8d0220bf22f31ad2c1580688108351da8b60e6006548d5f0efd3792144228175

Analysis

max time kernel
149s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
04-05-2024 00:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8d0220bf22f31ad2c1580688108351da8b60e6006548d5f0efd3792144228175.exe
Size

3.9MB
MD5

0eae1360ffb680bd777bf150669f04c6
SHA1

eb972b730bbf4a8f21f5e3fc0775d1c57a1f5e4c
SHA256

8d0220bf22f31ad2c1580688108351da8b60e6006548d5f0efd3792144228175
SHA512

a2987f69ab528a230aeb53d807dcc352d8574abf9c478ba859de1a67333d3e4dbc18cc7b75c2889a82357990e7fcf413c688c1767f2997d8f87dd83f978f246f
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBtB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpybVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe	8d0220bf22f31ad2c1580688108351da8b60e6006548d5f0efd3792144228175.exe

Executes dropped EXE 2 IoCs

pid	Process
2480	ecadob.exe
2936	xoptiloc.exe

Loads dropped DLL 2 IoCs

pid	Process
2256	8d0220bf22f31ad2c1580688108351da8b60e6006548d5f0efd3792144228175.exe
2256	8d0220bf22f31ad2c1580688108351da8b60e6006548d5f0efd3792144228175.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxQ6\\bodxec.exe"	8d0220bf22f31ad2c1580688108351da8b60e6006548d5f0efd3792144228175.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvR0\\xoptiloc.exe"	8d0220bf22f31ad2c1580688108351da8b60e6006548d5f0efd3792144228175.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2256	8d0220bf22f31ad2c1580688108351da8b60e6006548d5f0efd3792144228175.exe
2256	8d0220bf22f31ad2c1580688108351da8b60e6006548d5f0efd3792144228175.exe
2480	ecadob.exe
2936	xoptiloc.exe
2480	ecadob.exe
2936	xoptiloc.exe
2480	ecadob.exe
2936	xoptiloc.exe
2480	ecadob.exe
2936	xoptiloc.exe
2480	ecadob.exe
2936	xoptiloc.exe
2480	ecadob.exe
2936	xoptiloc.exe
2480	ecadob.exe
2936	xoptiloc.exe
2480	ecadob.exe
2936	xoptiloc.exe
2480	ecadob.exe
2936	xoptiloc.exe
2480	ecadob.exe
2936	xoptiloc.exe
2480	ecadob.exe
2936	xoptiloc.exe
2480	ecadob.exe
2936	xoptiloc.exe
2480	ecadob.exe
2936	xoptiloc.exe
2480	ecadob.exe
2936	xoptiloc.exe
2480	ecadob.exe
2936	xoptiloc.exe
2480	ecadob.exe
2936	xoptiloc.exe
2480	ecadob.exe
2936	xoptiloc.exe
2480	ecadob.exe
2936	xoptiloc.exe
2480	ecadob.exe
2936	xoptiloc.exe
2480	ecadob.exe
2936	xoptiloc.exe
2480	ecadob.exe
2936	xoptiloc.exe
2480	ecadob.exe
2936	xoptiloc.exe
2480	ecadob.exe
2936	xoptiloc.exe
2480	ecadob.exe
2936	xoptiloc.exe
2480	ecadob.exe
2936	xoptiloc.exe
2480	ecadob.exe
2936	xoptiloc.exe
2480	ecadob.exe
2936	xoptiloc.exe
2480	ecadob.exe
2936	xoptiloc.exe
2480	ecadob.exe
2936	xoptiloc.exe
2480	ecadob.exe
2936	xoptiloc.exe
2480	ecadob.exe
2936	xoptiloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 2480	2256	8d0220bf22f31ad2c1580688108351da8b60e6006548d5f0efd3792144228175.exe	28
PID 2256 wrote to memory of 2480	2256	8d0220bf22f31ad2c1580688108351da8b60e6006548d5f0efd3792144228175.exe	28
PID 2256 wrote to memory of 2480	2256	8d0220bf22f31ad2c1580688108351da8b60e6006548d5f0efd3792144228175.exe	28
PID 2256 wrote to memory of 2480	2256	8d0220bf22f31ad2c1580688108351da8b60e6006548d5f0efd3792144228175.exe	28
PID 2256 wrote to memory of 2936	2256	8d0220bf22f31ad2c1580688108351da8b60e6006548d5f0efd3792144228175.exe	29
PID 2256 wrote to memory of 2936	2256	8d0220bf22f31ad2c1580688108351da8b60e6006548d5f0efd3792144228175.exe	29
PID 2256 wrote to memory of 2936	2256	8d0220bf22f31ad2c1580688108351da8b60e6006548d5f0efd3792144228175.exe	29
PID 2256 wrote to memory of 2936	2256	8d0220bf22f31ad2c1580688108351da8b60e6006548d5f0efd3792144228175.exe	29

