0ccc3411772b03a548c82d7c6ee14f3746b3dfee8d20ca7584a7b14c8e91f1f3

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
24-08-2024 19:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ccc3411772b03a548c82d7c6ee14f3746b3dfee8d20ca7584a7b14c8e91f1f3.exe
Size

2.6MB
MD5

a093e214c0b79f0246c4b0f463e4f030
SHA1

ea13991bd34d20fcbaabd59e620787ff8ba05771
SHA256

0ccc3411772b03a548c82d7c6ee14f3746b3dfee8d20ca7584a7b14c8e91f1f3
SHA512

a0f4fc281c8b8abe3eb82639c51c28ae3046e309446381574076f83ddd6b3013df66db3a370ffb99d39f856c0d7447bf4c9b4f27b340ec6c3e2b538590664437
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBGB/bS:sxX7QnxrloE5dpUpVb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe	0ccc3411772b03a548c82d7c6ee14f3746b3dfee8d20ca7584a7b14c8e91f1f3.exe

Executes dropped EXE 2 IoCs

pid	Process
1748	ecxbod.exe
2620	xdobsys.exe

Loads dropped DLL 2 IoCs

pid	Process
592	0ccc3411772b03a548c82d7c6ee14f3746b3dfee8d20ca7584a7b14c8e91f1f3.exe
592	0ccc3411772b03a548c82d7c6ee14f3746b3dfee8d20ca7584a7b14c8e91f1f3.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe8M\\xdobsys.exe"	0ccc3411772b03a548c82d7c6ee14f3746b3dfee8d20ca7584a7b14c8e91f1f3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxNH\\optidevec.exe"	0ccc3411772b03a548c82d7c6ee14f3746b3dfee8d20ca7584a7b14c8e91f1f3.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0ccc3411772b03a548c82d7c6ee14f3746b3dfee8d20ca7584a7b14c8e91f1f3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecxbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdobsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
592	0ccc3411772b03a548c82d7c6ee14f3746b3dfee8d20ca7584a7b14c8e91f1f3.exe
592	0ccc3411772b03a548c82d7c6ee14f3746b3dfee8d20ca7584a7b14c8e91f1f3.exe
1748	ecxbod.exe
2620	xdobsys.exe
1748	ecxbod.exe
2620	xdobsys.exe
1748	ecxbod.exe
2620	xdobsys.exe
1748	ecxbod.exe
2620	xdobsys.exe
1748	ecxbod.exe
2620	xdobsys.exe
1748	ecxbod.exe
2620	xdobsys.exe
1748	ecxbod.exe
2620	xdobsys.exe
1748	ecxbod.exe
2620	xdobsys.exe
1748	ecxbod.exe
2620	xdobsys.exe
1748	ecxbod.exe
2620	xdobsys.exe
1748	ecxbod.exe
2620	xdobsys.exe
1748	ecxbod.exe
2620	xdobsys.exe
1748	ecxbod.exe
2620	xdobsys.exe
1748	ecxbod.exe
2620	xdobsys.exe
1748	ecxbod.exe
2620	xdobsys.exe
1748	ecxbod.exe
2620	xdobsys.exe
1748	ecxbod.exe
2620	xdobsys.exe
1748	ecxbod.exe
2620	xdobsys.exe
1748	ecxbod.exe
2620	xdobsys.exe
1748	ecxbod.exe
2620	xdobsys.exe
1748	ecxbod.exe
2620	xdobsys.exe
1748	ecxbod.exe
2620	xdobsys.exe
1748	ecxbod.exe
2620	xdobsys.exe
1748	ecxbod.exe
2620	xdobsys.exe
1748	ecxbod.exe
2620	xdobsys.exe
1748	ecxbod.exe
2620	xdobsys.exe
1748	ecxbod.exe
2620	xdobsys.exe
1748	ecxbod.exe
2620	xdobsys.exe
1748	ecxbod.exe
2620	xdobsys.exe
1748	ecxbod.exe
2620	xdobsys.exe
1748	ecxbod.exe
2620	xdobsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 592 wrote to memory of 1748	592	0ccc3411772b03a548c82d7c6ee14f3746b3dfee8d20ca7584a7b14c8e91f1f3.exe	29
PID 592 wrote to memory of 1748	592	0ccc3411772b03a548c82d7c6ee14f3746b3dfee8d20ca7584a7b14c8e91f1f3.exe	29
PID 592 wrote to memory of 1748	592	0ccc3411772b03a548c82d7c6ee14f3746b3dfee8d20ca7584a7b14c8e91f1f3.exe	29
PID 592 wrote to memory of 1748	592	0ccc3411772b03a548c82d7c6ee14f3746b3dfee8d20ca7584a7b14c8e91f1f3.exe	29
PID 592 wrote to memory of 2620	592	0ccc3411772b03a548c82d7c6ee14f3746b3dfee8d20ca7584a7b14c8e91f1f3.exe	30
PID 592 wrote to memory of 2620	592	0ccc3411772b03a548c82d7c6ee14f3746b3dfee8d20ca7584a7b14c8e91f1f3.exe	30
PID 592 wrote to memory of 2620	592	0ccc3411772b03a548c82d7c6ee14f3746b3dfee8d20ca7584a7b14c8e91f1f3.exe	30
PID 592 wrote to memory of 2620	592	0ccc3411772b03a548c82d7c6ee14f3746b3dfee8d20ca7584a7b14c8e91f1f3.exe	30

