1df4b562406c3dc156ba80a3ffa8c03eca539d4e737a63dcbc1eeb79a1e18472

Analysis

max time kernel
150s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/09/2024, 19:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1df4b562406c3dc156ba80a3ffa8c03eca539d4e737a63dcbc1eeb79a1e18472.exe
Size

2.6MB
MD5

e85314befe69377f737ca5192f3b16d3
SHA1

f7dc6a51bb6c995449a5f31710cb76cd4ad72ba5
SHA256

1df4b562406c3dc156ba80a3ffa8c03eca539d4e737a63dcbc1eeb79a1e18472
SHA512

18b523766a99cb932ad2cf5b54ef19bcde64e864e83e04bae2d55ae4fdc65046049c1592d532c1f9824e6299081d86e982e0c293a12671e36ae4de6026c146e9
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBJB/bS:sxX7QnxrloE5dpUpmb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe	1df4b562406c3dc156ba80a3ffa8c03eca539d4e737a63dcbc1eeb79a1e18472.exe

Executes dropped EXE 2 IoCs

pid	Process
1116	ecxopti.exe
4412	devdobsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxIP\\optialoc.exe"	1df4b562406c3dc156ba80a3ffa8c03eca539d4e737a63dcbc1eeb79a1e18472.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesDE\\devdobsys.exe"	1df4b562406c3dc156ba80a3ffa8c03eca539d4e737a63dcbc1eeb79a1e18472.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1df4b562406c3dc156ba80a3ffa8c03eca539d4e737a63dcbc1eeb79a1e18472.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecxopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devdobsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3660	1df4b562406c3dc156ba80a3ffa8c03eca539d4e737a63dcbc1eeb79a1e18472.exe
3660	1df4b562406c3dc156ba80a3ffa8c03eca539d4e737a63dcbc1eeb79a1e18472.exe
3660	1df4b562406c3dc156ba80a3ffa8c03eca539d4e737a63dcbc1eeb79a1e18472.exe
3660	1df4b562406c3dc156ba80a3ffa8c03eca539d4e737a63dcbc1eeb79a1e18472.exe
1116	ecxopti.exe
1116	ecxopti.exe
4412	devdobsys.exe
4412	devdobsys.exe
1116	ecxopti.exe
1116	ecxopti.exe
4412	devdobsys.exe
4412	devdobsys.exe
1116	ecxopti.exe
1116	ecxopti.exe
4412	devdobsys.exe
4412	devdobsys.exe
1116	ecxopti.exe
1116	ecxopti.exe
4412	devdobsys.exe
4412	devdobsys.exe
1116	ecxopti.exe
1116	ecxopti.exe
4412	devdobsys.exe
4412	devdobsys.exe
1116	ecxopti.exe
1116	ecxopti.exe
4412	devdobsys.exe
4412	devdobsys.exe
1116	ecxopti.exe
1116	ecxopti.exe
4412	devdobsys.exe
4412	devdobsys.exe
1116	ecxopti.exe
1116	ecxopti.exe
4412	devdobsys.exe
4412	devdobsys.exe
1116	ecxopti.exe
1116	ecxopti.exe
4412	devdobsys.exe
4412	devdobsys.exe
1116	ecxopti.exe
1116	ecxopti.exe
4412	devdobsys.exe
4412	devdobsys.exe
1116	ecxopti.exe
1116	ecxopti.exe
4412	devdobsys.exe
4412	devdobsys.exe
1116	ecxopti.exe
1116	ecxopti.exe
4412	devdobsys.exe
4412	devdobsys.exe
1116	ecxopti.exe
1116	ecxopti.exe
4412	devdobsys.exe
4412	devdobsys.exe
1116	ecxopti.exe
1116	ecxopti.exe
4412	devdobsys.exe
4412	devdobsys.exe
1116	ecxopti.exe
1116	ecxopti.exe
4412	devdobsys.exe
4412	devdobsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3660 wrote to memory of 1116	3660	1df4b562406c3dc156ba80a3ffa8c03eca539d4e737a63dcbc1eeb79a1e18472.exe	82
PID 3660 wrote to memory of 1116	3660	1df4b562406c3dc156ba80a3ffa8c03eca539d4e737a63dcbc1eeb79a1e18472.exe	82
PID 3660 wrote to memory of 1116	3660	1df4b562406c3dc156ba80a3ffa8c03eca539d4e737a63dcbc1eeb79a1e18472.exe	82
PID 3660 wrote to memory of 4412	3660	1df4b562406c3dc156ba80a3ffa8c03eca539d4e737a63dcbc1eeb79a1e18472.exe	83
PID 3660 wrote to memory of 4412	3660	1df4b562406c3dc156ba80a3ffa8c03eca539d4e737a63dcbc1eeb79a1e18472.exe	83
PID 3660 wrote to memory of 4412	3660	1df4b562406c3dc156ba80a3ffa8c03eca539d4e737a63dcbc1eeb79a1e18472.exe	83

