509ad0ccd73dc2a5e7848bc62d65fba7c191e79f18de847e716a57c630dda1e3

Analysis

max time kernel
119s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20/11/2024, 03:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

509ad0ccd73dc2a5e7848bc62d65fba7c191e79f18de847e716a57c630dda1e3.exe
Size

2.6MB
MD5

f3a2e8e374a5a2276de6016c36f4e63c
SHA1

563bf33750e57976f8c7ea31504424bcf5af194d
SHA256

509ad0ccd73dc2a5e7848bc62d65fba7c191e79f18de847e716a57c630dda1e3
SHA512

4cf2f4b94729a40728bc1371a7309fd2d4225b88e7bc62bc50bbfe0e6e2106a891567cd313b159f8bcb225e85e1336f3c0c9b158325e35095411e1fe67db215d
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBJB/bSy:sxX7QnxrloE5dpUpObd

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe	509ad0ccd73dc2a5e7848bc62d65fba7c191e79f18de847e716a57c630dda1e3.exe

Executes dropped EXE 2 IoCs

pid	Process
2308	ecxdob.exe
264	abodec.exe

Loads dropped DLL 2 IoCs

pid	Process
2224	509ad0ccd73dc2a5e7848bc62d65fba7c191e79f18de847e716a57c630dda1e3.exe
2224	509ad0ccd73dc2a5e7848bc62d65fba7c191e79f18de847e716a57c630dda1e3.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotGO\\abodec.exe"	509ad0ccd73dc2a5e7848bc62d65fba7c191e79f18de847e716a57c630dda1e3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxKU\\optixec.exe"	509ad0ccd73dc2a5e7848bc62d65fba7c191e79f18de847e716a57c630dda1e3.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	509ad0ccd73dc2a5e7848bc62d65fba7c191e79f18de847e716a57c630dda1e3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecxdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abodec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2224	509ad0ccd73dc2a5e7848bc62d65fba7c191e79f18de847e716a57c630dda1e3.exe
2224	509ad0ccd73dc2a5e7848bc62d65fba7c191e79f18de847e716a57c630dda1e3.exe
2308	ecxdob.exe
264	abodec.exe
2308	ecxdob.exe
264	abodec.exe
2308	ecxdob.exe
264	abodec.exe
2308	ecxdob.exe
264	abodec.exe
2308	ecxdob.exe
264	abodec.exe
2308	ecxdob.exe
264	abodec.exe
2308	ecxdob.exe
264	abodec.exe
2308	ecxdob.exe
264	abodec.exe
2308	ecxdob.exe
264	abodec.exe
2308	ecxdob.exe
264	abodec.exe
2308	ecxdob.exe
264	abodec.exe
2308	ecxdob.exe
264	abodec.exe
2308	ecxdob.exe
264	abodec.exe
2308	ecxdob.exe
264	abodec.exe
2308	ecxdob.exe
264	abodec.exe
2308	ecxdob.exe
264	abodec.exe
2308	ecxdob.exe
264	abodec.exe
2308	ecxdob.exe
264	abodec.exe
2308	ecxdob.exe
264	abodec.exe
2308	ecxdob.exe
264	abodec.exe
2308	ecxdob.exe
264	abodec.exe
2308	ecxdob.exe
264	abodec.exe
2308	ecxdob.exe
264	abodec.exe
2308	ecxdob.exe
264	abodec.exe
2308	ecxdob.exe
264	abodec.exe
2308	ecxdob.exe
264	abodec.exe
2308	ecxdob.exe
264	abodec.exe
2308	ecxdob.exe
264	abodec.exe
2308	ecxdob.exe
264	abodec.exe
2308	ecxdob.exe
264	abodec.exe
2308	ecxdob.exe
264	abodec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 2308	2224	509ad0ccd73dc2a5e7848bc62d65fba7c191e79f18de847e716a57c630dda1e3.exe	30
PID 2224 wrote to memory of 2308	2224	509ad0ccd73dc2a5e7848bc62d65fba7c191e79f18de847e716a57c630dda1e3.exe	30
PID 2224 wrote to memory of 2308	2224	509ad0ccd73dc2a5e7848bc62d65fba7c191e79f18de847e716a57c630dda1e3.exe	30
PID 2224 wrote to memory of 2308	2224	509ad0ccd73dc2a5e7848bc62d65fba7c191e79f18de847e716a57c630dda1e3.exe	30
PID 2224 wrote to memory of 264	2224	509ad0ccd73dc2a5e7848bc62d65fba7c191e79f18de847e716a57c630dda1e3.exe	31
PID 2224 wrote to memory of 264	2224	509ad0ccd73dc2a5e7848bc62d65fba7c191e79f18de847e716a57c630dda1e3.exe	31
PID 2224 wrote to memory of 264	2224	509ad0ccd73dc2a5e7848bc62d65fba7c191e79f18de847e716a57c630dda1e3.exe	31
PID 2224 wrote to memory of 264	2224	509ad0ccd73dc2a5e7848bc62d65fba7c191e79f18de847e716a57c630dda1e3.exe	31

