c79fe3e117d93df69d631b731aabe6564ecae149a3c63e439771be3c6780b12e

Analysis

max time kernel
149s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 01:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c79fe3e117d93df69d631b731aabe6564ecae149a3c63e439771be3c6780b12e.exe
Size

2.6MB
MD5

830a7fe8cd4f932df74bc525bddaad7a
SHA1

4c9d0d38fb945cec3f2bd7e09208486f74e266db
SHA256

c79fe3e117d93df69d631b731aabe6564ecae149a3c63e439771be3c6780b12e
SHA512

81a8b92141d5d71554bd43a4d17c7fe1a1ab88dbd4794221e3c69a57e0914188c7dd3826694c6b5325b6bcb0b374480e3811e170638e61c666a8e75fdea7a079
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBDB/bSq:sxX7QnxrloE5dpUpwbV

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe	c79fe3e117d93df69d631b731aabe6564ecae149a3c63e439771be3c6780b12e.exe

Executes dropped EXE 2 IoCs

pid	Process
4256	ecxopti.exe
264	adobloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc6G\\adobloc.exe"	c79fe3e117d93df69d631b731aabe6564ecae149a3c63e439771be3c6780b12e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB6Q\\optidevec.exe"	c79fe3e117d93df69d631b731aabe6564ecae149a3c63e439771be3c6780b12e.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c79fe3e117d93df69d631b731aabe6564ecae149a3c63e439771be3c6780b12e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecxopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adobloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3884	c79fe3e117d93df69d631b731aabe6564ecae149a3c63e439771be3c6780b12e.exe
3884	c79fe3e117d93df69d631b731aabe6564ecae149a3c63e439771be3c6780b12e.exe
3884	c79fe3e117d93df69d631b731aabe6564ecae149a3c63e439771be3c6780b12e.exe
3884	c79fe3e117d93df69d631b731aabe6564ecae149a3c63e439771be3c6780b12e.exe
4256	ecxopti.exe
4256	ecxopti.exe
264	adobloc.exe
264	adobloc.exe
4256	ecxopti.exe
4256	ecxopti.exe
264	adobloc.exe
264	adobloc.exe
4256	ecxopti.exe
4256	ecxopti.exe
264	adobloc.exe
264	adobloc.exe
4256	ecxopti.exe
4256	ecxopti.exe
264	adobloc.exe
264	adobloc.exe
4256	ecxopti.exe
4256	ecxopti.exe
264	adobloc.exe
264	adobloc.exe
4256	ecxopti.exe
4256	ecxopti.exe
264	adobloc.exe
264	adobloc.exe
4256	ecxopti.exe
4256	ecxopti.exe
264	adobloc.exe
264	adobloc.exe
4256	ecxopti.exe
4256	ecxopti.exe
264	adobloc.exe
264	adobloc.exe
4256	ecxopti.exe
4256	ecxopti.exe
264	adobloc.exe
264	adobloc.exe
4256	ecxopti.exe
4256	ecxopti.exe
264	adobloc.exe
264	adobloc.exe
4256	ecxopti.exe
4256	ecxopti.exe
264	adobloc.exe
264	adobloc.exe
4256	ecxopti.exe
4256	ecxopti.exe
264	adobloc.exe
264	adobloc.exe
4256	ecxopti.exe
4256	ecxopti.exe
264	adobloc.exe
264	adobloc.exe
4256	ecxopti.exe
4256	ecxopti.exe
264	adobloc.exe
264	adobloc.exe
4256	ecxopti.exe
4256	ecxopti.exe
264	adobloc.exe
264	adobloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3884 wrote to memory of 4256	3884	c79fe3e117d93df69d631b731aabe6564ecae149a3c63e439771be3c6780b12e.exe	82
PID 3884 wrote to memory of 4256	3884	c79fe3e117d93df69d631b731aabe6564ecae149a3c63e439771be3c6780b12e.exe	82
PID 3884 wrote to memory of 4256	3884	c79fe3e117d93df69d631b731aabe6564ecae149a3c63e439771be3c6780b12e.exe	82
PID 3884 wrote to memory of 264	3884	c79fe3e117d93df69d631b731aabe6564ecae149a3c63e439771be3c6780b12e.exe	83
PID 3884 wrote to memory of 264	3884	c79fe3e117d93df69d631b731aabe6564ecae149a3c63e439771be3c6780b12e.exe	83
PID 3884 wrote to memory of 264	3884	c79fe3e117d93df69d631b731aabe6564ecae149a3c63e439771be3c6780b12e.exe	83

