cfeb205f188621651d6b30f742982dd0d886b2e8d0c08c56bf089f92b8ad863f

Analysis

max time kernel
120s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/10/2024, 06:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cfeb205f188621651d6b30f742982dd0d886b2e8d0c08c56bf089f92b8ad863fN.exe
Size

2.6MB
MD5

09e4f87cd00d62c850ad0419cbf4ed60
SHA1

7c5feb9f42f96fad83d0c177fd9cf81b04d85ab0
SHA256

cfeb205f188621651d6b30f742982dd0d886b2e8d0c08c56bf089f92b8ad863f
SHA512

e2b4cfbe6d8ee5fd2514d1bb913e76ff2ec198a9bd9d7d4f6630ff6c488c127f73e6510a638bf852b6cce95c4cf2629ae6b14eae85b7816e33b6fdd4b665795f
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBJB/bS:sxX7QnxrloE5dpUpGb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe	cfeb205f188621651d6b30f742982dd0d886b2e8d0c08c56bf089f92b8ad863fN.exe

Executes dropped EXE 2 IoCs

pid	Process
1908	ecxopti.exe
4840	xbodsys.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeE6\\xbodsys.exe"	cfeb205f188621651d6b30f742982dd0d886b2e8d0c08c56bf089f92b8ad863fN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintOO\\dobxloc.exe"	cfeb205f188621651d6b30f742982dd0d886b2e8d0c08c56bf089f92b8ad863fN.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cfeb205f188621651d6b30f742982dd0d886b2e8d0c08c56bf089f92b8ad863fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecxopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xbodsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4028	cfeb205f188621651d6b30f742982dd0d886b2e8d0c08c56bf089f92b8ad863fN.exe
4028	cfeb205f188621651d6b30f742982dd0d886b2e8d0c08c56bf089f92b8ad863fN.exe
4028	cfeb205f188621651d6b30f742982dd0d886b2e8d0c08c56bf089f92b8ad863fN.exe
4028	cfeb205f188621651d6b30f742982dd0d886b2e8d0c08c56bf089f92b8ad863fN.exe
1908	ecxopti.exe
1908	ecxopti.exe
4840	xbodsys.exe
4840	xbodsys.exe
1908	ecxopti.exe
1908	ecxopti.exe
4840	xbodsys.exe
4840	xbodsys.exe
1908	ecxopti.exe
1908	ecxopti.exe
4840	xbodsys.exe
4840	xbodsys.exe
1908	ecxopti.exe
1908	ecxopti.exe
4840	xbodsys.exe
4840	xbodsys.exe
1908	ecxopti.exe
1908	ecxopti.exe
4840	xbodsys.exe
4840	xbodsys.exe
1908	ecxopti.exe
1908	ecxopti.exe
4840	xbodsys.exe
4840	xbodsys.exe
1908	ecxopti.exe
1908	ecxopti.exe
4840	xbodsys.exe
4840	xbodsys.exe
1908	ecxopti.exe
1908	ecxopti.exe
4840	xbodsys.exe
4840	xbodsys.exe
1908	ecxopti.exe
1908	ecxopti.exe
4840	xbodsys.exe
4840	xbodsys.exe
1908	ecxopti.exe
1908	ecxopti.exe
4840	xbodsys.exe
4840	xbodsys.exe
1908	ecxopti.exe
1908	ecxopti.exe
4840	xbodsys.exe
4840	xbodsys.exe
1908	ecxopti.exe
1908	ecxopti.exe
4840	xbodsys.exe
4840	xbodsys.exe
1908	ecxopti.exe
1908	ecxopti.exe
4840	xbodsys.exe
4840	xbodsys.exe
1908	ecxopti.exe
1908	ecxopti.exe
4840	xbodsys.exe
4840	xbodsys.exe
1908	ecxopti.exe
1908	ecxopti.exe
4840	xbodsys.exe
4840	xbodsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4028 wrote to memory of 1908	4028	cfeb205f188621651d6b30f742982dd0d886b2e8d0c08c56bf089f92b8ad863fN.exe	84
PID 4028 wrote to memory of 1908	4028	cfeb205f188621651d6b30f742982dd0d886b2e8d0c08c56bf089f92b8ad863fN.exe	84
PID 4028 wrote to memory of 1908	4028	cfeb205f188621651d6b30f742982dd0d886b2e8d0c08c56bf089f92b8ad863fN.exe	84
PID 4028 wrote to memory of 4840	4028	cfeb205f188621651d6b30f742982dd0d886b2e8d0c08c56bf089f92b8ad863fN.exe	85
PID 4028 wrote to memory of 4840	4028	cfeb205f188621651d6b30f742982dd0d886b2e8d0c08c56bf089f92b8ad863fN.exe	85
PID 4028 wrote to memory of 4840	4028	cfeb205f188621651d6b30f742982dd0d886b2e8d0c08c56bf089f92b8ad863fN.exe	85

