d85431324f54bbb738adb8b80575fbbb316c2cdfb1b90ab66b8715f667bf5416

Analysis

max time kernel
120s
max time network
119s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
01-09-2024 02:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ba9b06bd419a49520c18f9e14d1152f0N.exe
Size

2.6MB
MD5

ba9b06bd419a49520c18f9e14d1152f0
SHA1

fa32ea0e4ee0677fbc667ed918cad511e873def1
SHA256

d85431324f54bbb738adb8b80575fbbb316c2cdfb1b90ab66b8715f667bf5416
SHA512

6e5d4b6dd2d38dc256806adb8a7cea38405cd85c64ca03b020cabdc7d5a8512d9dd27f988897004605087e12bf3ff9c7e80405496d5ec8936d69e24374c5538b
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBpB/bS:sxX7QnxrloE5dpUpqb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe	ba9b06bd419a49520c18f9e14d1152f0N.exe

Executes dropped EXE 2 IoCs

pid	Process
2688	ecxopti.exe
2696	devbodsys.exe

Loads dropped DLL 2 IoCs

pid	Process
2632	ba9b06bd419a49520c18f9e14d1152f0N.exe
2632	ba9b06bd419a49520c18f9e14d1152f0N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocVV\\devbodsys.exe"	ba9b06bd419a49520c18f9e14d1152f0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid5O\\dobaec.exe"	ba9b06bd419a49520c18f9e14d1152f0N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ba9b06bd419a49520c18f9e14d1152f0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecxopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devbodsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2632	ba9b06bd419a49520c18f9e14d1152f0N.exe
2632	ba9b06bd419a49520c18f9e14d1152f0N.exe
2688	ecxopti.exe
2696	devbodsys.exe
2688	ecxopti.exe
2696	devbodsys.exe
2688	ecxopti.exe
2696	devbodsys.exe
2688	ecxopti.exe
2696	devbodsys.exe
2688	ecxopti.exe
2696	devbodsys.exe
2688	ecxopti.exe
2696	devbodsys.exe
2688	ecxopti.exe
2696	devbodsys.exe
2688	ecxopti.exe
2696	devbodsys.exe
2688	ecxopti.exe
2696	devbodsys.exe
2688	ecxopti.exe
2696	devbodsys.exe
2688	ecxopti.exe
2696	devbodsys.exe
2688	ecxopti.exe
2696	devbodsys.exe
2688	ecxopti.exe
2696	devbodsys.exe
2688	ecxopti.exe
2696	devbodsys.exe
2688	ecxopti.exe
2696	devbodsys.exe
2688	ecxopti.exe
2696	devbodsys.exe
2688	ecxopti.exe
2696	devbodsys.exe
2688	ecxopti.exe
2696	devbodsys.exe
2688	ecxopti.exe
2696	devbodsys.exe
2688	ecxopti.exe
2696	devbodsys.exe
2688	ecxopti.exe
2696	devbodsys.exe
2688	ecxopti.exe
2696	devbodsys.exe
2688	ecxopti.exe
2696	devbodsys.exe
2688	ecxopti.exe
2696	devbodsys.exe
2688	ecxopti.exe
2696	devbodsys.exe
2688	ecxopti.exe
2696	devbodsys.exe
2688	ecxopti.exe
2696	devbodsys.exe
2688	ecxopti.exe
2696	devbodsys.exe
2688	ecxopti.exe
2696	devbodsys.exe
2688	ecxopti.exe
2696	devbodsys.exe
2688	ecxopti.exe
2696	devbodsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2632 wrote to memory of 2688	2632	ba9b06bd419a49520c18f9e14d1152f0N.exe	30
PID 2632 wrote to memory of 2688	2632	ba9b06bd419a49520c18f9e14d1152f0N.exe	30
PID 2632 wrote to memory of 2688	2632	ba9b06bd419a49520c18f9e14d1152f0N.exe	30
PID 2632 wrote to memory of 2688	2632	ba9b06bd419a49520c18f9e14d1152f0N.exe	30
PID 2632 wrote to memory of 2696	2632	ba9b06bd419a49520c18f9e14d1152f0N.exe	31
PID 2632 wrote to memory of 2696	2632	ba9b06bd419a49520c18f9e14d1152f0N.exe	31
PID 2632 wrote to memory of 2696	2632	ba9b06bd419a49520c18f9e14d1152f0N.exe	31
PID 2632 wrote to memory of 2696	2632	ba9b06bd419a49520c18f9e14d1152f0N.exe	31