C:\Users\Admin\AppData\Local\Temp\c79fe3e117d93df69d631b731aabe6564ecae149a3c63e439771be3c6780b12e.exe
"C:\Users\Admin\AppData\Local\Temp\c79fe3e117d93df69d631b731aabe6564ecae149a3c63e439771be3c6780b12e.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3884
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4256
- C:\Intelproc6G\adobloc.exe
  C:\Intelproc6G\adobloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Intelproc6G\adobloc.exe

Filesize
5KB

MD5
c346de548654eab088b033eeb72e5ab8

SHA1
61d5e6da50d6f7b00217db8a4faeabab00794f6b

SHA256
1521865ffa35423f24e6bdb83604d41a34fc1c35747152e884821e8d8880940c

SHA512
71996885c5bf78369a6b117b33876a4ff88a61e474d45695d776216dbf0c5c67b726e0167ec40d11578f9ff9e4f05d4d09be5b84116cab7e67d7e09c4188b2df

Download Submit
C:\Intelproc6G\adobloc.exe

Filesize
2.6MB

MD5
7951a941d76f89a3c02b335ee6978bc4

SHA1
227552a9de11d58a9d0620d0819a7bc652484b82

SHA256
da52f5ed0618c620e2edacfa2a7a24df345318c313898bec9d7def133ce41cfb

SHA512
9fa788d52a36bb42b8a3199002ca487994e3c68187420a75df9180e995c9d0bfc7f1e1d2bc5476fe7df6178b0bc6133b6469d5b02fae3ffd58ad7474ad9d171e

Download Submit
C:\KaVB6Q\optidevec.exe

Filesize
349KB

MD5
7743f1196a38576c2fe1c8430cbaca3c

SHA1
7882f5f934b7fc58dfa90359c7e706f96a2eeeac

SHA256
a8f879e3b11f0456a1ba102a13fce60cb39f5aaddb24c093743dffd13cfc4dd3

SHA512
62b35c0f60a0196263df2ade82c378d8c98f1fd2569fa6c5ffefec4242d9517bf1b61a6c2ac7ca007f753b734501422fecfb5eeb8e0b635a9dcfd668ca97d435

Download Submit
C:\KaVB6Q\optidevec.exe

Filesize
2.6MB

MD5
7088db095cef48f16fcbe2788d0ea622

SHA1
aed6a4a56cd3d2a27648b64546446e28088516fd

SHA256
0b3d91a0d8419bd1ca212ead6cbe2f394a3a0c7adc21c2ca76b1772121ed19f5

SHA512
b36d700ad39a037395195cfb4e907c8b86b6353ad40ccb652137c04d853164f0ac95219387923c1d8c9670be66d1b3c7da55f338cf34a77aacad77523dcfef05

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
206B

MD5
1198a34460cfcc609014787eb23c99d5

SHA1
4f44ed0fe798d1354f399f4cb422d1b500be1a35

SHA256
67181ec187424b40a344957a7d22cd530ce4dc962c32e16b60eab6898560b545

SHA512
13e288e0f9a67dafb5d895ff05f7ed2495dde76eb0986be1c59f8cd736a17a2059f862c2c0eec027f1547d2dd1be423b157cb35fc94f245fa4eeff34e23307e6

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
174B

MD5
2b792b48f10ca94c3ebb86d481ae1742

SHA1
8745e9da884d3d6a1351000ca6da9a9d5f3b1915

SHA256
257a2897884e951008ffefc52b806e985ecf2ae3de3581a0a304bc656cd441c1

SHA512
8a4646f7c9fe2f4e415d743aa1b9e77b9699efe6ce6ba47941aebb5ea4e4b372f1f3cb9eba38f84ae80724e02123d7125435a0291b6ce94e9719775f6564427b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe

Filesize
2.6MB

MD5
f08f202c9580efc9afc092f8f1a5dec4

SHA1
fe38b8c82b687e096e3c8d5c51be6a62e811869a

SHA256
781cd768a12e9563d8fc79e57e5dec30e9e13297519bf118d67fe682289357e4

SHA512
c0fae120f8e393812ec8b841664c4bc0a0ca32bd700032f109a6aaee7ecb53338a9d6485acea7add6ebfd8bdb8c534eb78b3b8a15f588b5e662dfbb7187235fa

Download Submit