a53960252a8b45bc21ee2af964738d74d18b20f1ceb956fe19a53d346764119c

Analysis

max time kernel
120s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/11/2024, 18:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a53960252a8b45bc21ee2af964738d74d18b20f1ceb956fe19a53d346764119c.exe
Size

2.6MB
MD5

f1f98c824a75c11e6788282a26198834
SHA1

807546d857ffb7e922a2d367bfb2224cb9d7de69
SHA256

a53960252a8b45bc21ee2af964738d74d18b20f1ceb956fe19a53d346764119c
SHA512

a2fcd8e0b7faf3b7718efa51d7f2fb40d8a0c8a67796d1df315b1b257b8d684f54ed4c48225005bc78555169b367f96eaef1f2191369e5f3ac3c154a41070011
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBJB/bSS:sxX7QnxrloE5dpUpGb9

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe	a53960252a8b45bc21ee2af964738d74d18b20f1ceb956fe19a53d346764119c.exe

Executes dropped EXE 2 IoCs

pid	Process
2752	ecxdob.exe
2672	xoptisys.exe

Loads dropped DLL 2 IoCs

pid	Process
3068	a53960252a8b45bc21ee2af964738d74d18b20f1ceb956fe19a53d346764119c.exe
3068	a53960252a8b45bc21ee2af964738d74d18b20f1ceb956fe19a53d346764119c.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeT0\\xoptisys.exe"	a53960252a8b45bc21ee2af964738d74d18b20f1ceb956fe19a53d346764119c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintWG\\dobdevec.exe"	a53960252a8b45bc21ee2af964738d74d18b20f1ceb956fe19a53d346764119c.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a53960252a8b45bc21ee2af964738d74d18b20f1ceb956fe19a53d346764119c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecxdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xoptisys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3068	a53960252a8b45bc21ee2af964738d74d18b20f1ceb956fe19a53d346764119c.exe
3068	a53960252a8b45bc21ee2af964738d74d18b20f1ceb956fe19a53d346764119c.exe
2752	ecxdob.exe
2672	xoptisys.exe
2752	ecxdob.exe
2672	xoptisys.exe
2752	ecxdob.exe
2672	xoptisys.exe
2752	ecxdob.exe
2672	xoptisys.exe
2752	ecxdob.exe
2672	xoptisys.exe
2752	ecxdob.exe
2672	xoptisys.exe
2752	ecxdob.exe
2672	xoptisys.exe
2752	ecxdob.exe
2672	xoptisys.exe
2752	ecxdob.exe
2672	xoptisys.exe
2752	ecxdob.exe
2672	xoptisys.exe
2752	ecxdob.exe
2672	xoptisys.exe
2752	ecxdob.exe
2672	xoptisys.exe
2752	ecxdob.exe
2672	xoptisys.exe
2752	ecxdob.exe
2672	xoptisys.exe
2752	ecxdob.exe
2672	xoptisys.exe
2752	ecxdob.exe
2672	xoptisys.exe
2752	ecxdob.exe
2672	xoptisys.exe
2752	ecxdob.exe
2672	xoptisys.exe
2752	ecxdob.exe
2672	xoptisys.exe
2752	ecxdob.exe
2672	xoptisys.exe
2752	ecxdob.exe
2672	xoptisys.exe
2752	ecxdob.exe
2672	xoptisys.exe
2752	ecxdob.exe
2672	xoptisys.exe
2752	ecxdob.exe
2672	xoptisys.exe
2752	ecxdob.exe
2672	xoptisys.exe
2752	ecxdob.exe
2672	xoptisys.exe
2752	ecxdob.exe
2672	xoptisys.exe
2752	ecxdob.exe
2672	xoptisys.exe
2752	ecxdob.exe
2672	xoptisys.exe
2752	ecxdob.exe
2672	xoptisys.exe
2752	ecxdob.exe
2672	xoptisys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 2752	3068	a53960252a8b45bc21ee2af964738d74d18b20f1ceb956fe19a53d346764119c.exe	30
PID 3068 wrote to memory of 2752	3068	a53960252a8b45bc21ee2af964738d74d18b20f1ceb956fe19a53d346764119c.exe	30
PID 3068 wrote to memory of 2752	3068	a53960252a8b45bc21ee2af964738d74d18b20f1ceb956fe19a53d346764119c.exe	30
PID 3068 wrote to memory of 2752	3068	a53960252a8b45bc21ee2af964738d74d18b20f1ceb956fe19a53d346764119c.exe	30
PID 3068 wrote to memory of 2672	3068	a53960252a8b45bc21ee2af964738d74d18b20f1ceb956fe19a53d346764119c.exe	31
PID 3068 wrote to memory of 2672	3068	a53960252a8b45bc21ee2af964738d74d18b20f1ceb956fe19a53d346764119c.exe	31
PID 3068 wrote to memory of 2672	3068	a53960252a8b45bc21ee2af964738d74d18b20f1ceb956fe19a53d346764119c.exe	31
PID 3068 wrote to memory of 2672	3068	a53960252a8b45bc21ee2af964738d74d18b20f1ceb956fe19a53d346764119c.exe	31

