e5919bbb92b9cc4a8bd1de4c08f59e5a79cadee94cce8f16bac9749ef46e5600

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
26/08/2024, 00:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6bc5e41e750fedb8d224656c11763930N.exe
Size

2.6MB
MD5

6bc5e41e750fedb8d224656c11763930
SHA1

d78c8e56a7b6dc2febd2e35666890f39194d8921
SHA256

e5919bbb92b9cc4a8bd1de4c08f59e5a79cadee94cce8f16bac9749ef46e5600
SHA512

60928e9e7303d2a27ff76af0927fd6f70c11ba13877f79d6edbd558ae4a9156fc81fa0ce1ee3866e78a3e0bd4b6765645a64fee83c39a3c9da2ed5f6df1ab8e3
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBfB/bS:sxX7QnxrloE5dpUpob

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe	6bc5e41e750fedb8d224656c11763930N.exe

Executes dropped EXE 2 IoCs

pid	Process
2728	ecadob.exe
2636	devbodloc.exe

Loads dropped DLL 2 IoCs

pid	Process
2876	6bc5e41e750fedb8d224656c11763930N.exe
2876	6bc5e41e750fedb8d224656c11763930N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotWH\\devbodloc.exe"	6bc5e41e750fedb8d224656c11763930N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ1T\\optixloc.exe"	6bc5e41e750fedb8d224656c11763930N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6bc5e41e750fedb8d224656c11763930N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecadob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devbodloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2876	6bc5e41e750fedb8d224656c11763930N.exe
2876	6bc5e41e750fedb8d224656c11763930N.exe
2728	ecadob.exe
2636	devbodloc.exe
2728	ecadob.exe
2636	devbodloc.exe
2728	ecadob.exe
2636	devbodloc.exe
2728	ecadob.exe
2636	devbodloc.exe
2728	ecadob.exe
2636	devbodloc.exe
2728	ecadob.exe
2636	devbodloc.exe
2728	ecadob.exe
2636	devbodloc.exe
2728	ecadob.exe
2636	devbodloc.exe
2728	ecadob.exe
2636	devbodloc.exe
2728	ecadob.exe
2636	devbodloc.exe
2728	ecadob.exe
2636	devbodloc.exe
2728	ecadob.exe
2636	devbodloc.exe
2728	ecadob.exe
2636	devbodloc.exe
2728	ecadob.exe
2636	devbodloc.exe
2728	ecadob.exe
2636	devbodloc.exe
2728	ecadob.exe
2636	devbodloc.exe
2728	ecadob.exe
2636	devbodloc.exe
2728	ecadob.exe
2636	devbodloc.exe
2728	ecadob.exe
2636	devbodloc.exe
2728	ecadob.exe
2636	devbodloc.exe
2728	ecadob.exe
2636	devbodloc.exe
2728	ecadob.exe
2636	devbodloc.exe
2728	ecadob.exe
2636	devbodloc.exe
2728	ecadob.exe
2636	devbodloc.exe
2728	ecadob.exe
2636	devbodloc.exe
2728	ecadob.exe
2636	devbodloc.exe
2728	ecadob.exe
2636	devbodloc.exe
2728	ecadob.exe
2636	devbodloc.exe
2728	ecadob.exe
2636	devbodloc.exe
2728	ecadob.exe
2636	devbodloc.exe
2728	ecadob.exe
2636	devbodloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 2728	2876	6bc5e41e750fedb8d224656c11763930N.exe	30
PID 2876 wrote to memory of 2728	2876	6bc5e41e750fedb8d224656c11763930N.exe	30
PID 2876 wrote to memory of 2728	2876	6bc5e41e750fedb8d224656c11763930N.exe	30
PID 2876 wrote to memory of 2728	2876	6bc5e41e750fedb8d224656c11763930N.exe	30
PID 2876 wrote to memory of 2636	2876	6bc5e41e750fedb8d224656c11763930N.exe	31
PID 2876 wrote to memory of 2636	2876	6bc5e41e750fedb8d224656c11763930N.exe	31
PID 2876 wrote to memory of 2636	2876	6bc5e41e750fedb8d224656c11763930N.exe	31
PID 2876 wrote to memory of 2636	2876	6bc5e41e750fedb8d224656c11763930N.exe	31

