1c38b2cf0a7635d6c45266f4162b5998ec4ba603aa7369e9f9c50d26c042c068

Analysis

max time kernel
120s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04-09-2024 11:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9348b4763b3d3689fbbae831b325a060N.exe
Size

2.6MB
MD5

9348b4763b3d3689fbbae831b325a060
SHA1

6108214238f5a1cb7894a5604522e64187dd90b7
SHA256

1c38b2cf0a7635d6c45266f4162b5998ec4ba603aa7369e9f9c50d26c042c068
SHA512

1dcd1aca28dcbd17da2476688ad6410e086423c9926452d710a8a81d8af98257d903228b298db21735145cced8feb46ba76dc8be3190411990b1c33f03ec245e
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBDB/bS:sxX7QnxrloE5dpUpQb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe	9348b4763b3d3689fbbae831b325a060N.exe

Executes dropped EXE 2 IoCs

pid	Process
2112	ecxbod.exe
1112	devdobsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotBI\\devdobsys.exe"	9348b4763b3d3689fbbae831b325a060N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBJC\\optiasys.exe"	9348b4763b3d3689fbbae831b325a060N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9348b4763b3d3689fbbae831b325a060N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecxbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devdobsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4908	9348b4763b3d3689fbbae831b325a060N.exe
4908	9348b4763b3d3689fbbae831b325a060N.exe
4908	9348b4763b3d3689fbbae831b325a060N.exe
4908	9348b4763b3d3689fbbae831b325a060N.exe
2112	ecxbod.exe
2112	ecxbod.exe
1112	devdobsys.exe
1112	devdobsys.exe
2112	ecxbod.exe
2112	ecxbod.exe
1112	devdobsys.exe
1112	devdobsys.exe
2112	ecxbod.exe
2112	ecxbod.exe
1112	devdobsys.exe
1112	devdobsys.exe
2112	ecxbod.exe
2112	ecxbod.exe
1112	devdobsys.exe
1112	devdobsys.exe
2112	ecxbod.exe
2112	ecxbod.exe
1112	devdobsys.exe
1112	devdobsys.exe
2112	ecxbod.exe
2112	ecxbod.exe
1112	devdobsys.exe
1112	devdobsys.exe
2112	ecxbod.exe
2112	ecxbod.exe
1112	devdobsys.exe
1112	devdobsys.exe
2112	ecxbod.exe
2112	ecxbod.exe
1112	devdobsys.exe
1112	devdobsys.exe
2112	ecxbod.exe
2112	ecxbod.exe
1112	devdobsys.exe
1112	devdobsys.exe
2112	ecxbod.exe
2112	ecxbod.exe
1112	devdobsys.exe
1112	devdobsys.exe
2112	ecxbod.exe
2112	ecxbod.exe
1112	devdobsys.exe
1112	devdobsys.exe
2112	ecxbod.exe
2112	ecxbod.exe
1112	devdobsys.exe
1112	devdobsys.exe
2112	ecxbod.exe
2112	ecxbod.exe
1112	devdobsys.exe
1112	devdobsys.exe
2112	ecxbod.exe
2112	ecxbod.exe
1112	devdobsys.exe
1112	devdobsys.exe
2112	ecxbod.exe
2112	ecxbod.exe
1112	devdobsys.exe
1112	devdobsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4908 wrote to memory of 2112	4908	9348b4763b3d3689fbbae831b325a060N.exe	86
PID 4908 wrote to memory of 2112	4908	9348b4763b3d3689fbbae831b325a060N.exe	86
PID 4908 wrote to memory of 2112	4908	9348b4763b3d3689fbbae831b325a060N.exe	86
PID 4908 wrote to memory of 1112	4908	9348b4763b3d3689fbbae831b325a060N.exe	89
PID 4908 wrote to memory of 1112	4908	9348b4763b3d3689fbbae831b325a060N.exe	89
PID 4908 wrote to memory of 1112	4908	9348b4763b3d3689fbbae831b325a060N.exe	89

C:\Users\Admin\AppData\Local\Temp\9348b4763b3d3689fbbae831b325a060N.exe
"C:\Users\Admin\AppData\Local\Temp\9348b4763b3d3689fbbae831b325a060N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4908
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2112
- C:\UserDotBI\devdobsys.exe
  C:\UserDotBI\devdobsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBJC\optiasys.exe

Filesize
2.6MB

MD5
000a35562ecde24616a84a8db5491962

SHA1
2a763d8ff51c875be40f1c1fee65463d8c050f08

SHA256
51df1ee1c2d45597b60be17df46b9cdb8bb0d93df428cb12691aea3395aa5813

SHA512
fb750e71c3374fb909b515b79be24ee1aaf909c9810efeb02ec067efd3937a304f2b45571b8ac3dba01c3b7476beeda067f4d81207c8f0d05b37748d71f223a9

Download Submit
C:\KaVBJC\optiasys.exe

Filesize
5KB

MD5
b1bff5461f6eccee15bc13b90b862c37

SHA1
9b68b3e8bd60c2c4b00d1ff961e9c20b00350466

SHA256
31ee37ebd445cdf1397bb80f305ea15a1b3d12fced2d3dd773fe436cbaaf9498

SHA512
fc655a29154ddbd88a87bbe6eff59a7e0654e6306682a7ea2f70c240b99f1e7026089df3a2803df3ec6f1a12c75d0ea1438ffc856440b95121dbfdcbc15800b0

Download Submit
C:\UserDotBI\devdobsys.exe

Filesize
2.6MB

MD5
21e3e331b1398bec120a6ae9db002af3

SHA1
ec853fb74713737e60d367ca18b81f98162bfb02

SHA256
635fe12783f9b2118e9fc5bc0c77e6bc3054a107250fed3b67abf4aca6b34f93

SHA512
c135ee6d6e152ff81d2b95a5de967a36a1abad05f8d3e583cf68d3eb8481a017642b9c5d616b571869b7da0ba6136a3a0aee774c86db3e7a297b98a0a867b0ec

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
fff2ec1bb85b99165ab93cb4bc014381

SHA1
43d2b4a6220c6f9341e00180c42e0f1d8e6a47b8

SHA256
a96e8a1018627cb49a0c44feb13959dfda1e008f5538f07fdf9e9bde8c3c2aa8

SHA512
38737678e8e8f6797b869751ac58959ea9d672ccaae5a973737f5cc4df03eb74612a658523e82c44c414ed7a38da703b16cf28c2d8304a6990c6b2189564906b

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
172B

MD5
43f9a41bb57f40a33586907a6d8a69da

SHA1
8af774f9476a8361a88bc5762be1a8a4cf47c4b7

SHA256
324780345d612ecfa4d0d514ac75e8794d6d4b4f288b916a2d4946a55e6dfd11

SHA512
3abb8841129de610f755084fa29c88e9e54e9d3dd0174f419ca2849ec352f2fb16e11a155208012b5ccb28edad95b56f46bae2061c0e0756971b39968d797362

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe

Filesize
2.6MB

MD5
3c29714b1607531d5dc24986ff5e247e

SHA1
7fbde8a527678414526fd2e7bcf14258b505176c

SHA256
2861de84f4cb98d9a1b93d999f30b389ec2daa6558f1ea3f45d19b1dd2c5d677

SHA512
2652abcf18a55cbba70f9408f8ab940d703f43d7b3db483eabca512ed4576e9aec1ce78ec37b50bc40a46914bd8dc53c07b5155dd4161c1b0b2544201d569067

Download Submit