C:\Users\Admin\AppData\Local\Temp\ba9b06bd419a49520c18f9e14d1152f0N.exe
"C:\Users\Admin\AppData\Local\Temp\ba9b06bd419a49520c18f9e14d1152f0N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2632
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2688
- C:\IntelprocVV\devbodsys.exe
  C:\IntelprocVV\devbodsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocVV\devbodsys.exe

Filesize
2.6MB

MD5
cf30a47e951a1fb2a05a51e22c34eaf3

SHA1
fd0f4eda02dd4aa068c2642552c87549c482aa0c

SHA256
effb8addb932d638d1cdae0d51b688321244f954d469796b2bdd06d74d272284

SHA512
7477e43a9bb10090975517fcb25cb90a18c04129f9fa0112cc949420662efb2f006cfe6bb94d9e92e9f552d2b4f8194b2bb5e05a77df1ad1100bb65c64ca40a5

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
172B

MD5
660e68eadc8f79865030763484352986

SHA1
9257ab9fa536725e0a6f577e97d61beb93108942

SHA256
a2f84d4e8b3bceba250bbb31028c1cb0cc4fbd77afb0b70c4fabd2c9bc7b7a2d

SHA512
dd6e8505cdcdffd2787501dc4b73018771d71d116bdb54e699043b4c2e7176961025085be8891dae26fc48875c72cefd2e8106ca5aae700cbfcf9569b0f5a0e3

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
92aa3ac237f4a57ecf92c61253929cb8

SHA1
e1214f9fd3de302e5c7bbed5faf81defdcd9118c

SHA256
1d9b77c33ee6fcc271769051a4a419ac8bd7d61ed06f071698f9f3d7df7a64bd

SHA512
a6c7b986507ae1661b302c4aa2aa8e892263af1eb06064800d530af8bc089ea04ea445d5c17fbd1cef49be5f7d142a7ace003bd6da4afb4995b7d24e7a388434

Download Submit
C:\Vid5O\dobaec.exe

Filesize
2.6MB

MD5
642114ea17708d2c197ac8eb81d0d67c

SHA1
f2843a761f7bdd852a12996340bb8a54266c41d7

SHA256
2478dbb8d7d5a19a397848fb9807ff5499df6eb86fc830913abb194fc1c5c77a

SHA512
186b1c9d52f30f99a1e0d7b47d93ee60d3aaaeb492dd21304db41e8c0b4775b8be7fbb46588d5899e9857d7df65c7c1d0f45585a85b2d5766c99d04add13b2f2

Download Submit
C:\Vid5O\dobaec.exe

Filesize
2.6MB

MD5
76f9a95299e70874c6f5e1aad73beb47

SHA1
34ae6913ccb8f5172738a13f758b305908944cc3

SHA256
2d06b734c0a8f59459441f4029e9da1449475db8fb7628450f7517ed23eac8df

SHA512
cbb768bee1351aefd181b78ac0d324c80926c665734828dc62a846d448d64b8f5337bc1715cbf93c80b27f94326c190c4425d08c8fcb993dc9894f8539e000b5

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe

Filesize
2.6MB

MD5
ec17b2857cc9b88bcb5e8dbafa772011

SHA1
f0ffbf0a4eabdfd958fb2b3dfc0ee3cfe482cb0c

SHA256
577d748ad7e2c2468f3446780d60c934a8182d644708331c0d672875310d10bd

SHA512
37e6c2e7c2cfe8dee0edeb0d5a3aa6138da514f8499f000de2398efb49b125af599c3ae73494f64269aa61c27c5b650816fc65fad7a98a674d67e8f32f0fb7eb

Download Submit