0ea67812c8d7c2fced136a23b4cacc8b41c7949575b679829e1a998dc2b7a531

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14/10/2024, 16:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ea67812c8d7c2fced136a23b4cacc8b41c7949575b679829e1a998dc2b7a531N.exe
Size

2.6MB
MD5

9267f952a13dabe9573df2e86e259ae0
SHA1

4c840b73b84a96f569969d55892e05d97b868884
SHA256

0ea67812c8d7c2fced136a23b4cacc8b41c7949575b679829e1a998dc2b7a531
SHA512

8bb9393e1885c86ac39556188c7be4bac26d9395124556d83cb37b1d0a9b1d216c2dd9c593ac5f4de7ea18d52615b894319fe1a0ba611337152c06929b10da2c
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBZB/bS:sxX7QnxrloE5dpUpWb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe	0ea67812c8d7c2fced136a23b4cacc8b41c7949575b679829e1a998dc2b7a531N.exe

Executes dropped EXE 2 IoCs

pid	Process
2072	ecadob.exe
2188	xbodsys.exe

Loads dropped DLL 2 IoCs

pid	Process
2236	0ea67812c8d7c2fced136a23b4cacc8b41c7949575b679829e1a998dc2b7a531N.exe
2236	0ea67812c8d7c2fced136a23b4cacc8b41c7949575b679829e1a998dc2b7a531N.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZXO\\optixloc.exe"	0ea67812c8d7c2fced136a23b4cacc8b41c7949575b679829e1a998dc2b7a531N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesOI\\xbodsys.exe"	0ea67812c8d7c2fced136a23b4cacc8b41c7949575b679829e1a998dc2b7a531N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecadob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xbodsys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0ea67812c8d7c2fced136a23b4cacc8b41c7949575b679829e1a998dc2b7a531N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2236	0ea67812c8d7c2fced136a23b4cacc8b41c7949575b679829e1a998dc2b7a531N.exe
2236	0ea67812c8d7c2fced136a23b4cacc8b41c7949575b679829e1a998dc2b7a531N.exe
2072	ecadob.exe
2188	xbodsys.exe
2072	ecadob.exe
2188	xbodsys.exe
2072	ecadob.exe
2188	xbodsys.exe
2072	ecadob.exe
2188	xbodsys.exe
2072	ecadob.exe
2188	xbodsys.exe
2072	ecadob.exe
2188	xbodsys.exe
2072	ecadob.exe
2188	xbodsys.exe
2072	ecadob.exe
2188	xbodsys.exe
2072	ecadob.exe
2188	xbodsys.exe
2072	ecadob.exe
2188	xbodsys.exe
2072	ecadob.exe
2188	xbodsys.exe
2072	ecadob.exe
2188	xbodsys.exe
2072	ecadob.exe
2188	xbodsys.exe
2072	ecadob.exe
2188	xbodsys.exe
2072	ecadob.exe
2188	xbodsys.exe
2072	ecadob.exe
2188	xbodsys.exe
2072	ecadob.exe
2188	xbodsys.exe
2072	ecadob.exe
2188	xbodsys.exe
2072	ecadob.exe
2188	xbodsys.exe
2072	ecadob.exe
2188	xbodsys.exe
2072	ecadob.exe
2188	xbodsys.exe
2072	ecadob.exe
2188	xbodsys.exe
2072	ecadob.exe
2188	xbodsys.exe
2072	ecadob.exe
2188	xbodsys.exe
2072	ecadob.exe
2188	xbodsys.exe
2072	ecadob.exe
2188	xbodsys.exe
2072	ecadob.exe
2188	xbodsys.exe
2072	ecadob.exe
2188	xbodsys.exe
2072	ecadob.exe
2188	xbodsys.exe
2072	ecadob.exe
2188	xbodsys.exe
2072	ecadob.exe
2188	xbodsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2072	2236	0ea67812c8d7c2fced136a23b4cacc8b41c7949575b679829e1a998dc2b7a531N.exe	30
PID 2236 wrote to memory of 2072	2236	0ea67812c8d7c2fced136a23b4cacc8b41c7949575b679829e1a998dc2b7a531N.exe	30
PID 2236 wrote to memory of 2072	2236	0ea67812c8d7c2fced136a23b4cacc8b41c7949575b679829e1a998dc2b7a531N.exe	30
PID 2236 wrote to memory of 2072	2236	0ea67812c8d7c2fced136a23b4cacc8b41c7949575b679829e1a998dc2b7a531N.exe	30
PID 2236 wrote to memory of 2188	2236	0ea67812c8d7c2fced136a23b4cacc8b41c7949575b679829e1a998dc2b7a531N.exe	31
PID 2236 wrote to memory of 2188	2236	0ea67812c8d7c2fced136a23b4cacc8b41c7949575b679829e1a998dc2b7a531N.exe	31
PID 2236 wrote to memory of 2188	2236	0ea67812c8d7c2fced136a23b4cacc8b41c7949575b679829e1a998dc2b7a531N.exe	31
PID 2236 wrote to memory of 2188	2236	0ea67812c8d7c2fced136a23b4cacc8b41c7949575b679829e1a998dc2b7a531N.exe	31

