065d059a9d136fb38f7cf6a8b982a11d728695e45de7faf3efb77ab310d65e4f

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24/08/2024, 18:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

065d059a9d136fb38f7cf6a8b982a11d728695e45de7faf3efb77ab310d65e4f.exe
Size

2.6MB
MD5

5189e70ccd4488c43d449354083fc5f9
SHA1

3bb31f8548ae7e53eefc22653fadfc9cc9d6c679
SHA256

065d059a9d136fb38f7cf6a8b982a11d728695e45de7faf3efb77ab310d65e4f
SHA512

020fea7991708ae2967dbf2268174b3ed8b35c58906a21416302c7b7788c6db40f7756dca50715792e52ee8ef9335849d4800a37c851042ab1ce6e10d857bae8
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBEB/bS:sxX7QnxrloE5dpUp/b

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe	065d059a9d136fb38f7cf6a8b982a11d728695e45de7faf3efb77ab310d65e4f.exe

Executes dropped EXE 2 IoCs

pid	Process
1128	ecdevdob.exe
4180	xbodec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeC2\\xbodec.exe"	065d059a9d136fb38f7cf6a8b982a11d728695e45de7faf3efb77ab310d65e4f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintNK\\optiaec.exe"	065d059a9d136fb38f7cf6a8b982a11d728695e45de7faf3efb77ab310d65e4f.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	065d059a9d136fb38f7cf6a8b982a11d728695e45de7faf3efb77ab310d65e4f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecdevdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xbodec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3348	065d059a9d136fb38f7cf6a8b982a11d728695e45de7faf3efb77ab310d65e4f.exe
3348	065d059a9d136fb38f7cf6a8b982a11d728695e45de7faf3efb77ab310d65e4f.exe
3348	065d059a9d136fb38f7cf6a8b982a11d728695e45de7faf3efb77ab310d65e4f.exe
3348	065d059a9d136fb38f7cf6a8b982a11d728695e45de7faf3efb77ab310d65e4f.exe
1128	ecdevdob.exe
1128	ecdevdob.exe
4180	xbodec.exe
4180	xbodec.exe
1128	ecdevdob.exe
1128	ecdevdob.exe
4180	xbodec.exe
4180	xbodec.exe
1128	ecdevdob.exe
1128	ecdevdob.exe
4180	xbodec.exe
4180	xbodec.exe
1128	ecdevdob.exe
1128	ecdevdob.exe
4180	xbodec.exe
4180	xbodec.exe
1128	ecdevdob.exe
1128	ecdevdob.exe
4180	xbodec.exe
4180	xbodec.exe
1128	ecdevdob.exe
1128	ecdevdob.exe
4180	xbodec.exe
4180	xbodec.exe
1128	ecdevdob.exe
1128	ecdevdob.exe
4180	xbodec.exe
4180	xbodec.exe
1128	ecdevdob.exe
1128	ecdevdob.exe
4180	xbodec.exe
4180	xbodec.exe
1128	ecdevdob.exe
1128	ecdevdob.exe
4180	xbodec.exe
4180	xbodec.exe
1128	ecdevdob.exe
1128	ecdevdob.exe
4180	xbodec.exe
4180	xbodec.exe
1128	ecdevdob.exe
1128	ecdevdob.exe
4180	xbodec.exe
4180	xbodec.exe
1128	ecdevdob.exe
1128	ecdevdob.exe
4180	xbodec.exe
4180	xbodec.exe
1128	ecdevdob.exe
1128	ecdevdob.exe
4180	xbodec.exe
4180	xbodec.exe
1128	ecdevdob.exe
1128	ecdevdob.exe
4180	xbodec.exe
4180	xbodec.exe
1128	ecdevdob.exe
1128	ecdevdob.exe
4180	xbodec.exe
4180	xbodec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3348 wrote to memory of 1128	3348	065d059a9d136fb38f7cf6a8b982a11d728695e45de7faf3efb77ab310d65e4f.exe	88
PID 3348 wrote to memory of 1128	3348	065d059a9d136fb38f7cf6a8b982a11d728695e45de7faf3efb77ab310d65e4f.exe	88
PID 3348 wrote to memory of 1128	3348	065d059a9d136fb38f7cf6a8b982a11d728695e45de7faf3efb77ab310d65e4f.exe	88
PID 3348 wrote to memory of 4180	3348	065d059a9d136fb38f7cf6a8b982a11d728695e45de7faf3efb77ab310d65e4f.exe	89
PID 3348 wrote to memory of 4180	3348	065d059a9d136fb38f7cf6a8b982a11d728695e45de7faf3efb77ab310d65e4f.exe	89
PID 3348 wrote to memory of 4180	3348	065d059a9d136fb38f7cf6a8b982a11d728695e45de7faf3efb77ab310d65e4f.exe	89