C:\Users\Admin\AppData\Local\Temp\8d0220bf22f31ad2c1580688108351da8b60e6006548d5f0efd3792144228175.exe
"C:\Users\Admin\AppData\Local\Temp\8d0220bf22f31ad2c1580688108351da8b60e6006548d5f0efd3792144228175.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2480
- C:\SysDrvR0\xoptiloc.exe
  C:\SysDrvR0\xoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxQ6\bodxec.exe

Filesize
3.9MB

MD5
f3986e426d62a83351c4a8bb7b0e7f35

SHA1
25fd1252fc534d135a685f3bbb71aaaae0e42820

SHA256
96947b5994c85ce802b637409e156d49385b88e2c32ab81880fff2400f23550c

SHA512
79083c19c4e8c639af8a6dcc51339cf5b4ee1cf43f8a8798ce2e77247a950e22a30c0420630d8600e2044c20d71106d7d0258100c908437e8aa7ab493227fe3d

Download Submit
C:\GalaxQ6\bodxec.exe

Filesize
3.9MB

MD5
0a964f3851c242d42e01c9e3f145290f

SHA1
2131ae49eb7804304d2f31058b48e7921c78fc6f

SHA256
5a9ad4b5123c803ac8312830f6dfe92f1777a57e47e7a7163f94b71744c1a7bf

SHA512
3891db6c0b7614dec7e81bb1bdfae857a05e5b31965d398ddb01055d0ef67750b7b2b798c91f9069f321b021a67e4c404d3dbb23b1488f8e4d8d1a29adb7b800

Download Submit
C:\SysDrvR0\xoptiloc.exe

Filesize
3.9MB

MD5
7c002a3f8da1b53358c7b7a26249b6c4

SHA1
75e8e46b6c43a46212be9fe35a48d2fc22bfedaf

SHA256
fef36af296a0615d7e53de814bc3a1b40bd1e1fa769bacfee3fed7c56f4d7179

SHA512
5dd711ba4381ee11a2474384d62a65e1077e10f0051b588046c9ffabccf10d1edd9cce458b09cea084ca0744243f2fc7863fb13323a9ada6d9f7393191cc0928

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
169B

MD5
a4e4336774dd11c3f84ed8c6eb866ef2

SHA1
a893c601a10966a5dd75daa171cc46b011d50b64

SHA256
3e238fd5b0ca1f34279177649348ab23ce7717bea3a76efed83830f9866fd147

SHA512
4aa9c4ae958ce6e2feb745509e943fa4597f9553154dee3a9a377585917b20060f9fd2a8e3c353caf394c903a66f72ccfac1bcb52900c10d81005a1b9d2e8c9c

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
201B

MD5
c4e1f855fe290c31a245a9aeec144fa1

SHA1
6261511b5e555251ec1e22373a07e5c02a318703

SHA256
0603ca5d41c78e246825c3c0eb6ba9c6cfefcd33dffed6509db33176e6cdde1f

SHA512
b4c404a3b6a46ff4b666ce57919f2636d1f56310a1322bbf93026bd7a51f290e4b2d5010a359e8abe9af1fa66c5a01ac4fb93a4187798718b7b109bc599d88bf

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe

Filesize
3.9MB

MD5
b9bcbe32015f3d79e42d616918d5b399

SHA1
4749cafd80dcf02214230b1830a704312d3bd6ba

SHA256
0b1927cc64b0030d1db17105ff3e7f0b73f069c4362ff5e4cf48fa0cbd9f1926

SHA512
6e1b5f3bea89a60a1c48906f52f8f323192e9f3443beb1e9e69579d34453e1b74a80f78ee17847613754661ab8cafa603e2e91876122837df1497933cd528be8

Download Submit