C:\Users\Admin\AppData\Local\Temp\0ea67812c8d7c2fced136a23b4cacc8b41c7949575b679829e1a998dc2b7a531N.exe
"C:\Users\Admin\AppData\Local\Temp\0ea67812c8d7c2fced136a23b4cacc8b41c7949575b679829e1a998dc2b7a531N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2072
- C:\FilesOI\xbodsys.exe
  C:\FilesOI\xbodsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesOI\xbodsys.exe

Filesize
2.6MB

MD5
15d3e2b8479a4b2204c93eaca7693b1c

SHA1
fe4bdfecd553ef5859511c53025c23565f06e2b2

SHA256
23bbbf55043b88e62e67b33529a98d02d2c37720afd0016620a6a019f530c617

SHA512
2652ea62d8e05f497fd7e7118d7e14e70347077ffcfb06b1f635780a8ed6528f061c9d076425f195f4954f659f869ad19effee2a3434ca9ddf8191ac03c798bd

Download Submit
C:\LabZXO\optixloc.exe

Filesize
2.6MB

MD5
addda24bb94def4c150db402d782fc1f

SHA1
e2c9c84bd4e135fa41d40da71df3ff71b3d0dc29

SHA256
0c846cc6afe4a31190838308f0ccf5d1cca28b296e666352b7b3845ea5eaa2e7

SHA512
1bef4c5dfe6781d2c4e4bbe676029f59cb9f92945682c2c7ebe7fe9711d8777e0637578b45145b7714d7b4017fc48dd1c7bb4cc15b40a0f51dde071c4391e4f5

Download Submit
C:\LabZXO\optixloc.exe

Filesize
924KB

MD5
fcf1247a72bca6815285bdeec251fbd5

SHA1
79c2cde9260dc84599e00e5749c1f8a2bc989328

SHA256
690793e52ef0ad91c6f823934c769e65a968040c3636c8bf3607f8c7050f611b

SHA512
61b6b353e76c76d61f78dd2c2f6f2334f1ae700842a27b406ae962c6cbb3f45cdff9e8fb56a46e08774bf13cdf0234d32bd5321c939fc0cacfe1931202c5982f

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
168B

MD5
7de7daa834d985338fd5363e3909a780

SHA1
2ae121abd7b09b761b269821ef8a2c8670ff2d36

SHA256
0493f2b7906b2e219a826b6d7a3f9bc023f92a8d00048f5b25240eb58534e246

SHA512
f82d3a24e0f964dcca1b050e85aeca5da1ef5d381bbce00b1cdf3b84e3c1526762bc4f293abbc983e9b1c5a70b04b68eabcd54a1db3273d5e910d92ba6358f4c

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
200B

MD5
4264b2019848f93783ef5182b9e658fe

SHA1
26cdd31c24a2d0274870434ff39a8de2ed2f531a

SHA256
4938401bcee272ba3d1bb312e3cf4880951fb68d3170b22a8cfe6fdcdcdf2288

SHA512
1d4260524883a355b2d56b57444114c2fe9a1f93e099188b83071a45b3763e4b8692ef9e77d4c10f4936064fb76e8c57b54aa5bbce410f1f4b5c3b133adfea96

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe

Filesize
2.6MB

MD5
16101c2e43ebb7cd150fd4daf4b6b1ed

SHA1
7f24a846ef619428d1b175bc3eb3f030d874a108

SHA256
c51134ec7166f44cdbbe8b82500dc6282c20d18353f1f9c55c23773c2d76b6fb

SHA512
7774e6679fe59f0874c8342c1fbdfa68e24f75cbf1152ed5d981a4b400a77df6482fcde2aca582c7063b78d7e981fcfb49bfbde188e5f33d4bac8b278602d19e

Download Submit