C:\Users\Admin\AppData\Local\Temp\065d059a9d136fb38f7cf6a8b982a11d728695e45de7faf3efb77ab310d65e4f.exe
"C:\Users\Admin\AppData\Local\Temp\065d059a9d136fb38f7cf6a8b982a11d728695e45de7faf3efb77ab310d65e4f.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3348
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1128
- C:\AdobeC2\xbodec.exe
  C:\AdobeC2\xbodec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeC2\xbodec.exe

Filesize
160KB

MD5
726955c1a69f16ff4499befc01a68488

SHA1
9ceffa1fc28c8054de0e62e6fbd85eec608921e7

SHA256
b2b22e3bde5c7864de709919b5abcf6a1f2d46b2920e614a643eeb286f9d991f

SHA512
ddea6afcdad889fc3545b027b417b09c01da954ffacaaa72691fb09570fd9c6f7d8019711c6e0af12ba9a57df659f97f7fdac9647a88f09375a5ecb44818ca5f

Download Submit
C:\AdobeC2\xbodec.exe

Filesize
2.6MB

MD5
a960f6045250fbc521d74faad0b5d029

SHA1
bbb2249235b33eeedcd80d36db64b9d9e08fec81

SHA256
8c3500411cbedd8335c9fd408a592f0f2b597a5e05332e8e12531ba15c41485a

SHA512
eb37aa1b20e02435702a8b7f6a74740c7878296954d71ec02651a2fc0a0950e7adccb1813132a2f418df4d8a66a0a8f44481e423a9ab2ad65afb01d7d403e762

Download Submit
C:\MintNK\optiaec.exe

Filesize
2.6MB

MD5
483460362f736367448b09869f5b0fdf

SHA1
b3e69a36a30e4882a54e8cb56ad408191db234f0

SHA256
46500b011b1f069cd00c4863b0198bd109123e97c3e5f118eba79bf5c68b841b

SHA512
7901b2f84e56e17f7f7f25c2b31a15420f07bdd259de8a3f03c4e596316bfc97ae361ebcefc8077476167d44b3d8c788dcf227f31c0d8809ff9849fe49ae8508

Download Submit
C:\MintNK\optiaec.exe

Filesize
2.6MB

MD5
a684a9abb528a16aa49aaf46ec1dab55

SHA1
2324e0e6ab2c23a32f53f3e1e862cdcafb44f4be

SHA256
37e9ea9bfea1533a915f32ad59820fda98206d94d175697040a046170b9bffc4

SHA512
d801a72318edae363d38756154a982aebfdf1b4300687022d0a8ec3a30bc2c791dd2f0c5730f3aa4bac945ba27f7ca3c19f5dd55ee91b96c563f17786b42fe2f

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
200B

MD5
723f6dc5eeec2334d090bb97adf4ff0f

SHA1
5915f65d2c6c1b3a0bcd0c8d0cee4d38b1fff772

SHA256
52470093692decc26f63113d36205f2a6a268d035151153bb12fec8b8e4de787

SHA512
15bbb61b9a3af5a65df5850d3fd62baec9eca30e51dfc7fabe9f265a4aad72e16ff3e4f580c66110474388a595bad7c48104e1c25ce9cba5fb4ded271081569a

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
168B

MD5
2c281ae08d79a85bfd9822aab8802453

SHA1
cc9b5052c70260e8489025598ba1cd4d9783e21f

SHA256
23d1030fe8da8f1cb490588ea5c97447fb0ea845d25758b1e1b5e64ef1c29bb7

SHA512
4ed599c0e74c3dee7185792f62692ee0a599c2c1be6f37094554942f155cd3b22ad5cbf8a058a8d7bc05aa9ce6519052a3672cee339af98d41bf03b0103ebd17

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe

Filesize
2.6MB

MD5
b279a61715817fdd4ed41a66de2d4fae

SHA1
0a7692e18f5c2f05f3168888ab44cb4d257c7a1e

SHA256
e86efd40562f2425e88e38321b13c120534ee9a47cc709ff139852eda5bfab88

SHA512
3d7aa42c66ee896c6401b0cda8dac5aa46e22bdb29c50cb49bc16dd8433fe847e0051c0153a2337973f33ca53347d90b7e84036b082d2455de1ebd9a14a4f3f8

Download Submit