ccc1a8c837a376ed6b76ea79e3a93ed41e989246ca86a95b6b7cb31a27d3f32f

Analysis

max time kernel
120s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
20/11/2024, 02:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ccc1a8c837a376ed6b76ea79e3a93ed41e989246ca86a95b6b7cb31a27d3f32fN.exe
Size

2.6MB
MD5

eff7b4d48313f3e470f61bdfa5194330
SHA1

325331a07cf4b21b447d2acb3850a97af5773759
SHA256

ccc1a8c837a376ed6b76ea79e3a93ed41e989246ca86a95b6b7cb31a27d3f32f
SHA512

375548ec6177b7639bbfdb3ac022ea08345899239345f5ff0c9ed9dba127d0bbf348b83fc3bfee2fb6267d8c3e11087e0ed2b8d7f81654325c4aae4c47f4aac6
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBaB/bS:sxX7QnxrloE5dpUpFb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe	ccc1a8c837a376ed6b76ea79e3a93ed41e989246ca86a95b6b7cb31a27d3f32fN.exe

Executes dropped EXE 2 IoCs

pid	Process
2116	ecadob.exe
2188	xdobec.exe

Loads dropped DLL 2 IoCs

pid	Process
2280	ccc1a8c837a376ed6b76ea79e3a93ed41e989246ca86a95b6b7cb31a27d3f32fN.exe
2280	ccc1a8c837a376ed6b76ea79e3a93ed41e989246ca86a95b6b7cb31a27d3f32fN.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocF3\\xdobec.exe"	ccc1a8c837a376ed6b76ea79e3a93ed41e989246ca86a95b6b7cb31a27d3f32fN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZBI\\optidevec.exe"	ccc1a8c837a376ed6b76ea79e3a93ed41e989246ca86a95b6b7cb31a27d3f32fN.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ccc1a8c837a376ed6b76ea79e3a93ed41e989246ca86a95b6b7cb31a27d3f32fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecadob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdobec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2280	ccc1a8c837a376ed6b76ea79e3a93ed41e989246ca86a95b6b7cb31a27d3f32fN.exe
2280	ccc1a8c837a376ed6b76ea79e3a93ed41e989246ca86a95b6b7cb31a27d3f32fN.exe
2116	ecadob.exe
2188	xdobec.exe
2116	ecadob.exe
2188	xdobec.exe
2116	ecadob.exe
2188	xdobec.exe
2116	ecadob.exe
2188	xdobec.exe
2116	ecadob.exe
2188	xdobec.exe
2116	ecadob.exe
2188	xdobec.exe
2116	ecadob.exe
2188	xdobec.exe
2116	ecadob.exe
2188	xdobec.exe
2116	ecadob.exe
2188	xdobec.exe
2116	ecadob.exe
2188	xdobec.exe
2116	ecadob.exe
2188	xdobec.exe
2116	ecadob.exe
2188	xdobec.exe
2116	ecadob.exe
2188	xdobec.exe
2116	ecadob.exe
2188	xdobec.exe
2116	ecadob.exe
2188	xdobec.exe
2116	ecadob.exe
2188	xdobec.exe
2116	ecadob.exe
2188	xdobec.exe
2116	ecadob.exe
2188	xdobec.exe
2116	ecadob.exe
2188	xdobec.exe
2116	ecadob.exe
2188	xdobec.exe
2116	ecadob.exe
2188	xdobec.exe
2116	ecadob.exe
2188	xdobec.exe
2116	ecadob.exe
2188	xdobec.exe
2116	ecadob.exe
2188	xdobec.exe
2116	ecadob.exe
2188	xdobec.exe
2116	ecadob.exe
2188	xdobec.exe
2116	ecadob.exe
2188	xdobec.exe
2116	ecadob.exe
2188	xdobec.exe
2116	ecadob.exe
2188	xdobec.exe
2116	ecadob.exe
2188	xdobec.exe
2116	ecadob.exe
2188	xdobec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 2116	2280	ccc1a8c837a376ed6b76ea79e3a93ed41e989246ca86a95b6b7cb31a27d3f32fN.exe	29
PID 2280 wrote to memory of 2116	2280	ccc1a8c837a376ed6b76ea79e3a93ed41e989246ca86a95b6b7cb31a27d3f32fN.exe	29
PID 2280 wrote to memory of 2116	2280	ccc1a8c837a376ed6b76ea79e3a93ed41e989246ca86a95b6b7cb31a27d3f32fN.exe	29
PID 2280 wrote to memory of 2116	2280	ccc1a8c837a376ed6b76ea79e3a93ed41e989246ca86a95b6b7cb31a27d3f32fN.exe	29
PID 2280 wrote to memory of 2188	2280	ccc1a8c837a376ed6b76ea79e3a93ed41e989246ca86a95b6b7cb31a27d3f32fN.exe	30
PID 2280 wrote to memory of 2188	2280	ccc1a8c837a376ed6b76ea79e3a93ed41e989246ca86a95b6b7cb31a27d3f32fN.exe	30
PID 2280 wrote to memory of 2188	2280	ccc1a8c837a376ed6b76ea79e3a93ed41e989246ca86a95b6b7cb31a27d3f32fN.exe	30
PID 2280 wrote to memory of 2188	2280	ccc1a8c837a376ed6b76ea79e3a93ed41e989246ca86a95b6b7cb31a27d3f32fN.exe	30

