Analysis

  • max time kernel: 150s
  • max time network: 122s
  • platform: windows7_x64
  • resource: win7-20240221-en
  • resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted: 03-06-2024 05:36

General

  • Target: f5bcf6fd0a01d689ba2f350f6b387a9a7a1175119c5fec8ca25a50b8ea44ac30.exe
  • Size: 4.1MB
  • MD5: 05f4d5e7cd958137428debf26c8fbb32
  • SHA1: a65845a9094d8e7f04011f7cbefafa417707eee6
  • SHA256: f5bcf6fd0a01d689ba2f350f6b387a9a7a1175119c5fec8ca25a50b8ea44ac30
  • SHA512: 53f28c3295a3d8045a3c420d2cbc307e7246b79b41d2331991d793be14546bc0d6e85426e283c2a00747080c0ebf6739924ed73c6b848c2dbcacaf3a27703a05
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB5B/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUp2bVz8eLFcz

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f5bcf6fd0a01d689ba2f350f6b387a9a7a1175119c5fec8ca25a50b8ea44ac30.exe
    "C:\Users\Admin\AppData\Local\Temp\f5bcf6fd0a01d689ba2f350f6b387a9a7a1175119c5fec8ca25a50b8ea44ac30.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2676
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2864
    • C:\AdobeCT\xbodec.exe
      C:\AdobeCT\xbodec.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2504

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\AdobeCT\xbodec.exe
    Filesize: 4.1MB
    MD5: e40103673e08865e6e8aa189cfbe7479
    SHA1: fd5e7c4052e78fada152fc6ec1ee7d857b2a3e79
    SHA256: 69d1053f255b3ec2e06fb215a1798f5c5c107f19057cf4dcadf3fbe01db82059
    SHA512: d13b557197226e9c0edd8a92d0350770349d6bae663dd7387a606f7bd2321577a86bcfaf331492bedbf976b7d7e0d0c0acb23e3c4f79ce6946cbca4118e60f99

  • C:\LabZ9X\optidevloc.exe
    Filesize: 4.1MB
    MD5: da101d88f68648cf22dc794ed281a01c
    SHA1: e7352c880606814215c0706e897a264fb2e32c4c
    SHA256: c575dac5b9b32b25a9c7d59cb29869cb0c92dd91465e5eb6c6194606eae1d0c3
    SHA512: 3725536b5106e7902f271015df5d0a7dc567bd66e202e50eede885373a1b08f587bfda9e3a82b0f8ca563b2ea22f09e2cfbcc43ce565337092d44dd53e0132b8

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 170B
    MD5: e5a421e532d9b99e98b8b2c840eed54d
    SHA1: 04b69dad6fd98479a0cf3ba6e5fdeb14812a0bda
    SHA256: b13132ee2909b98982bfd58faf5ec68ccce3e178ccee0a79eeb5e8e9ad877b55
    SHA512: 5719955228792a542d3d76c322d4a8f6ed2d9e2a52950c9ae87916b5a36a8b06a632a4753d28ed7f1ff4f0db584c013ee9d64245a5a57849346ec13e5ba82b48

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 202B
    MD5: f6419c0c31b458651c739d68d4c0b2c3
    SHA1: 8b0c10ac12893eac70171f8791a1584cd2b81f13
    SHA256: c739cef60b29a2e17d416e31da1cab2427cfc42b287dd085cbe683b36c89f3f4
    SHA512: 87182dc2803da245577eee16d82b062dbb10639c3859cf63c883305a83853d9a4414671089ce2ad74fa392cc0e8fb503198dd7bf1c667716f7873a58ebb4bbae

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
    Filesize: 4.1MB
    MD5: 7ed09b0587afa0abcbccb2762425758a
    SHA1: 4df0ed4de4d49e4823f3cf5d81ba1ca496b00c7d
    SHA256: 80272d04a7cab72013e6a026d4a2aaae4060f6d0351f021643686e7ca29838d9
    SHA512: 62626889ff87b49b3d570bff16754afb96baca0684118e4770656030e56904d9b84d0a59db84e4da42d3337d8b049b751e9f9e6ef7e4c3d59e069e28773d0347