828264dfedc47bdabd05d6cc3a4d7045649b207ec6a22c98d06a8d65d85b1b75

Analysis

max time kernel
150s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
03/05/2024, 23:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

828264dfedc47bdabd05d6cc3a4d7045649b207ec6a22c98d06a8d65d85b1b75.exe
Size

3.1MB
MD5

392d5bf8eace3ed628b749c341256133
SHA1

7da6abf1470174ba563e4d7bd2436fd64b3cabc8
SHA256

828264dfedc47bdabd05d6cc3a4d7045649b207ec6a22c98d06a8d65d85b1b75
SHA512

7c92ce30443f7d3d57688fff1d5d8f4dcecb6eb2d3ce1871aaf9245552af758cf1a86f9a9c1deb33a016931741fcb611dc862998aa2bf6402fc1d0bb5cb9379b
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBkB/bSqz8b6LNXJqI:sxX7QnxrloE5dpUpXbVz8eLFc

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe	828264dfedc47bdabd05d6cc3a4d7045649b207ec6a22c98d06a8d65d85b1b75.exe

Executes dropped EXE 2 IoCs

pid	Process
2076	ecadob.exe
3124	xoptisys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocXW\\xoptisys.exe"	828264dfedc47bdabd05d6cc3a4d7045649b207ec6a22c98d06a8d65d85b1b75.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxAY\\optixloc.exe"	828264dfedc47bdabd05d6cc3a4d7045649b207ec6a22c98d06a8d65d85b1b75.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1404	828264dfedc47bdabd05d6cc3a4d7045649b207ec6a22c98d06a8d65d85b1b75.exe
1404	828264dfedc47bdabd05d6cc3a4d7045649b207ec6a22c98d06a8d65d85b1b75.exe
1404	828264dfedc47bdabd05d6cc3a4d7045649b207ec6a22c98d06a8d65d85b1b75.exe
1404	828264dfedc47bdabd05d6cc3a4d7045649b207ec6a22c98d06a8d65d85b1b75.exe
2076	ecadob.exe
2076	ecadob.exe
3124	xoptisys.exe
3124	xoptisys.exe
2076	ecadob.exe
2076	ecadob.exe
3124	xoptisys.exe
3124	xoptisys.exe
2076	ecadob.exe
2076	ecadob.exe
3124	xoptisys.exe
3124	xoptisys.exe
2076	ecadob.exe
2076	ecadob.exe
3124	xoptisys.exe
3124	xoptisys.exe
2076	ecadob.exe
2076	ecadob.exe
3124	xoptisys.exe
3124	xoptisys.exe
2076	ecadob.exe
2076	ecadob.exe
3124	xoptisys.exe
3124	xoptisys.exe
2076	ecadob.exe
2076	ecadob.exe
3124	xoptisys.exe
3124	xoptisys.exe
2076	ecadob.exe
2076	ecadob.exe
3124	xoptisys.exe
3124	xoptisys.exe
2076	ecadob.exe
2076	ecadob.exe
3124	xoptisys.exe
3124	xoptisys.exe
2076	ecadob.exe
2076	ecadob.exe
3124	xoptisys.exe
3124	xoptisys.exe
2076	ecadob.exe
2076	ecadob.exe
3124	xoptisys.exe
3124	xoptisys.exe
2076	ecadob.exe
2076	ecadob.exe
3124	xoptisys.exe
3124	xoptisys.exe
2076	ecadob.exe
2076	ecadob.exe
3124	xoptisys.exe
3124	xoptisys.exe
2076	ecadob.exe
2076	ecadob.exe
3124	xoptisys.exe
3124	xoptisys.exe
2076	ecadob.exe
2076	ecadob.exe
3124	xoptisys.exe
3124	xoptisys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1404 wrote to memory of 2076	1404	828264dfedc47bdabd05d6cc3a4d7045649b207ec6a22c98d06a8d65d85b1b75.exe	88
PID 1404 wrote to memory of 2076	1404	828264dfedc47bdabd05d6cc3a4d7045649b207ec6a22c98d06a8d65d85b1b75.exe	88
PID 1404 wrote to memory of 2076	1404	828264dfedc47bdabd05d6cc3a4d7045649b207ec6a22c98d06a8d65d85b1b75.exe	88
PID 1404 wrote to memory of 3124	1404	828264dfedc47bdabd05d6cc3a4d7045649b207ec6a22c98d06a8d65d85b1b75.exe	89
PID 1404 wrote to memory of 3124	1404	828264dfedc47bdabd05d6cc3a4d7045649b207ec6a22c98d06a8d65d85b1b75.exe	89
PID 1404 wrote to memory of 3124	1404	828264dfedc47bdabd05d6cc3a4d7045649b207ec6a22c98d06a8d65d85b1b75.exe	89

