0b2033beda0534de6b27e81fbe7e98570cffa92646488d516eabe859d12df5cb

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
20/09/2024, 21:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0b2033beda0534de6b27e81fbe7e98570cffa92646488d516eabe859d12df5cbN.exe
Size

2.6MB
MD5

159fcd5ec203462fb669e5c6f74ba360
SHA1

20862b6201311493664e2f54c00e4fba33110f8e
SHA256

0b2033beda0534de6b27e81fbe7e98570cffa92646488d516eabe859d12df5cb
SHA512

af394757fd9559e691804f361283a0f535c44ed4a885fb627d4a1edce5757fc2c28b0f054bc8a809f672c318165000e08f441936ae9b12e27de0bd421e8867eb
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBdB/bS:sxX7QnxrloE5dpUpGb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe	0b2033beda0534de6b27e81fbe7e98570cffa92646488d516eabe859d12df5cbN.exe

Executes dropped EXE 2 IoCs

pid	Process
2688	ecxopti.exe
2696	devbodsys.exe

Loads dropped DLL 2 IoCs

pid	Process
2488	0b2033beda0534de6b27e81fbe7e98570cffa92646488d516eabe859d12df5cbN.exe
2488	0b2033beda0534de6b27e81fbe7e98570cffa92646488d516eabe859d12df5cbN.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocVV\\devbodsys.exe"	0b2033beda0534de6b27e81fbe7e98570cffa92646488d516eabe859d12df5cbN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid5O\\dobaec.exe"	0b2033beda0534de6b27e81fbe7e98570cffa92646488d516eabe859d12df5cbN.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0b2033beda0534de6b27e81fbe7e98570cffa92646488d516eabe859d12df5cbN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecxopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devbodsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2488	0b2033beda0534de6b27e81fbe7e98570cffa92646488d516eabe859d12df5cbN.exe
2488	0b2033beda0534de6b27e81fbe7e98570cffa92646488d516eabe859d12df5cbN.exe
2688	ecxopti.exe
2696	devbodsys.exe
2688	ecxopti.exe
2696	devbodsys.exe
2688	ecxopti.exe
2696	devbodsys.exe
2688	ecxopti.exe
2696	devbodsys.exe
2688	ecxopti.exe
2696	devbodsys.exe
2688	ecxopti.exe
2696	devbodsys.exe
2688	ecxopti.exe
2696	devbodsys.exe
2688	ecxopti.exe
2696	devbodsys.exe
2688	ecxopti.exe
2696	devbodsys.exe
2688	ecxopti.exe
2696	devbodsys.exe
2688	ecxopti.exe
2696	devbodsys.exe
2688	ecxopti.exe
2696	devbodsys.exe
2688	ecxopti.exe
2696	devbodsys.exe
2688	ecxopti.exe
2696	devbodsys.exe
2688	ecxopti.exe
2696	devbodsys.exe
2688	ecxopti.exe
2696	devbodsys.exe
2688	ecxopti.exe
2696	devbodsys.exe
2688	ecxopti.exe
2696	devbodsys.exe
2688	ecxopti.exe
2696	devbodsys.exe
2688	ecxopti.exe
2696	devbodsys.exe
2688	ecxopti.exe
2696	devbodsys.exe
2688	ecxopti.exe
2696	devbodsys.exe
2688	ecxopti.exe
2696	devbodsys.exe
2688	ecxopti.exe
2696	devbodsys.exe
2688	ecxopti.exe
2696	devbodsys.exe
2688	ecxopti.exe
2696	devbodsys.exe
2688	ecxopti.exe
2696	devbodsys.exe
2688	ecxopti.exe
2696	devbodsys.exe
2688	ecxopti.exe
2696	devbodsys.exe
2688	ecxopti.exe
2696	devbodsys.exe
2688	ecxopti.exe
2696	devbodsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 2688	2488	0b2033beda0534de6b27e81fbe7e98570cffa92646488d516eabe859d12df5cbN.exe	30
PID 2488 wrote to memory of 2688	2488	0b2033beda0534de6b27e81fbe7e98570cffa92646488d516eabe859d12df5cbN.exe	30
PID 2488 wrote to memory of 2688	2488	0b2033beda0534de6b27e81fbe7e98570cffa92646488d516eabe859d12df5cbN.exe	30
PID 2488 wrote to memory of 2688	2488	0b2033beda0534de6b27e81fbe7e98570cffa92646488d516eabe859d12df5cbN.exe	30
PID 2488 wrote to memory of 2696	2488	0b2033beda0534de6b27e81fbe7e98570cffa92646488d516eabe859d12df5cbN.exe	31
PID 2488 wrote to memory of 2696	2488	0b2033beda0534de6b27e81fbe7e98570cffa92646488d516eabe859d12df5cbN.exe	31
PID 2488 wrote to memory of 2696	2488	0b2033beda0534de6b27e81fbe7e98570cffa92646488d516eabe859d12df5cbN.exe	31
PID 2488 wrote to memory of 2696	2488	0b2033beda0534de6b27e81fbe7e98570cffa92646488d516eabe859d12df5cbN.exe	31