C:\Users\Admin\AppData\Local\Temp\509ad0ccd73dc2a5e7848bc62d65fba7c191e79f18de847e716a57c630dda1e3.exe
"C:\Users\Admin\AppData\Local\Temp\509ad0ccd73dc2a5e7848bc62d65fba7c191e79f18de847e716a57c630dda1e3.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2308
- C:\UserDotGO\abodec.exe
  C:\UserDotGO\abodec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxKU\optixec.exe

Filesize
2.6MB

MD5
8d3ce54d91e72e8d39c796f37a37a64d

SHA1
7d928aad9a829178129ffcde7e664f5d365b18b1

SHA256
0e70505a803ea46bbdd423fa8580b3df6ee4b70f70291da36070c38f0855a6c6

SHA512
4938c3846a4dca2d72f45c1117fae19e0bf0e701837a66ada2adc0f0e2f0d4a3a2296452d066ec57908ecf24f6d7f791cbb871dedb6dbe7345f5b40eb3391291

Download Submit
C:\GalaxKU\optixec.exe

Filesize
2.6MB

MD5
9a584b500d480e32a9dbc88a4e50aba8

SHA1
ff489af08a221cedace3496462101f1a87412ae9

SHA256
3e6880a28bb4e3934dccfe76ba372cd2c7894ce2c8573ffc157033d7778d8530

SHA512
b1110d8539de41ffdfdb1fdbb2017189c837b116863d2604b977135e6a895d085cdde819370628cc2c4921b0b00eda13b8737a2d31ce82e5771dbc4e314f017a

Download Submit
C:\UserDotGO\abodec.exe

Filesize
2.6MB

MD5
7fa83c1c0b6547ba07bd3447d83c3d15

SHA1
e810c3ac2937df65f89e4aae32ab7d8f68d1db6e

SHA256
ccb65461ac84234cb260a50bb40982f87f9e8e99bddfff78353b3bc2665808ff

SHA512
7c0e6a3a202c565842b6414413590b08e758caecb7cfc92939cee5dae8b106ce6227efe096b85bf9f8ccc5c8586e40ce523fc941edd2e2d6c57e648eabeae524

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
169B

MD5
a5a2e1148b3776d75073302f0dd971f4

SHA1
1a079d0b2e017e945a3b988de839463dc4e6d369

SHA256
45b4bf6ff52e3fa2c973bbd30a1926eaba7bd00f9cc033c5f0959a2c076966b9

SHA512
fc59f76eb3fa6ef808bccf844c968a64230a4615874fb2efad6b039f1f71bed37b9f471a646d2032e6de0d0c427981a051505b2c4698c3050d39e0a88b50ac6f

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
201B

MD5
99f9de72b5ab5f81d8ab5dd560db4b6f

SHA1
69d6744c3d34db17a559b4cb6bb0b62230cf7c21

SHA256
584e566da03c5a93b6ab32db0761105fdf3e6de164101d7bf8c705766db93014

SHA512
7cb84d29f1ead35cc1dc145e9a6e267fc285e7840ef39d4253dd0790380518aa7d83f3416685fc99ef7c1b9eca07821665983e3f050529a446ea059373e19df4

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe

Filesize
2.6MB

MD5
8dd71b0d39fa232f0ab743e28bd0e12e

SHA1
877b112ef65724fdc48532bc26d343261acf6188

SHA256
736eda110db09fb40eb97001ad4e1396e7f957493b1ebe9554eb25019c28be11

SHA512
68b75a39dfae32e0bcc8bbfdaa062b985f0479d76aa069e590efebeffc00697bb99a9582e30baf9c6512e4751c2e4d0b7894039823257b29564c6d52a326d58a

Download Submit