5a5278a67eac531f9b6c27e2410bf8c008ac9f5204672ec24862312b2d7a5dda

Analysis

max time kernel
119s
max time network
20s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
21/08/2024, 06:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b39e98716029fad9961399c48c93dc20N.exe
Size

2.6MB
MD5

b39e98716029fad9961399c48c93dc20
SHA1

7863d214700f1dd6b8cb1b44fc2171a7e4f22771
SHA256

5a5278a67eac531f9b6c27e2410bf8c008ac9f5204672ec24862312b2d7a5dda
SHA512

e15b771de1629f9d532d2c33678f28af2c87e6aa66f7ce8156dab3d882114ae87eb229f4a962e0314cabea67798a42999c26fc1962b63d67d3d31e0c16198435
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB/B/bS:sxX7QnxrloE5dpUpcb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe	b39e98716029fad9961399c48c93dc20N.exe

Executes dropped EXE 2 IoCs

pid	Process
2780	ecxopti.exe
2684	devdobec.exe

Loads dropped DLL 2 IoCs

pid	Process
2252	b39e98716029fad9961399c48c93dc20N.exe
2252	b39e98716029fad9961399c48c93dc20N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot4H\\devdobec.exe"	b39e98716029fad9961399c48c93dc20N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax60\\optixsys.exe"	b39e98716029fad9961399c48c93dc20N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b39e98716029fad9961399c48c93dc20N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecxopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devdobec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2252	b39e98716029fad9961399c48c93dc20N.exe
2252	b39e98716029fad9961399c48c93dc20N.exe
2780	ecxopti.exe
2684	devdobec.exe
2780	ecxopti.exe
2684	devdobec.exe
2780	ecxopti.exe
2684	devdobec.exe
2780	ecxopti.exe
2684	devdobec.exe
2780	ecxopti.exe
2684	devdobec.exe
2780	ecxopti.exe
2684	devdobec.exe
2780	ecxopti.exe
2684	devdobec.exe
2780	ecxopti.exe
2684	devdobec.exe
2780	ecxopti.exe
2684	devdobec.exe
2780	ecxopti.exe
2684	devdobec.exe
2780	ecxopti.exe
2684	devdobec.exe
2780	ecxopti.exe
2684	devdobec.exe
2780	ecxopti.exe
2684	devdobec.exe
2780	ecxopti.exe
2684	devdobec.exe
2780	ecxopti.exe
2684	devdobec.exe
2780	ecxopti.exe
2684	devdobec.exe
2780	ecxopti.exe
2684	devdobec.exe
2780	ecxopti.exe
2684	devdobec.exe
2780	ecxopti.exe
2684	devdobec.exe
2780	ecxopti.exe
2684	devdobec.exe
2780	ecxopti.exe
2684	devdobec.exe
2780	ecxopti.exe
2684	devdobec.exe
2780	ecxopti.exe
2684	devdobec.exe
2780	ecxopti.exe
2684	devdobec.exe
2780	ecxopti.exe
2684	devdobec.exe
2780	ecxopti.exe
2684	devdobec.exe
2780	ecxopti.exe
2684	devdobec.exe
2780	ecxopti.exe
2684	devdobec.exe
2780	ecxopti.exe
2684	devdobec.exe
2780	ecxopti.exe
2684	devdobec.exe
2780	ecxopti.exe
2684	devdobec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 2780	2252	b39e98716029fad9961399c48c93dc20N.exe	30
PID 2252 wrote to memory of 2780	2252	b39e98716029fad9961399c48c93dc20N.exe	30
PID 2252 wrote to memory of 2780	2252	b39e98716029fad9961399c48c93dc20N.exe	30
PID 2252 wrote to memory of 2780	2252	b39e98716029fad9961399c48c93dc20N.exe	30
PID 2252 wrote to memory of 2684	2252	b39e98716029fad9961399c48c93dc20N.exe	31
PID 2252 wrote to memory of 2684	2252	b39e98716029fad9961399c48c93dc20N.exe	31
PID 2252 wrote to memory of 2684	2252	b39e98716029fad9961399c48c93dc20N.exe	31
PID 2252 wrote to memory of 2684	2252	b39e98716029fad9961399c48c93dc20N.exe	31

