Overview

overview

7

Static

static

3

fc11d70259...b0.exe

windows7-x64

7

fc11d70259...b0.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17/04/2024, 06:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fc11d70259730c33bc40397241af7509e6a784ed5cc144428626300310ca87b0.exe

  • Size

    3.1MB

  • MD5

    4b0fd7f1f83364b5982979d896097f42

  • SHA1

    8cc746c1d1685897375b4045e95707dfa0d4117d

  • SHA256

    fc11d70259730c33bc40397241af7509e6a784ed5cc144428626300310ca87b0

  • SHA512

    d6c0354a28134668e1b29ebf133831711bc1ff67fb01571b3083189f46bfcfa62061870dfbeb93deaf363d4eca0d7fa34c9f813427241f0aca8ed91585503665

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB3B/bSqz8b6LNXJqI:sxX7QnxrloE5dpUpUbVz8eLFc

Score
7/10
persistencespywarestealer

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fc11d70259730c33bc40397241af7509e6a784ed5cc144428626300310ca87b0.exe
    "C:\Users\Admin\AppData\Local\Temp\fc11d70259730c33bc40397241af7509e6a784ed5cc144428626300310ca87b0.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4004
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:4912
    • C:\FilesUE\aoptisys.exe
      C:\FilesUE\aoptisys.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:3624

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\FilesUE\aoptisys.exe
    Filesize

    3.1MB

    MD5

    dee0a31a26b288737278ccbb47135d69

    SHA1

    0844853c2920568c6aa8f3c5e7e5964bf770c150

    SHA256

    0901ca12fd256223b0ef9a3e085e69ceede7e0953a6e8a617614cb988045a915

    SHA512

    8c17a521a8e5307816c726d6b29c2760c09112cf0ea3a134080ad31eb75d1b5e0f7b7f09d890211ca7700946e1039336fc3c99da96eb2f003b1f546ee6a07623

    Download Submit

  • C:\Galax4E\dobxec.exe
    Filesize

    3.1MB

    MD5

    a8e2d43b2ce26edd20fd3000f27ae7cb

    SHA1

    71ef98e7d9d6ab91f49bef9c521fe43658d1568c

    SHA256

    78b13b73cf09e48d5d09899b7783d442f975138089d0e0d2750917928a0af7e0

    SHA512

    9aca6709a9c2b11aba239c16ed158a21e37f3b0bba40da374c89f4482f5f7f5e652357fc135fa559229783c2f657cf7ce8e470f0b72d30c886929b075ea4fefc

    Download Submit

  • C:\Galax4E\dobxec.exe
    Filesize

    3.1MB

    MD5

    a64135406b9e02474f96970e384e6e2b

    SHA1

    a2ee47dd12061459e403ed6976d7bcb0ac367ec7

    SHA256

    73e1e1b2e8b636a95b1b4fbb02ec3ed674c3110b74d777e87d54cdc10bd27084

    SHA512

    9696f97e969f0c91cc1f4d19d136dee6a871d8521333db78303ea09e89d7375b7c71cfa74114a5a70a95d805a33d7668bbb1b5daaa13e437e98a9184098861ff

    Download Submit

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize

    201B

    MD5

    ea58d40845b8e797fb3cbefc4eafbe8a

    SHA1

    a9132e3bc8ea26a19ef423d572440544b47cc593

    SHA256

    268d39212b3b88739db76d2b3d1f92f2b6b92dd92dc7fb6f61f083ab0c81bcb9

    SHA512

    5854d37755e05d76c49faab07c05274589eb8df14dae92aba5c956b1d335d5a201323b0684c3a5a8b654c76200b6865f16cb90eb18969fad1b0e24e587dd2c57

    Download Submit

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize

    169B

    MD5

    5dfe1a4abc94c3ca155a2cb8a5d4b58b

    SHA1

    54adf2acea83fc203ef98cb7df35aa8ee87e83db

    SHA256

    4b8535a48876697c0eafc23ac6c3d04f4888e7dea462cfb4d44dc5eac4a62dca

    SHA512

    3ed3b303fd7644d8f511922b132d29d2e02ecb159ed0eca7ecbe7c2530c965882681ca448e316bae63261972046ec8840d34f347cbcec49da1f85cf4ba1d48bf

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
    Filesize

    3.1MB

    MD5

    2ceb84aacf6600612270c2b0aed3c8d3

    SHA1

    a566af19d60f56d48c259ad92cbd22d588b0bb6e

    SHA256

    82229dd71dbd1384249963a01cbdce9a09074c3b01bbda6eef17e4b006a9f6d8

    SHA512

    0d78d859e8dde37e4267c0305fc2fc6daf4215063f21c48d71d7b5eacb79ee70b105296f73911d9ec3b18c9be5958d6d6df4bf58d992e098f691f7ad8fae67db

    Download Submit