d64df7bf381de5f3054ae07be7a10458509e99ba01f542606e8e377a8b8beae8

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-11-2024 09:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d64df7bf381de5f3054ae07be7a10458509e99ba01f542606e8e377a8b8beae8.exe
Size

4.0MB
MD5

3e79f0a808cddbac65d78fd138dc9887
SHA1

4127b5318fdf0f807e1b04bc6d47709f2bfe488c
SHA256

d64df7bf381de5f3054ae07be7a10458509e99ba01f542606e8e377a8b8beae8
SHA512

c43feae9420d716b5fa291e92b0afd400d74a69e176c933b99301da3db0e525e8776b79d3181f4fe36e4a59b6a16847d476af4af1ca83967497c49daf18f47a6
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBrB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpQbVz8eLFcz

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

d64df7bf381de5f3054ae07be7a10458509e99ba01f542606e8e377a8b8beae8.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe	d64df7bf381de5f3054ae07be7a10458509e99ba01f542606e8e377a8b8beae8.exe

Executes dropped EXE 2 IoCs

Processes:

ecxopti.exeadobloc.exe

pid	Process
2688	ecxopti.exe
1740	adobloc.exe

Loads dropped DLL 2 IoCs

Processes:

d64df7bf381de5f3054ae07be7a10458509e99ba01f542606e8e377a8b8beae8.exe

pid	Process
2744	d64df7bf381de5f3054ae07be7a10458509e99ba01f542606e8e377a8b8beae8.exe
2744	d64df7bf381de5f3054ae07be7a10458509e99ba01f542606e8e377a8b8beae8.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

d64df7bf381de5f3054ae07be7a10458509e99ba01f542606e8e377a8b8beae8.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesWG\\adobloc.exe"	d64df7bf381de5f3054ae07be7a10458509e99ba01f542606e8e377a8b8beae8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint8K\\optixloc.exe"	d64df7bf381de5f3054ae07be7a10458509e99ba01f542606e8e377a8b8beae8.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

d64df7bf381de5f3054ae07be7a10458509e99ba01f542606e8e377a8b8beae8.exeecxopti.exeadobloc.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d64df7bf381de5f3054ae07be7a10458509e99ba01f542606e8e377a8b8beae8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecxopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adobloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

d64df7bf381de5f3054ae07be7a10458509e99ba01f542606e8e377a8b8beae8.exeecxopti.exeadobloc.exe

pid	Process
2744	d64df7bf381de5f3054ae07be7a10458509e99ba01f542606e8e377a8b8beae8.exe
2744	d64df7bf381de5f3054ae07be7a10458509e99ba01f542606e8e377a8b8beae8.exe
2688	ecxopti.exe
1740	adobloc.exe
2688	ecxopti.exe
1740	adobloc.exe
2688	ecxopti.exe
1740	adobloc.exe
2688	ecxopti.exe
1740	adobloc.exe
2688	ecxopti.exe
1740	adobloc.exe
2688	ecxopti.exe
1740	adobloc.exe
2688	ecxopti.exe
1740	adobloc.exe
2688	ecxopti.exe
1740	adobloc.exe
2688	ecxopti.exe
1740	adobloc.exe
2688	ecxopti.exe
1740	adobloc.exe
2688	ecxopti.exe
1740	adobloc.exe
2688	ecxopti.exe
1740	adobloc.exe
2688	ecxopti.exe
1740	adobloc.exe
2688	ecxopti.exe
1740	adobloc.exe
2688	ecxopti.exe
1740	adobloc.exe
2688	ecxopti.exe
1740	adobloc.exe
2688	ecxopti.exe
1740	adobloc.exe
2688	ecxopti.exe
1740	adobloc.exe
2688	ecxopti.exe
1740	adobloc.exe
2688	ecxopti.exe
1740	adobloc.exe
2688	ecxopti.exe
1740	adobloc.exe
2688	ecxopti.exe
1740	adobloc.exe
2688	ecxopti.exe
1740	adobloc.exe
2688	ecxopti.exe
1740	adobloc.exe
2688	ecxopti.exe
1740	adobloc.exe
2688	ecxopti.exe
1740	adobloc.exe
2688	ecxopti.exe
1740	adobloc.exe
2688	ecxopti.exe
1740	adobloc.exe
2688	ecxopti.exe
1740	adobloc.exe
2688	ecxopti.exe
1740	adobloc.exe
2688	ecxopti.exe
1740	adobloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