C:\Users\Admin\AppData\Local\Temp\b39e98716029fad9961399c48c93dc20N.exe
"C:\Users\Admin\AppData\Local\Temp\b39e98716029fad9961399c48c93dc20N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2780
- C:\UserDot4H\devdobec.exe
  C:\UserDot4H\devdobec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Galax60\optixsys.exe

Filesize
2.6MB

MD5
415da4969c078e715a2f88104d139009

SHA1
622d67eef4d975a0f69b1f61f41555816cfdd4e5

SHA256
b0c29d075cfc6f02fe4ac023f01164f9b39cc17d3d0d6904d952800ef5e9f955

SHA512
b00314a6a3e3e1d2581fe302dc60874e0ee73dabe9c526a33a097754963661b2f935fd90f0e23578a37d9ac1b1804caa785c4888082ac16a11549f49bbf43ef7

Download Submit
C:\Galax60\optixsys.exe

Filesize
12KB

MD5
5ce46de9d1c8ab23eeb8a98bb0b2232e

SHA1
eb2b026ffaf5a7802065fa5971c5c4495fa6763a

SHA256
0f99b7bc2b192971b8bed8dbf4f50389b59e62d5cae4d0fbbb58657c2730a6b0

SHA512
173969eb6ea4e493f9c0d1c1df5c1080fb72fc38f0fc13e5eaffdd7eeae658b9464603a66d0a918d3f86bca65b97dccfd201cd7d66c1758e452476026a290712

Download Submit
C:\UserDot4H\devdobec.exe

Filesize
2.6MB

MD5
5e4ea8ad62671a441012f17ad7364084

SHA1
337c583f1b33cb2f4abbb5563b3b77b4cd777b4a

SHA256
3e16e12db56d7c534e023f09308748765067a7a7e9cd0e120dcf43bf04680b24

SHA512
47607f9991cabc67cd197cfc92154b08bc7f53a60575e6caa6650e500b645bbd716858ed820c040fe77771e369bade8c9341f3acb179a76e01ad48ccc57ceb52

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
173B

MD5
520773fc57364512e25f4f1837dd51c1

SHA1
0bad45f3f6ece11b74343a30fdd6653b3c70f741

SHA256
4722bb7d0073b78a02a85f476117e3eff3ae0d20359196d47ac045b4a22a6063

SHA512
e87f68c8895a38015eccfaa84a692afe8dab2663a9ce1f27e5ce9b71a125917ee3fe9a4605481e23ab32de079cd45f11007715c3e8a2e41f2423b6c9e1230cee

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
205B

MD5
e0015b7eabc7db1e592f9e1297c1382a

SHA1
0e5eb3af703b1a38609156f4726bf5f41ab0c958

SHA256
7848eda5c748d6f752b9447e995820d36f94f680e1efed02b5067ba25b8984a1

SHA512
c6aa4cc8f48768c1edac57041dfbfb6a079a46f11a1eb911edddeee3d8208c4a97376da48f2cc172c3c2d6afd46486888990b29dbe2038cf497da957dce00d3f

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe

Filesize
2.6MB

MD5
102ba695a133f5d0129c669a68c7657a

SHA1
feede22501cd618835bfa40e5887b502044cc6ba

SHA256
1dbbf02cf2c410469b6cd81ee8311a46840daf47a27edcc13d9d2d351845894f

SHA512
22f3ec7661ec1a960403a3a7e5faf639942a281041557c28bd7383dd60d08d0df3b301eaab0ef9ba85f13af2df0b36222aab39183898c7e96e685a7760446119

Download Submit