C:\Users\Admin\AppData\Local\Temp\0b2033beda0534de6b27e81fbe7e98570cffa92646488d516eabe859d12df5cbN.exe
"C:\Users\Admin\AppData\Local\Temp\0b2033beda0534de6b27e81fbe7e98570cffa92646488d516eabe859d12df5cbN.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2688
- C:\IntelprocVV\devbodsys.exe
  C:\IntelprocVV\devbodsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocVV\devbodsys.exe

Filesize
6KB

MD5
eca5ea25f6a32a95c09d2d11f140c43b

SHA1
fc7c4ffc46b345747cc079073a62c80c129f2442

SHA256
7d956fbd2f73b9d56dbb1fa91bb438857ce1495cd868cdc6d6daea38edfcff17

SHA512
27d28a94c6c9d88714e07d1c5d856b348aaffe7164a680aa4aa760c4a738cf9fed9f373ea895b3dfa3e80ea1b8702679ff32bafeb7e84ada4fe30ff30b1add61

Download Submit
C:\IntelprocVV\devbodsys.exe

Filesize
2.6MB

MD5
6a5777dd0c787c5e7e11830776693236

SHA1
e8724e0a127d3846d8c250fe1a45051e73105eaa

SHA256
da6fb4717e9049c03d7a611ddb3126535651434a898ee05d05728cb0062b752d

SHA512
273c764e2915f7fc8b9ec6cdc3da3151ddbf298fde7ba9301cce9c4a1d005d3895da7b147ce84d79a6c44564e0a1b14c9786d6be1bd759a18632014199a44db1

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
172B

MD5
660e68eadc8f79865030763484352986

SHA1
9257ab9fa536725e0a6f577e97d61beb93108942

SHA256
a2f84d4e8b3bceba250bbb31028c1cb0cc4fbd77afb0b70c4fabd2c9bc7b7a2d

SHA512
dd6e8505cdcdffd2787501dc4b73018771d71d116bdb54e699043b4c2e7176961025085be8891dae26fc48875c72cefd2e8106ca5aae700cbfcf9569b0f5a0e3

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
92aa3ac237f4a57ecf92c61253929cb8

SHA1
e1214f9fd3de302e5c7bbed5faf81defdcd9118c

SHA256
1d9b77c33ee6fcc271769051a4a419ac8bd7d61ed06f071698f9f3d7df7a64bd

SHA512
a6c7b986507ae1661b302c4aa2aa8e892263af1eb06064800d530af8bc089ea04ea445d5c17fbd1cef49be5f7d142a7ace003bd6da4afb4995b7d24e7a388434

Download Submit
C:\Vid5O\dobaec.exe

Filesize
2.6MB

MD5
f15c602441214af52b459192f07ebea9

SHA1
645c9a279f6a565c12ce2b48c53a684329668f8e

SHA256
9694ec81ebc319859a31845309fa943fbe1800f96a2c5606a736c7c06def028c

SHA512
e2d01c288e0267a1cd87fb293c98324d2eced8af078b9e1ff84a0518d461c123c1948ac88bd9fbda5b5bdded74829ae765a260d820ab608fa3ca6704b5885c38

Download Submit
C:\Vid5O\dobaec.exe

Filesize
14KB

MD5
5ffab038d17d47771c031d3b701e0cc5

SHA1
74d331d26e5210e7e523c750b0080e1641bb61f5

SHA256
1b2bb8b0c13c9e1418b1e48501e2a62606e0e890934e027d746c196943068982

SHA512
fad3e0cee5656b4fb350050395b6d8039f870087a145394dfc2eab77587a10e53b2e421be937a90a9a80244cbd3096e07f785a35d7df3b5efb0e258ca75678ec

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe

Filesize
2.6MB

MD5
661de952114a00369da8ae50f3ccfb48

SHA1
db656ffdedf3319e0614ce0a10b5b4948175573e

SHA256
992a40b86e491a634b58f75b142dc8a4123fd28aa587f68e37e54a1871988e54

SHA512
3666e1c0fc1e9471d133aa42fcd5c8ecde819f47d8bbe81988a6b7ade48b815dc33457971fda21c50b97ffa426f21bcdc3912c90bae078e7871ad6d326ff131e

Download Submit