7f5f92ae853c66db63f5329f4d476237e1ffa864bcbe12170fb516cfdcdd8fed

Analysis

max time kernel
120s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/11/2024, 04:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f5f92ae853c66db63f5329f4d476237e1ffa864bcbe12170fb516cfdcdd8fed.exe
Size

2.6MB
MD5

62345c79bb8aa0ae1fd3e4b3dae384ac
SHA1

2ce73c545e31712ebac38ddbabff1195bc7606c5
SHA256

7f5f92ae853c66db63f5329f4d476237e1ffa864bcbe12170fb516cfdcdd8fed
SHA512

419007858c285c9af63a95ef6bad14506f58d16705343d73c795181cf7721b04cf613bc5a9cd2e9dbda4134021f54dcbabae3ff931727ca1f9c749724ade30e4
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBCB/bSqV:sxX7QnxrloE5dpUpdbVV

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe	7f5f92ae853c66db63f5329f4d476237e1ffa864bcbe12170fb516cfdcdd8fed.exe

Executes dropped EXE 2 IoCs

pid	Process
4228	ecdevopti.exe
1060	xdobsys.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot99\\xdobsys.exe"	7f5f92ae853c66db63f5329f4d476237e1ffa864bcbe12170fb516cfdcdd8fed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZH7\\optialoc.exe"	7f5f92ae853c66db63f5329f4d476237e1ffa864bcbe12170fb516cfdcdd8fed.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7f5f92ae853c66db63f5329f4d476237e1ffa864bcbe12170fb516cfdcdd8fed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecdevopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdobsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2672	7f5f92ae853c66db63f5329f4d476237e1ffa864bcbe12170fb516cfdcdd8fed.exe
2672	7f5f92ae853c66db63f5329f4d476237e1ffa864bcbe12170fb516cfdcdd8fed.exe
2672	7f5f92ae853c66db63f5329f4d476237e1ffa864bcbe12170fb516cfdcdd8fed.exe
2672	7f5f92ae853c66db63f5329f4d476237e1ffa864bcbe12170fb516cfdcdd8fed.exe
4228	ecdevopti.exe
4228	ecdevopti.exe
1060	xdobsys.exe
1060	xdobsys.exe
4228	ecdevopti.exe
4228	ecdevopti.exe
1060	xdobsys.exe
1060	xdobsys.exe
4228	ecdevopti.exe
4228	ecdevopti.exe
1060	xdobsys.exe
1060	xdobsys.exe
4228	ecdevopti.exe
4228	ecdevopti.exe
1060	xdobsys.exe
1060	xdobsys.exe
4228	ecdevopti.exe
4228	ecdevopti.exe
1060	xdobsys.exe
1060	xdobsys.exe
4228	ecdevopti.exe
4228	ecdevopti.exe
1060	xdobsys.exe
1060	xdobsys.exe
4228	ecdevopti.exe
4228	ecdevopti.exe
1060	xdobsys.exe
1060	xdobsys.exe
4228	ecdevopti.exe
4228	ecdevopti.exe
1060	xdobsys.exe
1060	xdobsys.exe
4228	ecdevopti.exe
4228	ecdevopti.exe
1060	xdobsys.exe
1060	xdobsys.exe
4228	ecdevopti.exe
4228	ecdevopti.exe
1060	xdobsys.exe
1060	xdobsys.exe
4228	ecdevopti.exe
4228	ecdevopti.exe
1060	xdobsys.exe
1060	xdobsys.exe
4228	ecdevopti.exe
4228	ecdevopti.exe
1060	xdobsys.exe
1060	xdobsys.exe
4228	ecdevopti.exe
4228	ecdevopti.exe
1060	xdobsys.exe
1060	xdobsys.exe
4228	ecdevopti.exe
4228	ecdevopti.exe
1060	xdobsys.exe
1060	xdobsys.exe
4228	ecdevopti.exe
4228	ecdevopti.exe
1060	xdobsys.exe
1060	xdobsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2672 wrote to memory of 4228	2672	7f5f92ae853c66db63f5329f4d476237e1ffa864bcbe12170fb516cfdcdd8fed.exe	86
PID 2672 wrote to memory of 4228	2672	7f5f92ae853c66db63f5329f4d476237e1ffa864bcbe12170fb516cfdcdd8fed.exe	86
PID 2672 wrote to memory of 4228	2672	7f5f92ae853c66db63f5329f4d476237e1ffa864bcbe12170fb516cfdcdd8fed.exe	86
PID 2672 wrote to memory of 1060	2672	7f5f92ae853c66db63f5329f4d476237e1ffa864bcbe12170fb516cfdcdd8fed.exe	87
PID 2672 wrote to memory of 1060	2672	7f5f92ae853c66db63f5329f4d476237e1ffa864bcbe12170fb516cfdcdd8fed.exe	87
PID 2672 wrote to memory of 1060	2672	7f5f92ae853c66db63f5329f4d476237e1ffa864bcbe12170fb516cfdcdd8fed.exe	87