C:\Users\Admin\AppData\Local\Temp\828264dfedc47bdabd05d6cc3a4d7045649b207ec6a22c98d06a8d65d85b1b75.exe
"C:\Users\Admin\AppData\Local\Temp\828264dfedc47bdabd05d6cc3a4d7045649b207ec6a22c98d06a8d65d85b1b75.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1404
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2076
- C:\IntelprocXW\xoptisys.exe
  C:\IntelprocXW\xoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxAY\optixloc.exe

Filesize
275KB

MD5
aa7af10f0c4291ef3fe397b3cc565138

SHA1
a7273b9dd2af0cc127f4662216f736d320d2c1b9

SHA256
cee556fdcc765ecd9c3e6508bb76037cbb6a2064222451ccb2fa21ede1e88543

SHA512
f40811cd28f8639fb608573a81d2199500498265c2e1a43513b785a5acf14b0d0b3ebe9eb111216877466b75b8cd559a517b68f2c4796f0b240611c900c861b7

Download Submit
C:\GalaxAY\optixloc.exe

Filesize
3.1MB

MD5
cad122f95b84ef251971e2809fbe9f90

SHA1
27b0549f4cd566008dc697771c360310811a1228

SHA256
fcc765678c83fcc3af53ecab0b14405ef21777993bb768847611b06261c05371

SHA512
cb70eebf2a762e8d2627a681d9ec5af6e119ad27dbdc334f82fbff2a0f717af69fe2a2040055ce98ad17ac1ea18abfefec20d447f90e94d092989ae80deb8d3b

Download Submit
C:\IntelprocXW\xoptisys.exe

Filesize
1.4MB

MD5
e56b2979d30bf9b99bddbfe413797648

SHA1
fa65f7053775b6774ce3dca06246b76763e4061f

SHA256
e5533dcb1571107e7c4d034d8cc5574de63a906287f436dc10c28fd20bdc176a

SHA512
7649ccfa1c40be5a2162240c386b2e3019840d9a701a538eeff11dcad3e9ea97b3ebb38e06c2d73aafd0d2edd50b33b1a453708ba1310dabe6f87ccf80ed727e

Download Submit
C:\IntelprocXW\xoptisys.exe

Filesize
3.1MB

MD5
fed6e453deceee414b9dd8575ae1be01

SHA1
d9a0f6e0e336f86896aac8e79cf63f7b3ece3ff6

SHA256
e65ba8ddef5c9d0efa18051e00b62eb811915980a19b1f9baca6aa97592e3242

SHA512
a38d56bb9a3a5e4481f4e216cf8f3be59c34321db6f74fd7976b5e0d3cc3fd5ef45819446bdf7a9e9ea36f77ed3662f1e11eab9baec298a5dc28d661f524a748

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
206B

MD5
f4fe34adcca166764520a25229b42e7c

SHA1
c0dfba52b5c6fd8c709594933ad055aebc703213

SHA256
d2b08d34569df74e6f6baf7985f8e42bd598cbf0886884999188d708ec413ffc

SHA512
ba8c2e2de262c2df776d807effea56970a73fb120197e9ccb86bb30f894cc004b1a533410c5212d6ff1815ca607dfa5855bc93ae8611c741ca425fbb467af942

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
174B

MD5
b000e32765f84cff363329643efae30c

SHA1
c10aca22eec256dc5aa0c96bd01c770a744cd782

SHA256
2c8ef306bb4cc465aef1e28ea60044b3003c047d3d6d8c2586d348b8ba4730c6

SHA512
7c08330b50fcaf61ab51de1cf3ba1216e772fcb7250c80ce7a237bdade60a73aebe7d542ea734833253c433e5f1252fc7b5c2f984346a7c8179857c6a807de3b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe

Filesize
3.1MB

MD5
52fa259721c1796084c3af083d61bfac

SHA1
8965edc81ff7bb588d2af3f47e1eb1b776469f70

SHA256
b3be10e72928a45325e96eece8429fcb1f2adc4b36077cdb3c88a9797d23f252

SHA512
548173971bf62da84427c8625873cd4e730457e2827d670515f7f61c9dccce033b16bcc81c139a502e6f7e6f37c203ba41f24192ed2015b254c14084bc8924e2

Download Submit