ffbabbc63f917b31a63ef8caf0a7d0e0bf3fe49b75f7945f1fc77053be7eca46

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15-10-2024 07:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ffbabbc63f917b31a63ef8caf0a7d0e0bf3fe49b75f7945f1fc77053be7eca46.exe
Size

2.6MB
MD5

f23c1316612a0bc48ed27320c2df6abb
SHA1

cf8fa069238b0d08edfab4d71266d1598f166010
SHA256

ffbabbc63f917b31a63ef8caf0a7d0e0bf3fe49b75f7945f1fc77053be7eca46
SHA512

be59935fc18b2918f8a14df111c508da81c7f56ecb017c238c7e5e8197d918adc5fb13423e27befd4c39ea713c092cbe4589f049e3f6740af7d652d920eaea2e
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB7B/bS:sxX7QnxrloE5dpUp0b

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe	ffbabbc63f917b31a63ef8caf0a7d0e0bf3fe49b75f7945f1fc77053be7eca46.exe

Executes dropped EXE 2 IoCs

pid	Process
4040	ecxopti.exe
5072	devdobsys.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ5H\\optidevloc.exe"	ffbabbc63f917b31a63ef8caf0a7d0e0bf3fe49b75f7945f1fc77053be7eca46.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocZ2\\devdobsys.exe"	ffbabbc63f917b31a63ef8caf0a7d0e0bf3fe49b75f7945f1fc77053be7eca46.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecxopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devdobsys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ffbabbc63f917b31a63ef8caf0a7d0e0bf3fe49b75f7945f1fc77053be7eca46.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2032	ffbabbc63f917b31a63ef8caf0a7d0e0bf3fe49b75f7945f1fc77053be7eca46.exe
2032	ffbabbc63f917b31a63ef8caf0a7d0e0bf3fe49b75f7945f1fc77053be7eca46.exe
2032	ffbabbc63f917b31a63ef8caf0a7d0e0bf3fe49b75f7945f1fc77053be7eca46.exe
2032	ffbabbc63f917b31a63ef8caf0a7d0e0bf3fe49b75f7945f1fc77053be7eca46.exe
4040	ecxopti.exe
4040	ecxopti.exe
5072	devdobsys.exe
5072	devdobsys.exe
4040	ecxopti.exe
4040	ecxopti.exe
5072	devdobsys.exe
5072	devdobsys.exe
4040	ecxopti.exe
4040	ecxopti.exe
5072	devdobsys.exe
5072	devdobsys.exe
4040	ecxopti.exe
4040	ecxopti.exe
5072	devdobsys.exe
5072	devdobsys.exe
4040	ecxopti.exe
4040	ecxopti.exe
5072	devdobsys.exe
5072	devdobsys.exe
4040	ecxopti.exe
4040	ecxopti.exe
5072	devdobsys.exe
5072	devdobsys.exe
4040	ecxopti.exe
4040	ecxopti.exe
5072	devdobsys.exe
5072	devdobsys.exe
4040	ecxopti.exe
4040	ecxopti.exe
5072	devdobsys.exe
5072	devdobsys.exe
4040	ecxopti.exe
4040	ecxopti.exe
5072	devdobsys.exe
5072	devdobsys.exe
4040	ecxopti.exe
4040	ecxopti.exe
5072	devdobsys.exe
5072	devdobsys.exe
4040	ecxopti.exe
4040	ecxopti.exe
5072	devdobsys.exe
5072	devdobsys.exe
4040	ecxopti.exe
4040	ecxopti.exe
5072	devdobsys.exe
5072	devdobsys.exe
4040	ecxopti.exe
4040	ecxopti.exe
5072	devdobsys.exe
5072	devdobsys.exe
4040	ecxopti.exe
4040	ecxopti.exe
5072	devdobsys.exe
5072	devdobsys.exe
4040	ecxopti.exe
4040	ecxopti.exe
5072	devdobsys.exe
5072	devdobsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 4040	2032	ffbabbc63f917b31a63ef8caf0a7d0e0bf3fe49b75f7945f1fc77053be7eca46.exe	87
PID 2032 wrote to memory of 4040	2032	ffbabbc63f917b31a63ef8caf0a7d0e0bf3fe49b75f7945f1fc77053be7eca46.exe	87
PID 2032 wrote to memory of 4040	2032	ffbabbc63f917b31a63ef8caf0a7d0e0bf3fe49b75f7945f1fc77053be7eca46.exe	87
PID 2032 wrote to memory of 5072	2032	ffbabbc63f917b31a63ef8caf0a7d0e0bf3fe49b75f7945f1fc77053be7eca46.exe	90
PID 2032 wrote to memory of 5072	2032	ffbabbc63f917b31a63ef8caf0a7d0e0bf3fe49b75f7945f1fc77053be7eca46.exe	90
PID 2032 wrote to memory of 5072	2032	ffbabbc63f917b31a63ef8caf0a7d0e0bf3fe49b75f7945f1fc77053be7eca46.exe	90

