f790d9d41ccd8b36df9f1f9f02e97bafa56b71b18cf78646faa10c0a56593a1f

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14/09/2024, 11:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

97f7388bc98a68b44272c750336f8450N.exe
Size

2.6MB
MD5

97f7388bc98a68b44272c750336f8450
SHA1

d6cb95b680fdafcbb430b05b775a6b41eb47cab1
SHA256

f790d9d41ccd8b36df9f1f9f02e97bafa56b71b18cf78646faa10c0a56593a1f
SHA512

56c9afae5260cf5c7d8ef84eb1a1607578886867ecf5f96ebf6d8e96dcc18351bc0e257a252c1f69660147aa4d86671b39018687ec25e8780573f9aba9b9208c
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBMB/bS:sxX7QnxrloE5dpUpTb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe	97f7388bc98a68b44272c750336f8450N.exe

Executes dropped EXE 2 IoCs

pid	Process
2996	ecdevdob.exe
2076	xoptiec.exe

Loads dropped DLL 2 IoCs

pid	Process
2068	97f7388bc98a68b44272c750336f8450N.exe
2068	97f7388bc98a68b44272c750336f8450N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeA6\\xoptiec.exe"	97f7388bc98a68b44272c750336f8450N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidJ3\\dobasys.exe"	97f7388bc98a68b44272c750336f8450N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	97f7388bc98a68b44272c750336f8450N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecdevdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xoptiec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2068	97f7388bc98a68b44272c750336f8450N.exe
2068	97f7388bc98a68b44272c750336f8450N.exe
2996	ecdevdob.exe
2076	xoptiec.exe
2996	ecdevdob.exe
2076	xoptiec.exe
2996	ecdevdob.exe
2076	xoptiec.exe
2996	ecdevdob.exe
2076	xoptiec.exe
2996	ecdevdob.exe
2076	xoptiec.exe
2996	ecdevdob.exe
2076	xoptiec.exe
2996	ecdevdob.exe
2076	xoptiec.exe
2996	ecdevdob.exe
2076	xoptiec.exe
2996	ecdevdob.exe
2076	xoptiec.exe
2996	ecdevdob.exe
2076	xoptiec.exe
2996	ecdevdob.exe
2076	xoptiec.exe
2996	ecdevdob.exe
2076	xoptiec.exe
2996	ecdevdob.exe
2076	xoptiec.exe
2996	ecdevdob.exe
2076	xoptiec.exe
2996	ecdevdob.exe
2076	xoptiec.exe
2996	ecdevdob.exe
2076	xoptiec.exe
2996	ecdevdob.exe
2076	xoptiec.exe
2996	ecdevdob.exe
2076	xoptiec.exe
2996	ecdevdob.exe
2076	xoptiec.exe
2996	ecdevdob.exe
2076	xoptiec.exe
2996	ecdevdob.exe
2076	xoptiec.exe
2996	ecdevdob.exe
2076	xoptiec.exe
2996	ecdevdob.exe
2076	xoptiec.exe
2996	ecdevdob.exe
2076	xoptiec.exe
2996	ecdevdob.exe
2076	xoptiec.exe
2996	ecdevdob.exe
2076	xoptiec.exe
2996	ecdevdob.exe
2076	xoptiec.exe
2996	ecdevdob.exe
2076	xoptiec.exe
2996	ecdevdob.exe
2076	xoptiec.exe
2996	ecdevdob.exe
2076	xoptiec.exe
2996	ecdevdob.exe
2076	xoptiec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 2996	2068	97f7388bc98a68b44272c750336f8450N.exe	31
PID 2068 wrote to memory of 2996	2068	97f7388bc98a68b44272c750336f8450N.exe	31
PID 2068 wrote to memory of 2996	2068	97f7388bc98a68b44272c750336f8450N.exe	31
PID 2068 wrote to memory of 2996	2068	97f7388bc98a68b44272c750336f8450N.exe	31
PID 2068 wrote to memory of 2076	2068	97f7388bc98a68b44272c750336f8450N.exe	32
PID 2068 wrote to memory of 2076	2068	97f7388bc98a68b44272c750336f8450N.exe	32
PID 2068 wrote to memory of 2076	2068	97f7388bc98a68b44272c750336f8450N.exe	32
PID 2068 wrote to memory of 2076	2068	97f7388bc98a68b44272c750336f8450N.exe	32