d64df7bf381de5f3054ae07be7a10458509e99ba01f542606e8e377a8b8beae8.exe

description	pid	Process	procid_target
PID 2744 wrote to memory of 2688	2744	d64df7bf381de5f3054ae07be7a10458509e99ba01f542606e8e377a8b8beae8.exe	31
PID 2744 wrote to memory of 2688	2744	d64df7bf381de5f3054ae07be7a10458509e99ba01f542606e8e377a8b8beae8.exe	31
PID 2744 wrote to memory of 2688	2744	d64df7bf381de5f3054ae07be7a10458509e99ba01f542606e8e377a8b8beae8.exe	31
PID 2744 wrote to memory of 2688	2744	d64df7bf381de5f3054ae07be7a10458509e99ba01f542606e8e377a8b8beae8.exe	31
PID 2744 wrote to memory of 1740	2744	d64df7bf381de5f3054ae07be7a10458509e99ba01f542606e8e377a8b8beae8.exe	32
PID 2744 wrote to memory of 1740	2744	d64df7bf381de5f3054ae07be7a10458509e99ba01f542606e8e377a8b8beae8.exe	32
PID 2744 wrote to memory of 1740	2744	d64df7bf381de5f3054ae07be7a10458509e99ba01f542606e8e377a8b8beae8.exe	32
PID 2744 wrote to memory of 1740	2744	d64df7bf381de5f3054ae07be7a10458509e99ba01f542606e8e377a8b8beae8.exe	32

C:\Users\Admin\AppData\Local\Temp\d64df7bf381de5f3054ae07be7a10458509e99ba01f542606e8e377a8b8beae8.exe
"C:\Users\Admin\AppData\Local\Temp\d64df7bf381de5f3054ae07be7a10458509e99ba01f542606e8e377a8b8beae8.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2744
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2688
- C:\FilesWG\adobloc.exe
  C:\FilesWG\adobloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesWG\adobloc.exe

Filesize
4.0MB

MD5
ebe4a0c9e9ecba06d21a43a87112b1b0

SHA1
99fe389290859175e1fc2d585c5b6db3e8b09039

SHA256
752a05ae6242d6a84ed2e5f05581b2e69df20295640d2d6181c014aae84a09b9

SHA512
cbe117fa78c9f4ea6169378d8a585e4894d2c51a4588c07f999b88423078b5bbe407354847396f9b9182f0b3e910be63b7488bc42449354daed41e9805d59b2e

Download Submit
C:\Mint8K\optixloc.exe

Filesize
4.0MB

MD5
9f9bf06e6db6a03cd081cb886541ba5d

SHA1
543385e7b2589620e20d4bf36973f224c71bc1fa

SHA256
79a960957fed054a3f3593490c49f047457961e223ddcde8d693f64d8cdf352a

SHA512
cc9b0b53be53eece3d4cffefac6917f7292f62ab0a0b91219548c298c8599228f986c80bdd831a6fcaada2ed1500c66dd342e7b84384e798a71cf59b90212897

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
169B

MD5
2948115787502e0c67e207d193133307

SHA1
b46729b88e449c5f6bbbfe14b4df39abcadd8adf

SHA256
8f5b90207dbd07892c957f9ded6c24082ae8df58dbb74bbcc4f7decccd40c705

SHA512
bf27099835399a0fb0324841225d9963cf94a7b69979667b5acd946ca141c59a613758f1b928124b7d0577b3de4befdbacba13c0b03d3a6365577d7f68773724

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
201B

MD5
b7c65cbb8aed8c519ba39655c6d6fc16

SHA1
0f89875166e3a79669464ff3e9abb4d226e058c2

SHA256
1f8cbb2ededffb99087b51b655298b9db4eab37dc56fd7eee53ac86614db526a

SHA512
77a87ffd14ab03f813344d32de8c4a413a1979dd7d419cbff399716df6e4484f03161ffb9ac73d11207c7926ffffc4f3f8c25a5272d9b6261694e263b668d7db

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe

Filesize
4.0MB

MD5
3787f3cae92085237f8c1be899b45ced

SHA1
8b358302f36cb89c558e35b52fde1d3ec6b382a8

SHA256
e599215d25cd11f20841d016e8fbc3270bb4f7bb42e742dd5aae8d4d13d662c7

SHA512
30791ecb3d9ebb9fb253d4dbbcb9a65bb0ec91fc895defca14457375751daa570b199ed5f6fadabecd49ec32fb52bc22edc87eb79b50958729218f688c0f0f0d

Download Submit