2356	2692	cfbcc0a5058bbe4b43d97f2affeef770N.exe	31
PID 2692 wrote to memory of 2356	2692	cfbcc0a5058bbe4b43d97f2affeef770N.exe	31
PID 2692 wrote to memory of 2356	2692	cfbcc0a5058bbe4b43d97f2affeef770N.exe	31

C:\Users\Admin\AppData\Local\Temp\cfbcc0a5058bbe4b43d97f2affeef770N.exe
"C:\Users\Admin\AppData\Local\Temp\cfbcc0a5058bbe4b43d97f2affeef770N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2928
- C:\FilesV6\abodloc.exe
  C:\FilesV6\abodloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesV6\abodloc.exe

Filesize
2.8MB

MD5
8233ca6242b23aa7356b27ad39f08604

SHA1
adb18416dd92e7b357ffdbf944aff8e7d3942add

SHA256
9f448d376833ec0c709694556cac34864690b3c81f2957d374301dfdad83aafd

SHA512
537226b5efe40f54092dd541134fed55115f54f919c1c23eb5ea37d2c2416fe8cfc492c27fdaf453eae3875baad9d9f0f28a1c7f62d9e1d1fa690e682f6418b8

Download Submit
C:\LabZFJ\optixec.exe

Filesize
2.8MB

MD5
c257a3597a4dba896e7d44f60d6ef725

SHA1
21f548e97e1c2e26dd4621cfe4b97691bc456b21

SHA256
849735a6362e4d3c4072296776ea55610bae31acb3c1a449ea48e3f661f26fd4

SHA512
028a0284f057de0d9df356944a42c6d3a5b0d21b0e2f62f36809a3d5b780a5dffba2d63d6ba101620417c4abb36123f905e04344598d518a30a82c55c933106d

Download Submit
C:\LabZFJ\optixec.exe

Filesize
2.8MB

MD5
090aaec18f51ffe0bda929d1fbf226a0

SHA1
73dc96bbd943b4f63348881224893e8766669693

SHA256
8b9c79ab32c181393e73de5101c6732cdcadea5a3f7c072f459ff65551e053aa

SHA512
ea80ef799f7b338666d702fb3e8242e5fa118a67ce11f383ee77b92d3191d6398bd34e24974eda090dca9019fd87dd6083469d79413898ba647e2572f1ca6dd3

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
168B

MD5
0f8b5e78e4cb1dbca17b0f5aabe3301b

SHA1
bdcd91496e82553903377084ff9edb2aaf2cc92e

SHA256
aa58752b54038ef38f440ee52cd420a4a3d68ec34652ab902925586a29c4ee46

SHA512
8b64a2690f23826e3d1c7b22b9b216b83dbb406b4dd53948f9cc87fd6f4e4f71f599706298471855185a6607d34b56ad45fb0a2f0dd187f0d6fc2386463ba451

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
200B

MD5
d8bf0fb4f71d976aa987fbfadcd7bf8b

SHA1
53806108b883a72a612f0ea3bc4fb45c28d22e38

SHA256
b8cddcc67ba7d7840c04678fc6286c8ca90422b9091a7f0d147beb5d38ffadfe

SHA512
7b57d9875137d1e2f207cd585e6fca1841b5669c16540dfc76a6ad4d5ebf10ade4c87538294fd21a0931187acd6c07e8173e2473cb30f0e5967aa60a2d26c7f8

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe

Filesize
2.8MB

MD5
fd383ed0f2d8ad42f2a7a302116c54ad

SHA1
889928e95454b32b91a0c68cb41cf164579581fd

SHA256
0e84a3652d1c9bb3d26004fc83541b272c9d4a8226bc10726b9459cfc4ea99fc

SHA512
4e76073a37e5ee8a5f19367e4cf7b35235d1426996e23606b4bbf93b1756470fad2184c1aa6ffb4514c2b5f3606ebf6fab0f4bd94bf733f97dcbb58121b0afbe

Download Submit