C:\Users\Admin\AppData\Local\Temp\97f7388bc98a68b44272c750336f8450N.exe
"C:\Users\Admin\AppData\Local\Temp\97f7388bc98a68b44272c750336f8450N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2996
- C:\AdobeA6\xoptiec.exe
  C:\AdobeA6\xoptiec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeA6\xoptiec.exe

Filesize
2.6MB

MD5
2aeced46df9275019af50d5e2af66dcb

SHA1
7c7f4cec115b638a388efec2d767f65b386dd2de

SHA256
584bec09bdcfb2062d399db89ea60dd3f9d15616a9c7cf2db72d9cd024097d50

SHA512
7c972e2aa15f563879c10674de7da1fbd01b86dd06f154f07a20d04ffeab1ddb4407185fdc3ea2d6610890152fc198931cfccf684e26853a6b3d77b63e0ee410

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
168B

MD5
b4f13ef569bb6f854ae487f8a106e011

SHA1
1327e50fd3288d2fd351f7322bdbbb6f6b3073a1

SHA256
f68bf43b2db357b32aaf5a871ac6706542e37412e1aa9d5339335e324aa7dbf1

SHA512
1d1121007f1c690d987d10a86b966f6af2bd3981513479a0f6a4f3aecfbb50381c7acc81ef824b76d4d0d60a2d2f3d43481a32bab3cc83ed7e51248c731bcd69

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
200B

MD5
74486f05a38b45a096637b2ca1cecf2f

SHA1
3997c76e1d75b19d2ae80770cab957c5c58e661f

SHA256
f3408400d5b7e950cc53326057b51fb3f79e764a70c52ee22a5da9f5909e1df7

SHA512
d005ee9019115375f02a743f1b1c2ee4e33d1920bcacadbcce2814c93176bdd20f5f0e7df3068df8bb44f27539f2be6fa2f7a08f5263a55af6e226d01a5ea843

Download Submit
C:\VidJ3\dobasys.exe

Filesize
2.6MB

MD5
82b1d9d2f209c1f9a91f0ffa1e0c5081

SHA1
22c011642235b2c17ca515ff10f7a648bac30731

SHA256
01c47dfdddb73a039bbf1734097491631cb7c7e02e0f5f681384e2ce6965aec1

SHA512
d816fe3dc5919057912dc46ea6c49ef5d2a352c5420bfc70985e5415cd1aa2d466ce33887e9b053cebd22250b9c65cbcde32d71b4ad624ab5de235b111812480

Download Submit
C:\VidJ3\dobasys.exe

Filesize
2.6MB

MD5
94a3b01745c6ebfbed5b9c703aad092f

SHA1
c3c53fc56bf141e301076b68c3bbfe411159760c

SHA256
d0e2fcaefdcfcc50f2c09b80e768173eb239d07cc262662e562c021f0b6adc59

SHA512
3665f4c77262a38a159333ab4f06228d0ab3c6b8086de1e6e75457b7f74b031d38306cd0552031baa9dd7de238c862f8a5e9f6c9a65e7f9debd5b6a5d8f95594

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe

Filesize
2.6MB

MD5
2a22abc6dd49ebf4a66d5348d8c434d4

SHA1
cc037c23d418c9e42f7a140789418d645dda4665

SHA256
11914b2967e201e4a734c5c21c996cad110098caa29a576e19bdbe9d17128a83

SHA512
c93d909260f15a1a11423c515b0060fd802bf136a0e609ec0ca6ad7e597029b102e9a39b27d686c62e145f16f044edd5ef450c14a7fa0d1bc60dd22efc64d4bc

Download Submit