79651e8616f701122275edd7444d7f62478bc2a786d204ec2c59e9f01a5d417b

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-11-2024 17:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

virussign.com_d4dd384ae38fed77098536c5b075c320.exe
Size

2.6MB
MD5

d4dd384ae38fed77098536c5b075c320
SHA1

ed8690d654532965db51c6145dab0c7454284a7b
SHA256

687a990253af6ef1eb5a4d36b657237874f0dbafa795e2d74b7ca6ea5bd56ac9
SHA512

353e67dfac140206f4d97f38d66fe6dab74dfca0734cf63117dc02beb81f0906860907ac6113b5fe6c7f20d77a9d4a0977f3f4d71d09f69efe531492513a91d4
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB/B/bSq:sxX7QnxrloE5dpUpgbV

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe	virussign.com_d4dd384ae38fed77098536c5b075c320.exe

Executes dropped EXE 2 IoCs

pid	Process
2536	ecabod.exe
2444	xoptisys.exe

Loads dropped DLL 2 IoCs

pid	Process
1932	virussign.com_d4dd384ae38fed77098536c5b075c320.exe
1932	virussign.com_d4dd384ae38fed77098536c5b075c320.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe05\\xoptisys.exe"	virussign.com_d4dd384ae38fed77098536c5b075c320.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax3L\\dobaec.exe"	virussign.com_d4dd384ae38fed77098536c5b075c320.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecabod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xoptisys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	virussign.com_d4dd384ae38fed77098536c5b075c320.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1932	virussign.com_d4dd384ae38fed77098536c5b075c320.exe
1932	virussign.com_d4dd384ae38fed77098536c5b075c320.exe
2536	ecabod.exe
2444	xoptisys.exe
2536	ecabod.exe
2444	xoptisys.exe
2536	ecabod.exe
2444	xoptisys.exe
2536	ecabod.exe
2444	xoptisys.exe
2536	ecabod.exe
2444	xoptisys.exe
2536	ecabod.exe
2444	xoptisys.exe
2536	ecabod.exe
2444	xoptisys.exe
2536	ecabod.exe
2444	xoptisys.exe
2536	ecabod.exe
2444	xoptisys.exe
2536	ecabod.exe
2444	xoptisys.exe
2536	ecabod.exe
2444	xoptisys.exe
2536	ecabod.exe
2444	xoptisys.exe
2536	ecabod.exe
2444	xoptisys.exe
2536	ecabod.exe
2444	xoptisys.exe
2536	ecabod.exe
2444	xoptisys.exe
2536	ecabod.exe
2444	xoptisys.exe
2536	ecabod.exe
2444	xoptisys.exe
2536	ecabod.exe
2444	xoptisys.exe
2536	ecabod.exe
2444	xoptisys.exe
2536	ecabod.exe
2444	xoptisys.exe
2536	ecabod.exe
2444	xoptisys.exe
2536	ecabod.exe
2444	xoptisys.exe
2536	ecabod.exe
2444	xoptisys.exe
2536	ecabod.exe
2444	xoptisys.exe
2536	ecabod.exe
2444	xoptisys.exe
2536	ecabod.exe
2444	xoptisys.exe
2536	ecabod.exe
2444	xoptisys.exe
2536	ecabod.exe
2444	xoptisys.exe
2536	ecabod.exe
2444	xoptisys.exe
2536	ecabod.exe
2444	xoptisys.exe
2536	ecabod.exe
2444	xoptisys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1932 wrote to memory of 2536	1932	virussign.com_d4dd384ae38fed77098536c5b075c320.exe	31
PID 1932 wrote to memory of 2536	1932	virussign.com_d4dd384ae38fed77098536c5b075c320.exe	31
PID 1932 wrote to memory of 2536	1932	virussign.com_d4dd384ae38fed77098536c5b075c320.exe	31
PID 1932 wrote to memory of 2536	1932	virussign.com_d4dd384ae38fed77098536c5b075c320.exe	31
PID 1932 wrote to memory of 2444	1932	virussign.com_d4dd384ae38fed77098536c5b075c320.exe	32
PID 1932 wrote to memory of 2444	1932	virussign.com_d4dd384ae38fed77098536c5b075c320.exe	32
PID 1932 wrote to memory of 2444	1932	virussign.com_d4dd384ae38fed77098536c5b075c320.exe	32
PID 1932 wrote to memory of 2444	1932	virussign.com_d4dd384ae38fed77098536c5b075c320.exe	32