C:\Users\Admin\AppData\Local\Temp\ccc1a8c837a376ed6b76ea79e3a93ed41e989246ca86a95b6b7cb31a27d3f32fN.exe
"C:\Users\Admin\AppData\Local\Temp\ccc1a8c837a376ed6b76ea79e3a93ed41e989246ca86a95b6b7cb31a27d3f32fN.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2116
- C:\IntelprocF3\xdobec.exe
  C:\IntelprocF3\xdobec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocF3\xdobec.exe

Filesize
236KB

MD5
b2259492d3590a0487d83f65a7b68dd9

SHA1
2475ac7cde7e7fe9677e1045b4db73fec259b3a7

SHA256
7328bb1413830c673e9eb848c185a48e383f40a8ff70698f461d14b43358a8e9

SHA512
217e07db87b62ad24569c2a7bbd60e4a8754a79a39fa2729a887a8e69f37e0f33562ec522ea357c6f539ec07e3d213cf61b4f6fc8df43bed7de9475babadb69a

Download Submit
C:\LabZBI\optidevec.exe

Filesize
2.6MB

MD5
49753457e29b4b3c343af58c19c13630

SHA1
30ec8eaf8e072272aba4b2c59bba610b0cc07dfd

SHA256
a529a0c6efabfb3398a25425671d785d389f86e035e59c41894b2f08607a371a

SHA512
99aa72855d0124026bd17fe18e92da9d15926eeb3b634a64c7406507c48393d753484bbc4704d80a2a4620d9d6b8c8078bb22132474b3262366ed97da5bbe3be

Download Submit
C:\LabZBI\optidevec.exe

Filesize
2.6MB

MD5
1081aa97e37e5d0d3868da61eb5b6bc0

SHA1
3fcd8ba0ee43b23297893f1336f8127ba6bdced1

SHA256
d27d9ad42cf777879c16eb2239f6110ee78cb7a538bcf6287a77fe3cef189a08

SHA512
946abb7b3ef420afe5767f104024ecc96a58e5b3cf484a1925aa97eaa89402c1d34b44467448e00f8fdd94747f7cc158713e9338ee8a76cfadecf355fa919143

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
172B

MD5
ae0dbaf20ba65628c7a88694cc9b4c3e

SHA1
77c5fe20d10dec7025f2a2c981dbd53859d565fe

SHA256
2970f1f0fd858f4dc28b92e8de0a154f9f78a0834517574e5379ca8191ddb194

SHA512
4c21526d22127432d042d8fe0e0b0b05075baa1e8d8f8759bb3a71fc4231e481465b62f9ab3a3b4ede8332195e3e5c573f72c7511da3c2c2b923a5f8513b2761

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
93f9a9154239a1129fb99a4ac8463e1d

SHA1
3c4fe17141213776d21047d811b51ba77385ff1e

SHA256
15bf8b7e178cc285dcf6380978d4931b93933bfacd264ff2700f21a2f0d9f7a7

SHA512
ca72ae0418498404ff37045c814ce3bed62e51c118a6eef9fd1db3101d11a29c920bebdab56f1632bf290cfe8aa404dc2529ad12a103cf89d801ad3a155e0202

Download Submit
\IntelprocF3\xdobec.exe

Filesize
2.6MB

MD5
47a73376b745245ebe860b481caebe63

SHA1
e8c44e0ba965308314edf2fc48831dc4c7e42a9c

SHA256
11014fbed54cd8f3685c2b2dd1698c31255d88d10cf3c9be32da7e1344638249

SHA512
89e5322b590cc5f5b91da1b2d079fc2a2551142510019277e4e1b0728f77a6b7f7d9efa88fd9bbf107ef7a13b4a3d045ff2b30a3885ca6ef754a5b4cbd5b342f

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe

Filesize
2.6MB

MD5
237f0e7dd065af133e519613183e35fc

SHA1
ece3202187148c31880c50c984e1a6d5809914e8

SHA256
6410d6865c89515725c1a70798ce0be5d23bf5d99c1f762eea642835311e3a98

SHA512
1f0d52df566d3522017f32796b2e1f8a7f67625d4a06ec84263d78835af0f8f20a097666be34432de1299eeb4ee993bb783e00c91a2d12f5b35d76c28baa7fa6

Download Submit