C:\Users\Admin\AppData\Local\Temp\0ccc3411772b03a548c82d7c6ee14f3746b3dfee8d20ca7584a7b14c8e91f1f3.exe
"C:\Users\Admin\AppData\Local\Temp\0ccc3411772b03a548c82d7c6ee14f3746b3dfee8d20ca7584a7b14c8e91f1f3.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:592
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1748
- C:\Adobe8M\xdobsys.exe
  C:\Adobe8M\xdobsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Adobe8M\xdobsys.exe

Filesize
2.6MB

MD5
8a803615998e819a0445cf45551a860e

SHA1
e252a7e1dd571806e88b7c13eade52e447ec7b7e

SHA256
092eb70df83ea9c2852eecfa98a7e39eab568a9f39dcd9d3b0d1bc50666fb72a

SHA512
726e40ec0f4e90f254061844641d94d3c5e67a31e1672a8eea3908566647c0c444ab0918811b6fa613b4e6509e51c57e286ee98deb4c63390635ed407fc387d2

Download Submit
C:\GalaxNH\optidevec.exe

Filesize
11KB

MD5
3193f6732970f64ca3094d85171d7380

SHA1
0d2f450337cb69eafa727d6d6de40feb0750ba1d

SHA256
e09faa78045b943266c903ad6e7b69a1069ca062bfda7c5f794f8e9e7eb9ad9b

SHA512
b23afd97dc8f9fe6ddb53b3a780345bde4ea50f989055db34d69d243649f4b7cb2c2c4429e9fa318a396fe363aaa923f2c261ba475390673664ac4fda7c5b3f8

Download Submit
C:\GalaxNH\optidevec.exe

Filesize
2.6MB

MD5
0670c1322ab4a19c1cfbea64dcebb288

SHA1
c24ded276b5aa841697fad3b0a9a9bde0441f5b5

SHA256
b38fca292502c71c2684667f5422fec6f6363caca1a705e38260289764da7d8b

SHA512
c4ec8db6c69d993f8364b5e183aa69bee281caef3ab396cb3e71332a15ae65f91dabc4d3d7441302a594066a164ab60161fe9ecc7a1529d742ed302821319b75

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
170B

MD5
3fd9144c61734edeefa3bd8f02f61818

SHA1
4ba11bf6755fdb8854834d7166c90693cd4da6a0

SHA256
97faea7e7bad4decdea2fe0464ea6eb4caf7ead66ab8ea9a05d2649846c31c7e

SHA512
8aa8aa39a2a7828151b5d74bbfda19c045f17a9234ba9480eb789a7bfe465e8537f91be55cfd5ed15a4b5d4399a45ad72cc2d0a4366c82a876892b0064af0745

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
14d2f36d0d9e02417219a4b306d41b12

SHA1
a01eb034f824ef339b8676a646abdec3c749ad81

SHA256
5c482f99590faff9050aa2f44b14467105a2af10f98ab048392fb59da657abb7

SHA512
9658469298a7eace906280780290803bc698218558c12d9527e8d6c1033f645078e334ffd0d9081ef7a3b37e3e083db59558504776d17cf42f82ab24ae935c6d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe

Filesize
2.6MB

MD5
f8e948b66cbe5cc6ca32083e8706d81f

SHA1
8f7d495b5f44e04db2a2379c2eebebcfbe57c9b8

SHA256
7965e4d7f8b88fc47e29e724f2103407685abafb0b1dd1f331b11ae69e4472ac

SHA512
5e1348b407311eb87ead11413e322f2bc0822b986321534fc28d4cd884207f8c21e0d8970bcc41985e8728d251a64c4bf3326e0abdf19ff790c4ccdc5e369680

Download Submit