C:\Users\Admin\AppData\Local\Temp\1df4b562406c3dc156ba80a3ffa8c03eca539d4e737a63dcbc1eeb79a1e18472.exe
"C:\Users\Admin\AppData\Local\Temp\1df4b562406c3dc156ba80a3ffa8c03eca539d4e737a63dcbc1eeb79a1e18472.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3660
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1116
- C:\FilesDE\devdobsys.exe
  C:\FilesDE\devdobsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesDE\devdobsys.exe

Filesize
414KB

MD5
db09779ceb9bb7a75bc04bce0a4d650e

SHA1
798a1b4edb6438aeafe7f9c6e0c8c1fc9aca10b7

SHA256
1d53c5bc4576e5b4cc8fa981c5c5de1dfdc6b871a558ff1973e742c31f71de0d

SHA512
8e6afdb91498216f60b833e902e04a5ba581daa9a898c6c474c84ade4e13f47448d7b2a1408e228cab509005784dc03ac8177e92733e0b76f2eb1b50d41c7744

Download Submit
C:\FilesDE\devdobsys.exe

Filesize
2.6MB

MD5
adc7d5bb4b57c9c8a59d485c80ab842b

SHA1
43e28cfd04c447a5be4cf4113e93588b4fe81628

SHA256
36bd8c3600ffe8e3c3669a8951bf542da84bf93726d4196eb03733b7aa5224b0

SHA512
3a94e9cb98cf9ca637a5a0f659653fe1c9ebef33239130c67545bad0024195b54e7df16f4b0491a38f9b313df7709740901182a55e17cd3036502472c499bc9b

Download Submit
C:\GalaxIP\optialoc.exe

Filesize
15KB

MD5
baebd565738a73b1785d23f85b9b1880

SHA1
3e776227196d9cbee3a9edf120876f20e6af105e

SHA256
d451bfb56a9629b7c961f22f94e615ae1d66d53c909dab9ab26f8c2232159dd7

SHA512
3bc0de8b170643c38e93f2b6c116204a135a96435b5202c60c580af12b14787eda2041a92b0dfede92dceb5ad1f7dd232671d472556ccdd7bae26dd1918902a0

Download Submit
C:\GalaxIP\optialoc.exe

Filesize
422KB

MD5
21beee87218fbb858f6b4dfac3b5fcac

SHA1
72d7f5b315ff8e4767b6aea4e9474d6a6ba1936c

SHA256
7cde72649bcbddf15b5b05c858b90d36986edb7b79fe892f7cae3687c97856c1

SHA512
02e61f86006479e19c4f2475acf351d13fe3859c5e1c1f5c88d1f6f900ff4f18f7ef6809a40ffbdd5f02c6844e3383d48127030949c1fe426df726d4c61a3e43

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
c10db56612b7947301a314694e8bc9d4

SHA1
483ae0e18eb2f5fc3e76059df1913c8283e45d17

SHA256
a2a95ca182d3ee4464f7517f2e2b7714f2453814cb02b228509d169e0e00c8ec

SHA512
66cf877518a726dbf01b42edf801c06059faa627b05ef60b9d7eb4d5656a8a19dea3c89f4133f8ec625711594fe58633cc2be75fd4d3e09fd93768b82c973ed0

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
172B

MD5
34bccc88ca15d7af22725ec12968732c

SHA1
8aa2ac4a87ba077419dee019ce4b021cb84d39f9

SHA256
9358e0c1a8145e8eb881ac77e34d5985272911cff237d46f9ca895a1421504b0

SHA512
6ea2d094fba43f50fe9f09ae17a42d92cbcecd0be436443916141ec3e492e2e2c8032d11e96daeb28409ae2da666ceff4651da80920702f12a3bf9ad6b338f15

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe

Filesize
2.6MB

MD5
9ed9cbc9274689e3477faf6efa1ec750

SHA1
2c9a7848b74db51e4c44069a2d512dca5ee735f2

SHA256
86cad0ab8e1e9e1c4a2b2f4f1bc962649985c0e299589634059904babbddac94

SHA512
2ed3e93345013b86a204ff370ac035bef039851cebd33d9ab8317ae8ab4e39fae6627f168ad3c47c6e59bc815e3b7dc8648675ac2bd3888c068621984da22816

Download Submit