C:\Users\Admin\AppData\Local\Temp\ffbabbc63f917b31a63ef8caf0a7d0e0bf3fe49b75f7945f1fc77053be7eca46.exe
"C:\Users\Admin\AppData\Local\Temp\ffbabbc63f917b31a63ef8caf0a7d0e0bf3fe49b75f7945f1fc77053be7eca46.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4040
- C:\IntelprocZ2\devdobsys.exe
  C:\IntelprocZ2\devdobsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocZ2\devdobsys.exe

Filesize
2.6MB

MD5
e4daa7033e5ddc9d45aa02304484c4c6

SHA1
e86819442ead9988b99a83bd4c3ac67ffb0053ee

SHA256
28adbcb2a37a368c234e0c805591c30b0dddac62ce1aee08f0b4910a75a4069b

SHA512
dc996753148a5e10befa76ed77eae6a4ac2b52526b17ea3ba12fce3c128a32be86c1ee9867484d34d2726e164eb12df22767320c3fbd19397fe4b5d4667799b3

Download Submit
C:\LabZ5H\optidevloc.exe

Filesize
2.6MB

MD5
a1e64a8ee77c195ffb05dce6c6d9cb47

SHA1
14cc2cda90aceddfae7c7ff1781ad20e76cc8ccc

SHA256
1612d8d7b4b6071633ff392cded05ed24cbc6ae01783636d05e624dd40f0a408

SHA512
31cfec63c52dd1e0f3038782ea5b558a2d4a51fc765004d2c8c72ae90362a9f95449950b2f3661e7cadb935825db2b33800f8a1d049d78cf078813f7c9e091a2

Download Submit
C:\LabZ5H\optidevloc.exe

Filesize
2.6MB

MD5
d3b07fd2b6bbfaa85cfbd29f862489ea

SHA1
ada3e2009591adf8779612d68ff19146b0964868

SHA256
13cf8f7d69a129df6498faf0c6ace898d44718d9f2cedb97bc8433ffae3bde77

SHA512
07bdc4248c025a0252724725c8d580751b9f78fa6bd68ef8e83b77ad29471220a388504a9776eb4e1ca539b900010110e902985241441ac8e1da683e7eab3805

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
209B

MD5
23a4a330264cb43fcf4bf4569497a7f2

SHA1
495f4b16ad9706fcb8a34fa6de7f45f9a54e5447

SHA256
afb8670697b56d0b0cfe4329381ab0d666241b65de024ccf6b91848b7fcc9f78

SHA512
8c5a1a2ba7de5ce7641e55ec12ad767968b37ddef3e97767924de6c6bcdbdf93c5180adff00ace44ba00955009aef06b5d0d91e66b28852c7083fe89e254e52d

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
177B

MD5
46da87d52e6c9f97aadc9f9e3cd14944

SHA1
4326dd4661771b66255bbfa027a6d40d51212520

SHA256
e5d3090b22271454ec9815a33517b2b0a78e73bcc4ea22ed675f5062a8bfe6ee

SHA512
4694f4417b2310d56099488320901052539ebf8bbf5d2f9c9664125b10cf2cc4c7e663ca7149c9254ed54ee9d1ea6d0902b16a131f7c87f3a67cb5d135efa722

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe

Filesize
2.6MB

MD5
c68683da19a45957cd06fa820b6d90bc

SHA1
dd702ab53b67fed2bf2ffa13cf687c690431ebe2

SHA256
6d4a3f9b973ad82a4048d7d0a94201e43a33c90402f8b6d95c9208fd0ea6102c

SHA512
2abb5ba88bf30b5bea07c2498817157e8df245a6e1e73d1c4a2704176de814f5557e5d258ea6330c20a45b1340a32639be8fdcf62b9a07ac950536f6fb492e2f

Download Submit