6d636b00adca163d858e5df82cd38bb0cd0f1ef36232576ea5fe7bb8e4e9adeb

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
07/09/2024, 22:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6d636b00adca163d858e5df82cd38bb0cd0f1ef36232576ea5fe7bb8e4e9adeb.exe
Size

2.6MB
MD5

abafae1dee331923326e1062c9e21a26
SHA1

2f5f722053e6889085d1e6b0ac270dd7d37bb560
SHA256

6d636b00adca163d858e5df82cd38bb0cd0f1ef36232576ea5fe7bb8e4e9adeb
SHA512

b5667d92e2f8381e8c3f3fbaca50c11b844488155ab7afea16bb0f4e817edc711cf19ae95a3a25bfe2bfcfff4fb1cc1dcb7fb0d607524d315c14a38940446f82
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBPB/bS:sxX7QnxrloE5dpUpsb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe	6d636b00adca163d858e5df82cd38bb0cd0f1ef36232576ea5fe7bb8e4e9adeb.exe

Executes dropped EXE 2 IoCs

pid	Process
1244	ecxopti.exe
3012	xdobsys.exe

Loads dropped DLL 2 IoCs

pid	Process
1864	6d636b00adca163d858e5df82cd38bb0cd0f1ef36232576ea5fe7bb8e4e9adeb.exe
1864	6d636b00adca163d858e5df82cd38bb0cd0f1ef36232576ea5fe7bb8e4e9adeb.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintMF\\optixec.exe"	6d636b00adca163d858e5df82cd38bb0cd0f1ef36232576ea5fe7bb8e4e9adeb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeVV\\xdobsys.exe"	6d636b00adca163d858e5df82cd38bb0cd0f1ef36232576ea5fe7bb8e4e9adeb.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6d636b00adca163d858e5df82cd38bb0cd0f1ef36232576ea5fe7bb8e4e9adeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecxopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdobsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1864	6d636b00adca163d858e5df82cd38bb0cd0f1ef36232576ea5fe7bb8e4e9adeb.exe
1864	6d636b00adca163d858e5df82cd38bb0cd0f1ef36232576ea5fe7bb8e4e9adeb.exe
1244	ecxopti.exe
3012	xdobsys.exe
1244	ecxopti.exe
3012	xdobsys.exe
1244	ecxopti.exe
3012	xdobsys.exe
1244	ecxopti.exe
3012	xdobsys.exe
1244	ecxopti.exe
3012	xdobsys.exe
1244	ecxopti.exe
3012	xdobsys.exe
1244	ecxopti.exe
3012	xdobsys.exe
1244	ecxopti.exe
3012	xdobsys.exe
1244	ecxopti.exe
3012	xdobsys.exe
1244	ecxopti.exe
3012	xdobsys.exe
1244	ecxopti.exe
3012	xdobsys.exe
1244	ecxopti.exe
3012	xdobsys.exe
1244	ecxopti.exe
3012	xdobsys.exe
1244	ecxopti.exe
3012	xdobsys.exe
1244	ecxopti.exe
3012	xdobsys.exe
1244	ecxopti.exe
3012	xdobsys.exe
1244	ecxopti.exe
3012	xdobsys.exe
1244	ecxopti.exe
3012	xdobsys.exe
1244	ecxopti.exe
3012	xdobsys.exe
1244	ecxopti.exe
3012	xdobsys.exe
1244	ecxopti.exe
3012	xdobsys.exe
1244	ecxopti.exe
3012	xdobsys.exe
1244	ecxopti.exe
3012	xdobsys.exe
1244	ecxopti.exe
3012	xdobsys.exe
1244	ecxopti.exe
3012	xdobsys.exe
1244	ecxopti.exe
3012	xdobsys.exe
1244	ecxopti.exe
3012	xdobsys.exe
1244	ecxopti.exe
3012	xdobsys.exe
1244	ecxopti.exe
3012	xdobsys.exe
1244	ecxopti.exe
3012	xdobsys.exe
1244	ecxopti.exe
3012	xdobsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1864 wrote to memory of 1244	1864	6d636b00adca163d858e5df82cd38bb0cd0f1ef36232576ea5fe7bb8e4e9adeb.exe	30
PID 1864 wrote to memory of 1244	1864	6d636b00adca163d858e5df82cd38bb0cd0f1ef36232576ea5fe7bb8e4e9adeb.exe	30
PID 1864 wrote to memory of 1244	1864	6d636b00adca163d858e5df82cd38bb0cd0f1ef36232576ea5fe7bb8e4e9adeb.exe	30
PID 1864 wrote to memory of 1244	1864	6d636b00adca163d858e5df82cd38bb0cd0f1ef36232576ea5fe7bb8e4e9adeb.exe	30
PID 1864 wrote to memory of 3012	1864	6d636b00adca163d858e5df82cd38bb0cd0f1ef36232576ea5fe7bb8e4e9adeb.exe	31
PID 1864 wrote to memory of 3012	1864	6d636b00adca163d858e5df82cd38bb0cd0f1ef36232576ea5fe7bb8e4e9adeb.exe	31
PID 1864 wrote to memory of 3012	1864	6d636b00adca163d858e5df82cd38bb0cd0f1ef36232576ea5fe7bb8e4e9adeb.exe	31
PID 1864 wrote to memory of 3012	1864	6d636b00adca163d858e5df82cd38bb0cd0f1ef36232576ea5fe7bb8e4e9adeb.exe	31