C:\Users\Admin\AppData\Local\Temp\virussign.com_d4dd384ae38fed77098536c5b075c320.exe
"C:\Users\Admin\AppData\Local\Temp\virussign.com_d4dd384ae38fed77098536c5b075c320.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2536
- C:\Adobe05\xoptisys.exe
  C:\Adobe05\xoptisys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Adobe05\xoptisys.exe

Filesize
2.6MB

MD5
49a09bfb76b60b5de335468b141b1e89

SHA1
401031d6ebfb72438466965add7ee378626519a9

SHA256
f52a7f0ad702177c9cc47996cc5b6f94171c9b40784b87f12bb64cc43d8870f2

SHA512
00d9513232a9f553824d975eae39c53751ef0a4ccfa7d1820cc4b3a5716fcc55a0c836b9d9f10f26eb47992f0f5ee76c506a27153d0e6bab1be8fe1143d820c9

Download Submit
C:\Galax3L\dobaec.exe

Filesize
2.6MB

MD5
df57d8f435547aaec330ad79bd1b7ed2

SHA1
6713ffaab7ebc0d6566924d989cfa3f453177926

SHA256
3a3c26dec5addf4bb4fd26093f730949698437b12c2dbb62b27ec0d39f9ba474

SHA512
6b936abfe74642f3598ce9864d6e3f89d289d5169087dd71e7d1cfdb568617ba980630e689af7d83aa54503b3dbb0f078ec7e8dba1193456af9cc9e87892cb4c

Download Submit
C:\Galax3L\dobaec.exe

Filesize
2.6MB

MD5
7408131c86993e95497bb8dc6dbc02a3

SHA1
201343ed33305af91a9cf380eb72deeecc439a25

SHA256
b18e06a4880c818105fee78089c44ed0726a684519e44485ee1055b8a906bf23

SHA512
a711bc404bbea453d111f582954a2109cc1fd191b04288a15caa8ada1d4ecb7ec1e40b4bd9f384ec3b4c47c0d4f57fef21267e150a9491e234a7ce6c7eae5eed

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
168B

MD5
d0d2fe757aea2863ba30f88625395a1c

SHA1
fbf9d76bb8e2973425ad84ad6aec2053cbe7b7c2

SHA256
6dea248c9647ba4d0ddc9322782a285d5350f5364c21a800e2ea7332c5beba91

SHA512
04411870133b130630f3fbe31cfa040b5ca7de6570d4cfd80c8116e2a8d69f0af35bd83ba079422a51e917cd41d36789eeb056b7a91d003d50021eeb3e5c3c51

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
200B

MD5
ff52d1bac127c5a4fbc15344b313eb90

SHA1
26bc8232c27473fb6bdfe3820911bd330422e63f

SHA256
cbfe5133f9d7c0558e4e0b76799743ef8de8d0bbbc4e66b00307e055211bc459

SHA512
d88fb45e5870feeb0e0109f0827dc965653351e52a0a941a2b625980218faebedea368e82979d856831edce0bd477358b92fff3ec4ab56fe2ce2b9682185f77f

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe

Filesize
2.6MB

MD5
63e76b75a2da2c374c5aed55d734cbd3

SHA1
2b057874cf51873fcbd05b2fa8adde60a8c8f6a1

SHA256
0fb739782475c17815af501cddd0515769cb45ad95344b7b2d845fe98cf3d497

SHA512
f03ed0864cebffc6d08b4673f5111f201a71aa457cdf8ae4a132d6c51e582a88afb9fc2db26fd0ad9bc8425a6a92857e769aceccb59f33b4c1b2e8e83cd8c705

Download Submit