11770b9dabfb82225d5731358d9abdbf9234e0d91b01cbbb4a62a58a89c0260b

Analysis

max time kernel
119s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14-09-2024 15:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6b0a55ffdd69076a4dbc683cefca3380N.exe
Size

2.6MB
MD5

6b0a55ffdd69076a4dbc683cefca3380
SHA1

222163ac495e67358d4a749ea684ed2991bddbfd
SHA256

11770b9dabfb82225d5731358d9abdbf9234e0d91b01cbbb4a62a58a89c0260b
SHA512

f613a97982654232a6965da5ce8da591c8dad9f68b4c1aea7aae38091a910961f6ffff6f7f9f366b201d740081073f39a7144906e9063d36c02b6ccb11af663d
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBFB/bS:sxX7QnxrloE5dpUpWb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe	6b0a55ffdd69076a4dbc683cefca3380N.exe

Executes dropped EXE 2 IoCs

pid	Process
4544	ecdevopti.exe
4648	xdobec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintW8\\optidevec.exe"	6b0a55ffdd69076a4dbc683cefca3380N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot3T\\xdobec.exe"	6b0a55ffdd69076a4dbc683cefca3380N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6b0a55ffdd69076a4dbc683cefca3380N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecdevopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdobec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3088	6b0a55ffdd69076a4dbc683cefca3380N.exe
3088	6b0a55ffdd69076a4dbc683cefca3380N.exe
3088	6b0a55ffdd69076a4dbc683cefca3380N.exe
3088	6b0a55ffdd69076a4dbc683cefca3380N.exe
4544	ecdevopti.exe
4544	ecdevopti.exe
4648	xdobec.exe
4648	xdobec.exe
4544	ecdevopti.exe
4544	ecdevopti.exe
4648	xdobec.exe
4648	xdobec.exe
4544	ecdevopti.exe
4544	ecdevopti.exe
4648	xdobec.exe
4648	xdobec.exe
4544	ecdevopti.exe
4544	ecdevopti.exe
4648	xdobec.exe
4648	xdobec.exe
4544	ecdevopti.exe
4544	ecdevopti.exe
4648	xdobec.exe
4648	xdobec.exe
4544	ecdevopti.exe
4544	ecdevopti.exe
4648	xdobec.exe
4648	xdobec.exe
4544	ecdevopti.exe
4544	ecdevopti.exe
4648	xdobec.exe
4648	xdobec.exe
4544	ecdevopti.exe
4544	ecdevopti.exe
4648	xdobec.exe
4648	xdobec.exe
4544	ecdevopti.exe
4544	ecdevopti.exe
4648	xdobec.exe
4648	xdobec.exe
4544	ecdevopti.exe
4544	ecdevopti.exe
4648	xdobec.exe
4648	xdobec.exe
4544	ecdevopti.exe
4544	ecdevopti.exe
4648	xdobec.exe
4648	xdobec.exe
4544	ecdevopti.exe
4544	ecdevopti.exe
4648	xdobec.exe
4648	xdobec.exe
4544	ecdevopti.exe
4544	ecdevopti.exe
4648	xdobec.exe
4648	xdobec.exe
4544	ecdevopti.exe
4544	ecdevopti.exe
4648	xdobec.exe
4648	xdobec.exe
4544	ecdevopti.exe
4544	ecdevopti.exe
4648	xdobec.exe
4648	xdobec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3088 wrote to memory of 4544	3088	6b0a55ffdd69076a4dbc683cefca3380N.exe	89
PID 3088 wrote to memory of 4544	3088	6b0a55ffdd69076a4dbc683cefca3380N.exe	89
PID 3088 wrote to memory of 4544	3088	6b0a55ffdd69076a4dbc683cefca3380N.exe	89
PID 3088 wrote to memory of 4648	3088	6b0a55ffdd69076a4dbc683cefca3380N.exe	90
PID 3088 wrote to memory of 4648	3088	6b0a55ffdd69076a4dbc683cefca3380N.exe	90
PID 3088 wrote to memory of 4648	3088	6b0a55ffdd69076a4dbc683cefca3380N.exe	90

C:\Users\Admin\AppData\Local\Temp\6b0a55ffdd69076a4dbc683cefca3380N.exe
"C:\Users\Admin\AppData\Local\Temp\6b0a55ffdd69076a4dbc683cefca3380N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3088
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4544
- C:\UserDot3T\xdobec.exe
  C:\UserDot3T\xdobec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintW8\optidevec.exe

Filesize
1.2MB

MD5
12d1e5caf20932e52553c2ac699ab984

SHA1
1fbd0957b4464643e541ab074dff698ba215ff17

SHA256
c3c20e2360c96e7c5a575a0cea0d813c4f61ac5ec6cc5481b268881b43025efc

SHA512
30043f823783875d921492e0c5c9c3c617afd535381ff75c2d1009c570d5e88cc946a47ac27c6577a614d9880b18d499ca8f7fbd301bcc86b4ac85dc5555bfc4

Download Submit
C:\MintW8\optidevec.exe

Filesize
2.6MB

MD5
e118aa14620fd4be46b8ad18b1c093c6

SHA1
49fb9a5342b7ea06e0ce4f6a3ced914ab24cf961

SHA256
8e031340bcae893b30e1b9ce4355b70bb293f96c82343a51b8fbe4882b673100

SHA512
9fead1439b617b4580f808fcdbe6890114923147240d51ad1d5460db1c5080747ff200c32189d8750fa837846f9eb1287caf3c3da35ae86ac56b0646dddeb5cc

Download Submit
C:\UserDot3T\xdobec.exe

Filesize
2.6MB

MD5
fe9f74ce4bfa05d07686a79c6669c63e

SHA1
7e8f6b3cbee1948797a976d511caf5e2c410fab6

SHA256
1b4e33584bbf188d3117e4c3ce7b5bc9d0859ca319ce299f8898be4b42ec3876

SHA512
74ebf1effbc059acbbf7a3e7379448610ba16d48837bde46cd195d5f6aedba9cbb7b31ec413967d46210f5a8737a05338d18bc1a86729ae0154dd9278a73ced3

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
9a276381dcb05403788a2b58edd14810

SHA1
8e3cd081f6a08c133e999f8222144ba20a03918e

SHA256
3de02de387797840be6ec87fc3327c16ee8110ed6c0780a0d736905aea638828

SHA512
65644016ff702b8684650f9c1f2086a6a77a1368f7237dfa70a286c4d5ec14d3fecf3ca8a7daef3aca0d3d1217c628253ae047f7efe2db13a67fdf05d16c08e2

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
173B

MD5
ec5a6632094a6de69a5d5487338f10bb

SHA1
35248bba8d98b465dbfd78759d5c1d69e9f63b65

SHA256
02e8a1b9e7ba63b15e842532efb2980fafc9beacb9113bb24c0be76ca088806a

SHA512
b1060e7ef28ba989cc2cc3c0ffecea9cee4e7b48cb608d6b24bee0bb6d6962e756f8a26e6abb9a5ebc952ed23a33dc8502d904a66ee4b8f133cc3b9faff127dc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe

Filesize
2.6MB

MD5
65d63695440778134454b69529fe2437

SHA1
d7ab889bf5feac2f3898bedd8bacb441e05469c6

SHA256
c424056bde0682835f820410a2ed370e71ee120755f4a1c86ae50adf5e30b0f3

SHA512
80cf07267a68ae9076f291f711a33b8b9eb858f2b96a26225d7e006c8a9a88225344a31776ac654d817769c4a3b41f58039a275b75d9d38d0a834de16a7ca175

Download Submit