C:\Users\Admin\AppData\Local\Temp\cfeb205f188621651d6b30f742982dd0d886b2e8d0c08c56bf089f92b8ad863fN.exe
"C:\Users\Admin\AppData\Local\Temp\cfeb205f188621651d6b30f742982dd0d886b2e8d0c08c56bf089f92b8ad863fN.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4028
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1908
- C:\AdobeE6\xbodsys.exe
  C:\AdobeE6\xbodsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeE6\xbodsys.exe

Filesize
1008KB

MD5
fc735212ff749e223eda864212726010

SHA1
e894450cae9601dee39fe34a638c1b545b68e0b4

SHA256
e99b04e958d1802f3e9d3d3853a8571b1f8651f5ab5c66abc1d3993e3eaa8878

SHA512
bde1ef5384d6d0e5f4280b5faa47267311ff40635317d532f76212ac4d08411613a9e942fbec9cbc89b7025bc464527b46ff5d4f432739b5f54372ed17ce2df1

Download Submit
C:\AdobeE6\xbodsys.exe

Filesize
2.6MB

MD5
03d1e38ba1b2d3138207f6a705569482

SHA1
5f20537173ac71ac706867af5532b94033af7326

SHA256
ca37fbcab778ccb614d213063421f1c403f436375c96707eb09d671916c233c5

SHA512
8ec597800189561fa5d17670c6c57c57860ce6e4ab737eff660b8b2a0d13481424271f246051c703506f2a232b6a8165493cbed68388d90d0d3c92f0d03e8d22

Download Submit
C:\MintOO\dobxloc.exe

Filesize
318KB

MD5
3c902fbf544dce435dbddded91af0477

SHA1
4386ece937303720c110ac7477fbb5fa7fd81bfb

SHA256
8ea1da1682dbb0825888cc76090e5f49e3fdd98f43d4b5eaabcfa859f173a26f

SHA512
c5dc9937c9e3134abb412db1af3e17bb9bc3f508efd94ac2689f417ff4076b2e5a8a2380425f8435c715e57fe1fa42baac76c674a30d94c35c20b6a2f4991515

Download Submit
C:\MintOO\dobxloc.exe

Filesize
1.0MB

MD5
7e2fe59e50decb4f1b3babc8006ef5e4

SHA1
f08119ff8e9713465dc285467d5a3df4cc2dc1ac

SHA256
0ca40ddfd86f55c277788b72700d8bc9d3032859a899688a4375c53706bfba59

SHA512
9661fff1b2627d8d4d19f48c6a48c47adef42e96de31cc020b49baaf3f17ddf05bae16442c2b016b7ce74c02dd24dcfc3b424b7aebbe775a69777edc3c284337

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
200B

MD5
1651ffaaa630ef6649503870b451f362

SHA1
639961c64a6805828046e152204414029dc5adbc

SHA256
780aa71d1941f81c2682d405346945b64b1344962554b0ee1386f10ddc5bbe3a

SHA512
5a60bf2da11109d63c9be5a2dbc10ab8a24a7f9ed077afec9585da811338013f15524f5b2e46d38cc9279332325c55452437ec1f020184a195c50e9b9c887714

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
168B

MD5
dded612630c958cefe682ec43dfe64a8

SHA1
cd8f8e0f96336efc469a27d35b98e9e3055e2ad5

SHA256
f2a891a4d1a79002285ec2e9ddfb922acfb142a59f8db62cf64a6172ceeba29a

SHA512
3dca5401f02e8ac5ef3a8a64e3578f5496074ca063c62cc07c0b72411e6c51fe720e2c518ff23071446db3f8412b290b6f8a0bd88afc8c02dc03a8eff5cde900

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe

Filesize
2.6MB

MD5
c287ea5f8da83e027973cc1b7e643dd0

SHA1
2984fd2d9d2c14219e1f9ce3f42c9c39d5744834

SHA256
f4d2a635a7fa9a705ab6c5e2679d306af81c05721e47df23c0122bfc9784cf8d

SHA512
2404873e19181cb3cf26118ede3d564d95d9e86ed936e478a3f385a34be62235116e2eeab510f15019ce722db04bb551ad969b0978ad80e7eb69945a2f7476dd

Download Submit