be5d8e16d33512f55cc91a911bfbf6ac9c7cc1d3dcba2d745a1649b0cea70534

Analysis

max time kernel
119s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30/09/2024, 13:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

be5d8e16d33512f55cc91a911bfbf6ac9c7cc1d3dcba2d745a1649b0cea70534N.exe
Size

970KB
MD5

d465108e169d89bfad4ed5787570dba0
SHA1

16b10d336b4386771a94d828f9af5757948ae750
SHA256

be5d8e16d33512f55cc91a911bfbf6ac9c7cc1d3dcba2d745a1649b0cea70534
SHA512

02288f89dac9f575eeb4ae1ed2ee5ab4fea7b7cac59e1417a73f41a3ae020733be6927eadd1de4f9da73fa42e7f5259a3300b2d3583e72e25dfa5d4260b5f634
SSDEEP

24576:RV5fin1sAT4v8U0bue7mRl7muSHDpjKJRl1BKF81Ws:DZ6ue7gNHSjpjK3LBj

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	be5d8e16d33512f55cc91a911bfbf6ac9c7cc1d3dcba2d745a1649b0cea70534N.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe	be5d8e16d33512f55cc91a911bfbf6ac9c7cc1d3dcba2d745a1649b0cea70534N.exe

Executes dropped EXE 2 IoCs

pid	Process
4916	ecxdob.exe
1136	adobec.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesY7\\adobec.exe"	be5d8e16d33512f55cc91a911bfbf6ac9c7cc1d3dcba2d745a1649b0cea70534N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax8U\\optixloc.exe"	be5d8e16d33512f55cc91a911bfbf6ac9c7cc1d3dcba2d745a1649b0cea70534N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	be5d8e16d33512f55cc91a911bfbf6ac9c7cc1d3dcba2d745a1649b0cea70534N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecxdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adobec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2396	be5d8e16d33512f55cc91a911bfbf6ac9c7cc1d3dcba2d745a1649b0cea70534N.exe
2396	be5d8e16d33512f55cc91a911bfbf6ac9c7cc1d3dcba2d745a1649b0cea70534N.exe
2396	be5d8e16d33512f55cc91a911bfbf6ac9c7cc1d3dcba2d745a1649b0cea70534N.exe
2396	be5d8e16d33512f55cc91a911bfbf6ac9c7cc1d3dcba2d745a1649b0cea70534N.exe
4916	ecxdob.exe
4916	ecxdob.exe
1136	adobec.exe
1136	adobec.exe
4916	ecxdob.exe
4916	ecxdob.exe
1136	adobec.exe
1136	adobec.exe
4916	ecxdob.exe
4916	ecxdob.exe
1136	adobec.exe
1136	adobec.exe
4916	ecxdob.exe
4916	ecxdob.exe
1136	adobec.exe
1136	adobec.exe
4916	ecxdob.exe
4916	ecxdob.exe
1136	adobec.exe
1136	adobec.exe
4916	ecxdob.exe
4916	ecxdob.exe
1136	adobec.exe
1136	adobec.exe
4916	ecxdob.exe
4916	ecxdob.exe
1136	adobec.exe
1136	adobec.exe
4916	ecxdob.exe
4916	ecxdob.exe
1136	adobec.exe
1136	adobec.exe
4916	ecxdob.exe
4916	ecxdob.exe
1136	adobec.exe
1136	adobec.exe
4916	ecxdob.exe
4916	ecxdob.exe
1136	adobec.exe
1136	adobec.exe
4916	ecxdob.exe
4916	ecxdob.exe
1136	adobec.exe
1136	adobec.exe
4916	ecxdob.exe
4916	ecxdob.exe
1136	adobec.exe
1136	adobec.exe
4916	ecxdob.exe
4916	ecxdob.exe
1136	adobec.exe
1136	adobec.exe
4916	ecxdob.exe
4916	ecxdob.exe
1136	adobec.exe
1136	adobec.exe
4916	ecxdob.exe
4916	ecxdob.exe
1136	adobec.exe
1136	adobec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 4916	2396	be5d8e16d33512f55cc91a911bfbf6ac9c7cc1d3dcba2d745a1649b0cea70534N.exe	83
PID 2396 wrote to memory of 4916	2396	be5d8e16d33512f55cc91a911bfbf6ac9c7cc1d3dcba2d745a1649b0cea70534N.exe	83
PID 2396 wrote to memory of 4916	2396	be5d8e16d33512f55cc91a911bfbf6ac9c7cc1d3dcba2d745a1649b0cea70534N.exe	83
PID 2396 wrote to memory of 1136	2396	be5d8e16d33512f55cc91a911bfbf6ac9c7cc1d3dcba2d745a1649b0cea70534N.exe	85
PID 2396 wrote to memory of 1136	2396	be5d8e16d33512f55cc91a911bfbf6ac9c7cc1d3dcba2d745a1649b0cea70534N.exe	85
PID 2396 wrote to memory of 1136	2396	be5d8e16d33512f55cc91a911bfbf6ac9c7cc1d3dcba2d745a1649b0cea70534N.exe	85

C:\Users\Admin\AppData\Local\Temp\be5d8e16d33512f55cc91a911bfbf6ac9c7cc1d3dcba2d745a1649b0cea70534N.exe
"C:\Users\Admin\AppData\Local\Temp\be5d8e16d33512f55cc91a911bfbf6ac9c7cc1d3dcba2d745a1649b0cea70534N.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4916
- C:\FilesY7\adobec.exe
  "C:\FilesY7\adobec.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesY7\adobec.exe

