a82d7e31b5d4f2272601bc40b56df1835d269949d0c3de46c0992c3ec9383c29

Analysis

max time kernel
119s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-09-2024 02:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec57cf71bd965a6d32364afbe56c6ad0N.exe
Size

2.6MB
MD5

ec57cf71bd965a6d32364afbe56c6ad0
SHA1

29d57539445e8c9cc206cdd879c760c8e5ce0527
SHA256

a82d7e31b5d4f2272601bc40b56df1835d269949d0c3de46c0992c3ec9383c29
SHA512

ba1504ce921f05b64b970cc10141904699fd374cef1b1819f4fb96a62e71c5f0564d1fd7bdb3ac8d96e8b6866ae6f385949f21acee2ac5ca0b585f7a7b7f3ea8
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBEB/bS:sxX7QnxrloE5dpUp7b

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe	ec57cf71bd965a6d32364afbe56c6ad0N.exe

Executes dropped EXE 2 IoCs

pid	Process
2388	ecxdob.exe
2076	devoptisys.exe

Loads dropped DLL 2 IoCs

pid	Process
2104	ec57cf71bd965a6d32364afbe56c6ad0N.exe
2104	ec57cf71bd965a6d32364afbe56c6ad0N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe2O\\devoptisys.exe"	ec57cf71bd965a6d32364afbe56c6ad0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB03\\dobxec.exe"	ec57cf71bd965a6d32364afbe56c6ad0N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ec57cf71bd965a6d32364afbe56c6ad0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecxdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devoptisys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2104	ec57cf71bd965a6d32364afbe56c6ad0N.exe
2104	ec57cf71bd965a6d32364afbe56c6ad0N.exe
2388	ecxdob.exe
2076	devoptisys.exe
2388	ecxdob.exe
2076	devoptisys.exe
2388	ecxdob.exe
2076	devoptisys.exe
2388	ecxdob.exe
2076	devoptisys.exe
2388	ecxdob.exe
2076	devoptisys.exe
2388	ecxdob.exe
2076	devoptisys.exe
2388	ecxdob.exe
2076	devoptisys.exe
2388	ecxdob.exe
2076	devoptisys.exe
2388	ecxdob.exe
2076	devoptisys.exe
2388	ecxdob.exe
2076	devoptisys.exe
2388	ecxdob.exe
2076	devoptisys.exe
2388	ecxdob.exe
2076	devoptisys.exe
2388	ecxdob.exe
2076	devoptisys.exe
2388	ecxdob.exe
2076	devoptisys.exe
2388	ecxdob.exe
2076	devoptisys.exe
2388	ecxdob.exe
2076	devoptisys.exe
2388	ecxdob.exe
2076	devoptisys.exe
2388	ecxdob.exe
2076	devoptisys.exe
2388	ecxdob.exe
2076	devoptisys.exe
2388	ecxdob.exe
2076	devoptisys.exe
2388	ecxdob.exe
2076	devoptisys.exe
2388	ecxdob.exe
2076	devoptisys.exe
2388	ecxdob.exe
2076	devoptisys.exe
2388	ecxdob.exe
2076	devoptisys.exe
2388	ecxdob.exe
2076	devoptisys.exe
2388	ecxdob.exe
2076	devoptisys.exe
2388	ecxdob.exe
2076	devoptisys.exe
2388	ecxdob.exe
2076	devoptisys.exe
2388	ecxdob.exe
2076	devoptisys.exe
2388	ecxdob.exe
2076	devoptisys.exe
2388	ecxdob.exe
2076	devoptisys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 2388	2104	ec57cf71bd965a6d32364afbe56c6ad0N.exe	30
PID 2104 wrote to memory of 2388	2104	ec57cf71bd965a6d32364afbe56c6ad0N.exe	30
PID 2104 wrote to memory of 2388	2104	ec57cf71bd965a6d32364afbe56c6ad0N.exe	30
PID 2104 wrote to memory of 2388	2104	ec57cf71bd965a6d32364afbe56c6ad0N.exe	30
PID 2104 wrote to memory of 2076	2104	ec57cf71bd965a6d32364afbe56c6ad0N.exe	31
PID 2104 wrote to memory of 2076	2104	ec57cf71bd965a6d32364afbe56c6ad0N.exe	31
PID 2104 wrote to memory of 2076	2104	ec57cf71bd965a6d32364afbe56c6ad0N.exe	31
PID 2104 wrote to memory of 2076	2104	ec57cf71bd965a6d32364afbe56c6ad0N.exe	31