C:\Users\Admin\AppData\Local\Temp\6d636b00adca163d858e5df82cd38bb0cd0f1ef36232576ea5fe7bb8e4e9adeb.exe
"C:\Users\Admin\AppData\Local\Temp\6d636b00adca163d858e5df82cd38bb0cd0f1ef36232576ea5fe7bb8e4e9adeb.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1864
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1244
- C:\AdobeVV\xdobsys.exe
  C:\AdobeVV\xdobsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeVV\xdobsys.exe

Filesize
2.6MB

MD5
89e94991401f10689fab248a9eaa465b

SHA1
9879a94fc3484d6c349fd74ff3738ed3877fa87e

SHA256
bb9b70c7757c362c58bf13ba19e43879d7b2dfdff180faddac2b18e4365d957b

SHA512
3e6147054dadef86253599acf711a250fee125857b409c59d28d434329a82e7a18bdf1835a4530621043671b77a4cba97898d144414dfe5e4175f19439be7ffd

Download Submit
C:\MintMF\optixec.exe

Filesize
2.1MB

MD5
02f7542067eb3597d32c52ddd8c8e58d

SHA1
44aaaf088a45a29510d0cc7c00ccf6c819c35ae1

SHA256
dedcff3958122c87163dcf2ff58f7ee4586764382ce7ee780a2e3a5b34e01fbf

SHA512
d2e2dacf002bae39727bf9b469f2b8e007abd18230df52b92d6488ca4c8110348b0e908493780d87605c80d73aa602d7a7de98293d1964f8dad8c9be30af92e7

Download Submit
C:\MintMF\optixec.exe

Filesize
2.6MB

MD5
6feef8495324d0e469ae7936bcdd092c

SHA1
4da97d5dc2caeb328da7e5c1b8a532b63ace44ce

SHA256
966a9d376c78b05890aa27055d2a21712ceb0310804a7300d59b3e2fd62a35de

SHA512
51dc0ae715626b5df41cf256c8bab232585e4ffeecd35f16161f2f442f582976e64705a026b34a42bc215304a8318204ad996781462fa04bf2e1e1454f5fd6d6

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
168B

MD5
5027d7a3b04a96c4905cdfbf2e38d61e

SHA1
e3e3cb6a9c74fc0da8bc8b4f3760da66786a2b61

SHA256
7f96d163eb5cb47c1ea6cdd4dfce6b51d3f104df024f13b9700d93e1ccf89c32

SHA512
51c3dc9c825ceeab919dd6e500de8da35c6024b1d1d334b763811f440cc2ebd92e63db06b4dce7179ef16abff7e885bd00dd643d167d27dab31f532e645562a3

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
200B

MD5
d5caf1124ab31e2552ba6c5d77f92328

SHA1
2fded6f34cbca0f6dd93be141f7b250fb1138805

SHA256
b4221e371a92eacaa0b33e0195e7fe5bdeced808b33595ab6461b8a4387af6dd

SHA512
5313affe05db26e35d761dc79b7f2edbcdd7be1f597c973a8c6258c2dfb57250a0db7bac7520332f3921152daaa9148515f802ad797d61662e9e140ae3678ab7

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe

Filesize
2.6MB

MD5
b01f64426c7f591e80d348dfbbbeb038

SHA1
9f004b017d0255725559e4d04620c3dddbd9256c

SHA256
fb2d5eb77102d25b54e20bed946be7129944e99080bf43c95cb8d2077c5095bb

SHA512
5ecc5321d393854e8e8f4dcad96c7af3026e94852feb987fb57659a2c290f81cddf807506c2d5c90f5a50920a36dd6d9d942e478cf1caf9f8890b1a8cc983e66

Download Submit