Filesize
970KB

MD5
f8c824c0643abc8b3b9731bce9e0f422

SHA1
649c09c9c7598d6ceee53eb69772c1badde6b965

SHA256
dfef6b9a3e0a156735a8a941a6a0682e928aa164ecfcecd4fe7ef3de8b48c052

SHA512
45cda6417943705c2c291e0922092dd55746167b38276d0fcf4dedbbd0d4495956cc89edbf65f84937f265fe616878cba21b0a89788bfbc20c890ace7f07d5c6

Download Submit
C:\Galax8U\optixloc.exe

Filesize
896KB

MD5
d7c0a98afca3d8a4a959f68ceb8c8427

SHA1
72c2e531a7971f00a12dc243f40df2db4f491777

SHA256
db1d846c26875bf9e0fb7a8a760ceb0f86efe8dd8f89eae68171df50734c28bb

SHA512
528a58c2aa51f5a08abb8bf71bac6705c37043bc3bdad5bde6a12d4c8891a885e52a946af9379c31911340737895eacb8f22db122d5316adf341f1cf64487fbb

Download Submit
C:\Galax8U\optixloc.exe

Filesize
751KB

MD5
3f06688e953c4f74295b908e32ad5b55

SHA1
f2cff431b07b42754044ef46d47e763daba9bfaa

SHA256
80395a145d8096c8550270d752a1b92ce76f6c2feb35629e9797d35576d8ecb0

SHA512
1252fcf7b3e4607cd02d415a9539bdbca26bf3de495657696bfde379dcd045d99d5a126d1587d38d73d2be6132afb51d034ef4a9428f547ab51849d4e9c97253

Download Submit
C:\Users\Admin\253086396416_6.2_Admin.ini

Filesize
165B

MD5
2ecb174a2ea0df92cdd218ff286df35c

SHA1
e7df36f913eded6cf177f4cf4ca88e02f0821c78

SHA256
15f7da15b9bf67ce76a704f0325c1bbef86e7fd96d26f937e2cfae7d27474deb

SHA512
fb91052fbb1f0d27e76a394fb5c44746cf935ac8a4bfadf92be862ad27d0544eb83ea7afca19f563ca59b61ea7aee1a82afb7728cbad15a8a90b56f70125b2e6

Download Submit
C:\Users\Admin\253086396416_6.2_Admin.ini

Filesize
197B

MD5
c3aa7eb85cf6cb129481676f0c856c41

SHA1
6827103259b28de2647e77ac39cad5d49cdc81dd

SHA256
ba608d3456b83d41c4fcc11bb8f38d7aba0c63d3ed1628f29daf55aebb4c5382

SHA512
28a6433a2333e9beb669bc30ef9efa6a83116378c7d00aed84f2530e3de025ec903ea06484e89e21eae3ffed4fa9c0bfb45a1142efe2f52d06dc0dc70b545f9a

Download Submit
C:\Users\Admin\253086396416_6.2_Admin.ini

Filesize
227B

MD5
d4b41f4ec2f609d62c8d966e0eebdc32

SHA1
12e71fcd86463aa702664a09408e41a34ed4dee8

SHA256
6923fa8fa0b93c8a7e33247ae9c0bd5d42eaec7c157810d29717803f93150bea

SHA512
7670f6266079b84e61da9d553c99387ca703363e2b8cc7618440ba76b688d44cd15c06f028da838fa1a1396309f66a2f7f0bd6233474086d4873dbfa9d7dfe4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe

Filesize
970KB

MD5
d386c4e95dbd7d3fd85474b61e052979

SHA1
eceffc9cb0028d9d97059dbf2004658205093776

SHA256
47be90ad7dc5bfc0366778dfc14a47d4ab93a24ef97ae23c18f4821f2c10b655

SHA512
555f8964ab15430c7d47be63fcd96fda3e26e3ba0b56d86ca316b62644c80e72e753b86c652851e581bd6a069688eeb55cc155182e9e66ba2df10c037da1a950

Download Submit
C:\Users\Admin\email.dan

Filesize
40KB

MD5
19b833901949de9b97902e4e0bb48729

SHA1
0f8949090860ccf8df0de6627e8e3e4e67c15ade

SHA256
bfba4d2f4dff163624142dc04447787fd79a0288d31583a1fb41535943f612ae

SHA512
74dc8062cfccb28d4c5dd29ddc9e3cf23bed85775aa5efee1047a619d56540d41ded664dfeb872126e14b7ce6ebbe2b27361ac8c0d6f9a2e2ffd6e9f3e7cf658

Download Submit
C:\Users\Admin\email.dan

Filesize
29KB

MD5
1f63fcc06aa7f3f895b2c2b94dd721bb

SHA1
33adbba0b4f4c870db619315dc97270096d2e05b

SHA256
1ec2a381026e54ec83985e9079ba9f9cdcc78f2e678907e5d5a2ce5aabf8927a

SHA512
64ac7041237a0b5d18e20fb3a8a5b54c18ed8cf0db4a95a8db51594986f98ec982b4dd1e0a120f214b38f3ad0c13d099b42e80a2219f65ad413794775ea7599e

Download Submit