C:\Users\Admin\AppData\Local\Temp\ec57cf71bd965a6d32364afbe56c6ad0N.exe
"C:\Users\Admin\AppData\Local\Temp\ec57cf71bd965a6d32364afbe56c6ad0N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2388
- C:\Adobe2O\devoptisys.exe
  C:\Adobe2O\devoptisys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Adobe2O\devoptisys.exe

Filesize
2.6MB

MD5
57be7c288a618c9687699c9a7641ea33

SHA1
f9bfb3a98ed40e0b60509c748b6daf1bb05cb337

SHA256
75e05d27143a9637605e33501a8b04e91af737326551a517788f779ee1a10c95

SHA512
5023695016b61d1ba67110e7b125ed912c7dc823f1c2062d24c073ec299d985b6a45882f46974e98e79b26ef7feaae2a78e3f8069f3d6a8cb28064a8db6281ea

Download Submit
C:\KaVB03\dobxec.exe

Filesize
2.6MB

MD5
82e9d3e21d897710cd4f5377e7170fd3

SHA1
05fe14457d7b4055d8de98cb0b20b86b272e8b8a

SHA256
54dce8e9987f5ee4f5dcceeb4dfd8b7f72b55323389c68c0e0bf54530ae19d1a

SHA512
2fc673a88dcd995896a764a44d60b0f463059c537465871cf4176543fa038e99e6fe708090b700b6f29efa4326281a1660d04d85f9ddca8f1a29a6ebae440bdc

Download Submit
C:\KaVB03\dobxec.exe

Filesize
2.6MB

MD5
3fcee9335564b77470ced58cb9e98157

SHA1
2c224c2ecab5b9fbb1ecca44d86d06003e92879c

SHA256
314f989846909bb83e1a4906a312224383bb549c3e420a000ad2212772346395

SHA512
985d95ab46f62141d5fb595264bc07862dc7e3c68c042bde5fb95a8c2523afed33748f1d5b6f00644cd67bf322ef485110996980245eac939ae9bcde3ffd48bc

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
169B

MD5
d924221c953dd7fb4d51dabd7b1755d8

SHA1
eda0a1f5226bc41c6da31d13b2cb1473ca96be66

SHA256
25f8e5f17f2e02012c621486c718ee32c62b3f388a5d95a28cebf0067582d6e6

SHA512
9a7e86afb2862ce47b480dd16f018acf527488bf93757cb8b0f79d57ee9b0af4d36b8a34eeac0192eb78e7532d0b2aea57926e63f3e4e3491429e91f4dc30511

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
201B

MD5
1e1714b766004a9541c939e03cd03506

SHA1
6410a92c823cc19fa677311631f86696dfbdfbc8

SHA256
16e4c033b9877e01840db77bff44479dec9630ea8f9dacf30d4c5ad3e81677ed

SHA512
8f284e91abe110fddd86916924f876f7251b6a918125e572b456ef29e83c46a9bc598b4a3059391659f810627b410663be9bcaa21738e6b02bfbc6f2f8bc0556

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe

Filesize
2.6MB

MD5
53f7e3031f2f7479b8c05a184ed54699

SHA1
7929962fdf1dbdd9de3e027f97ae7dfe56d74895

SHA256
29d341099b8b46bfa64f31f5a07980659b2727cab3140ceefd01c95f682afd14

SHA512
38dd0ec90e7bb80976a75e5cdb83fe8aa39068d118cd32374158402a4c9e6ed6acd47e1274e90c350b0db95a2e7f216ff020b870bafa999fa59daf23057fad30

Download Submit