C:\Users\Admin\AppData\Local\Temp\a53960252a8b45bc21ee2af964738d74d18b20f1ceb956fe19a53d346764119c.exe
"C:\Users\Admin\AppData\Local\Temp\a53960252a8b45bc21ee2af964738d74d18b20f1ceb956fe19a53d346764119c.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2752
- C:\AdobeT0\xoptisys.exe
  C:\AdobeT0\xoptisys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeT0\xoptisys.exe

Filesize
2.6MB

MD5
fab6ae7fcdba359a8c57304eb52662e7

SHA1
e943b57039b5b777e259b1335984b971202e5da8

SHA256
6aa15af9a08227e292e3079c6b40a3307df77f4f83070b6301e2b152e2a0c60c

SHA512
5b93d5232fb72980ec52d0399c9d845dec3ad563b45a4aded5dd9500d0243204b522df1d46dba7ee79b04ee1736f2b9631e4c38e9071eb26058d2a101f662361

Download Submit
C:\MintWG\dobdevec.exe

Filesize
1.8MB

MD5
f564b08a420dec0190b9348ee7a8c6f5

SHA1
65dfd198d944211527e6c59eaaf098cc5ed2f46f

SHA256
973cefe4fe90a8789e074604a4eacadfe39cc996bd9fbeb29ed12ecedf0603f7

SHA512
b3c66a48be5d56b36c39674e76ebd6911386da3762ccb56ac0febce5d221483a23e0a09fd088ccc7e68f79eb2b5078d0d5a40783e8f004fa89f2579e61f08c6a

Download Submit
C:\MintWG\dobdevec.exe

Filesize
2.6MB

MD5
857f675da2a4fcb39b6685f34701a0a6

SHA1
8883ce7d102309bd65d3e491d98f2d9270a56222

SHA256
7540ab1ae07a58a7b79ca20dc6eace3448c90e7fb616787d63c7cc79f14f8dea

SHA512
9b83fc65d58c213414900dbfc344444c0f9a51934cd5e6738b53811c708f4589d086c986c18a8cbe5ec98691a2cb32e1b25c4171aa3f03ff3571a148d1634cde

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
169B

MD5
010d445f1cdf72e362ae65322a506776

SHA1
e6b75d92a57159ed51b8df460c16ee8830534298

SHA256
36baf5beb530674a0eb5e06ac167792496c43423ded53ea09cd9ab2bba19b4f7

SHA512
ae0206c87837e7a00eece7cedca2838e5c2ac004e5fff15d0885c83477aad228301729c30fc92926adde324c652137e2664f262ff4eefbfba40045d62d3dd96e

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
201B

MD5
08f1f0ab4fa9ddd1853d0db3bd805267

SHA1
a1724e4f3b3e9faab9c5082f59ea8a48d4d12428

SHA256
840f98599100f025c8e0127937992f391ad1656130de4ea3fd126f5f4c6e86ab

SHA512
e0f6f94436f5b98aa748f4c180cfd4cfd52d55ed59a479d44cd5ac7b22c9e9fa0b70fb1df8e86caac0175eb6091b2d68e5fe461419276d3ed75049192896634b

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe

Filesize
2.6MB

MD5
448dd7713e71134c49a66ff24d5d82d6

SHA1
3bbf22d4b1dfe030862749ea4321fa59f32cd510

SHA256
4f1cdaa4f9628f1b5b9441c9a646f8eea4cc2888d8bba06bd4e4aeb30108b33c

SHA512
dddd9e2bb64ca282ea20a4cf4dc2eb051e8356ab6d80ae7f5c0e4c4d87ede05ef9870a823ef9679bb0b0247af71671edcf6accd1080730119d71841908722428

Download Submit