C:\Users\Admin\AppData\Local\Temp\7f5f92ae853c66db63f5329f4d476237e1ffa864bcbe12170fb516cfdcdd8fed.exe
"C:\Users\Admin\AppData\Local\Temp\7f5f92ae853c66db63f5329f4d476237e1ffa864bcbe12170fb516cfdcdd8fed.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4228
- C:\UserDot99\xdobsys.exe
  C:\UserDot99\xdobsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZH7\optialoc.exe

Filesize
2.6MB

MD5
eea4ed1d86ca465fc963cb74fd16d75f

SHA1
287c4429556d395ec3d23ef3f479385c1b1a72fd

SHA256
17c828963c998451185da5f97299d86a6384797adde5ccf849b9a6564d06cda9

SHA512
7cb609e93e67fe4d5e987673c37716850b6d500ffa0a6cf3f635029c7fa38f6c1e9d30ef218bdceb2e939fb3ef3799a9a2ecd5adddba6cf7624b53890413cba7

Download Submit
C:\LabZH7\optialoc.exe

Filesize
5KB

MD5
35d5f2180b8da2eaecad0679e66dc251

SHA1
3e782e20becd6567750bacb04faafd148aadac06

SHA256
2060beef29432b8908a388df4a1a966c34d69e51cbf1f836ab07935d52f94700

SHA512
15f574e8e815c44b4444d3eb87af7e00b262eebc14f1ab886d4912aae01cf910dc7d4f769f884a3659bce05e28faa5a23be0190cf13a203cff0f3afdb951c493

Download Submit
C:\UserDot99\xdobsys.exe

Filesize
2.6MB

MD5
af203ebc2757622ac24bf103022da30a

SHA1
02a44554514238667ecbe7e970afce725011374e

SHA256
fb2eb656c25b62989d924c9de1722e729bff62b22ba3d0f8e9e23b0eb72b3da8

SHA512
4b7f26b1428498568bcdd9d57c51ec0a2c45a2aa9a811b84826133e9fb0b2dfb8c4ee696f786de18de333e8c582e8847cc299bdade7f62ce41c4c645657309ee

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
1ad423a2f9387fec89705ff1472ff9f6

SHA1
9bac48089996cacc2aba2bd9ac07d558b78ab467

SHA256
0378106117ef027c39b4e63465763db2bf82e739d24c92895d648448f00fd8df

SHA512
2eba1ac50ec8fcdfbeeb5b2a2081faf21c67e03b65e929d47f01a0ef68476e67fa4f2fa34495cd54b090410380033bbd3cce7e3b0b1de30be3f126a2713ea794

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
173B

MD5
84a5b0934efbf6bec6e0d6356fde75f7

SHA1
d821d58ccb2386e6ad29d8914a6d0e607226c867

SHA256
ca61d438ec16b9cf77c839aa3fc81da57a2fccb71db62a52558e1eaebf50efd0

SHA512
7da1ef7239fb22faf5d8c9f018856cabc6ced57e218c86d88d23328547f104f4445c0a43c662d530022a4eb1daf43001694af83f24716ca633b3db1292268cb5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe

Filesize
2.6MB

MD5
17071061c3d24115d48b58f3c2f0d269

SHA1
4044148b1d80ec865b2b64d4dee2fb7d398699cc

SHA256
321f0a1a20e5aa3924d6bf4264ca3cb28725414273a7f34267f5c5854742b65a

SHA512
016d7211469dadefd32bfa05540bbf258ef36be93e81852e405559c1923bf1d0194671a366ffb287b62b348d4494ddc33b8ee6bb75234420819a924601684ffe

Download Submit