C:\Users\Admin\AppData\Local\Temp\6bc5e41e750fedb8d224656c11763930N.exe
"C:\Users\Admin\AppData\Local\Temp\6bc5e41e750fedb8d224656c11763930N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2728
- C:\UserDotWH\devbodloc.exe
  C:\UserDotWH\devbodloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZ1T\optixloc.exe

Filesize
2.6MB

MD5
fa02538f6848bae651c2e95f9b508209

SHA1
5b645717a68f8a0bf1a6c3b39fc840f1c475cbda

SHA256
f9a04c3792ddc41fd5d7df68bc1d80fbf95ace61591b628ee12010f7bcfc3fb0

SHA512
bca1cbff222bcb2fc331de52ad170b88225d09cfa4c0d7971adca453381e19c33f41315f2f652f0a9d19fe5dd4bd52d6097eb2a8fc71804c8b4d55a74abf19c7

Download Submit
C:\LabZ1T\optixloc.exe

Filesize
2.6MB

MD5
74c8857a3a7b225c8fc2900ad4a7874b

SHA1
7ad3c7ea8986d689e1260e9fa78c53ae779e17a4

SHA256
7658816e42b4195f1a1fb02323e8b617878a08b27e8a9396664fb1db8c2427c6

SHA512
8349bbeeb944152a1c37d8d0839a1d1366647419cbcd00e48b66cf58e88868aeff3b9cb8063b16f2021de6d1fd83c252efaa7319aec7c88c136b52be3538df43

Download Submit
C:\UserDotWH\devbodloc.exe

Filesize
2.6MB

MD5
da454d7264aaeda893d0f416ebbe909b

SHA1
e8a99f39b91d31fed95fe3673de373fef3365afb

SHA256
82b623f9584a1c069c0d51d40eefc805aa0608acfe29ec0c99b2401473df5d84

SHA512
53450afebc67bf7b104639b16dfcbf9498b08097dd2957bd09d961fb850b69290ca6cd9254c28fef7a9018e22185cc740b5e0d8427b53f220403828ffe2acb37

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
172B

MD5
f2b5204908166bd5fac9c3f0a4652d99

SHA1
348627afede667df3d9912c1d32a1e4d8e2e5ea9

SHA256
a8fb010ee263c2283288de2fb61ccf9f893398f14028795f5ca3b8bdc9c8f3c4

SHA512
133494d5003e6b946de1d2354c548575f2b509c1b6e7c9483cbd459cd8498e2b466997eb0d27984b1d585331818297e512359ac7c5c2476ac9e5ecd9eabe707b

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
e9d2b7ce83d7b949cc81877e69850977

SHA1
53f0a040ebaf3d5621c8ff0af5e1b1e24fed4f37

SHA256
507162cce566e1f5c2281f5e72ec4d7d7ca29d202dea149187ced497a278f586

SHA512
415e1fe6ff7679e68c3ee75351540c06c19d1ccc462b9fc65b429dae75b03d83043b881abc860c2e6c8402194bf42c24b40c7e76c605250bf4f3a2bd86b7df00

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe

Filesize
2.6MB

MD5
ccef09da51ef93d2d534e89341ba37e5

SHA1
8c88f37681d6e633faf862ab08be7458d9a0e09a

SHA256
4252cdff6f2af3ab9a94655628154d9185871f02ee5c2574c7935fcec653b990

SHA512
205e9addc7de83486159ad07eb4fe1c362e927ad340095091efef52117c2a111b98a26bd6e0da6544663855ed022493a62ae913ff890d4876249c153ba7c409b

Download Submit