Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
  • submitted
    03-06-2024 05:34

General

  • Target

    f50a91a39c5aeaba83559ee22bc96c3a5748b0e3b15a8fcdafeb6012bd068680.exe

  • Size

    4.1MB

  • MD5

    8f466d4abf03a5d6f4e88699db920637

  • SHA1

    9664af2358342eb7baa0ed5b8596faafbc570d21

  • SHA256

    f50a91a39c5aeaba83559ee22bc96c3a5748b0e3b15a8fcdafeb6012bd068680

  • SHA512

    e760c6348b5b6775a31a4c6b73572c5a913e295c3f7f8ab9e5f9a3fa0b0b41b3631f298bb1126654b45217c3c47901b9b5d9fd99fcef754abdaa13ad5a871e36

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBiB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpdbVz8eLFcz

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f50a91a39c5aeaba83559ee22bc96c3a5748b0e3b15a8fcdafeb6012bd068680.exe
    "C:\Users\Admin\AppData\Local\Temp\f50a91a39c5aeaba83559ee22bc96c3a5748b0e3b15a8fcdafeb6012bd068680.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2288
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2220
    • C:\UserDot0L\xoptisys.exe
      C:\UserDot0L\xoptisys.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2356

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\GalaxEJ\optixec.exe

    Filesize

    4.1MB

    MD5

    f6afd58e964bd184b98e7b4b7b0d7bb7

    SHA1

    e76a55acfa21b3bf7cd8c5c9a8fb7163a10db4e9

    SHA256

    50a43fcaaba5716ea13e9b58b0d125e54ee307663a83f96a9747dab2ec15770e

    SHA512

    6d79597d2ce1d13afbd0d953f476084c1b0db9c863c5654ec9aaf4a9d2c12965addbe718669de867b9b2ebf2249e2619a92be73b72491d15d2e98b81929d5977

  • C:\GalaxEJ\optixec.exe

    Filesize

    958KB

    MD5

    8f10995e7ba79fb561a1a501b0ea8826

    SHA1

    a7e3ba05800ccb38488de1d43736080a11f46c95

    SHA256

    80290ef0158e2b4592cd26a62ffb9719486a26690decb51ea60accda24934f86

    SHA512

    a3948d58ee3a40cc19141eadc162c64f4b9b48b02a12364f2d4488af88de5695f03e1c51b4391b20396c6c7e03424b3e8d0dc21424a1a2b8d60a2243d8f8d75d

  • C:\UserDot0L\xoptisys.exe

    Filesize

    4.1MB

    MD5

    44b433a678f0d853e7e4a38a0be04d31

    SHA1

    8e911b33f8477d6230308b864264fa87c875a2a4

    SHA256

    350dc3c5d210bb22d013d0104c7a327d5f76c1188644d61e06bd79b55d81f2dd

    SHA512

    b66137809c3e2eb95045b5d0f2f60c257aba5844e83c464bb5e580077c3886669f99090ce9a88a55b40b5a49c0aeef52cad8bc15492941f6b672c03fa5bf0262

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    172B

    MD5

    3880210d0a9a23b45e57d99801dd2fc0

    SHA1

    c83602f0bfe2882d617918129294510f3fc32cfb

    SHA256

    01b95bec783b0edd900008ee5853b88d1212aa583a322ff2432d505a11ca304e

    SHA512

    c5e1f3f93b78090f4067da19b1fb75a0cb373b62cb0d78bd2a09002ca62bdeca33719859cee351de3b8013be7d697cd30ef07399d41a1c6a398672460adb9e22

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    204B

    MD5

    b44b6c0dca4e319e51674fc8b289e274

    SHA1

    c8aab03f5acbb106f3a5fa3ae9b3b0a922479b05

    SHA256

    4ee077e28488464dd3927b0c91cb1e8b0da3bc657b444b5342e939c8dd835c46

    SHA512

    5e3f0d12cf186ffe097145efc8263220affcb424c56428a7cdf056a45d9a28f5a053d26f9d287c6e8474db38e548fbe52f362cabe29e29957ac46779b33493e2

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe

    Filesize

    4.1MB

    MD5

    b3657bc7ee4cea6ae79dac4fd56ce38d

    SHA1

    8415ac237454f5273c9e9d4a3ab91b95c37e17f3

    SHA256

    9fa4bc36f28d9eb185938fe775e75d7258b8ffa8d95985beea338b1936dd472e

    SHA512

    7704607788d9a47b9f7d4f037461a10c1b9c232f50cb5bc3fa715cd5638f0a5e567e4575c99dd5d084e78bff50f2787aa51931e140df212acf1690d153c9fe23