Analysis

- max time kernel: 150s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 03-06-2024 05:36
Static task: static1

Behavioral task: behavioral1
- Sample: f5bcf6fd0a01d689ba2f350f6b387a9a7a1175119c5fec8ca25a50b8ea44ac30.exe
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: f5bcf6fd0a01d689ba2f350f6b387a9a7a1175119c5fec8ca25a50b8ea44ac30.exe
- Resource: win10v2004-20240508-en
General

- Target: f5bcf6fd0a01d689ba2f350f6b387a9a7a1175119c5fec8ca25a50b8ea44ac30.exe
- Size: 4.1MB
- MD5: 05f4d5e7cd958137428debf26c8fbb32
- SHA1: a65845a9094d8e7f04011f7cbefafa417707eee6
- SHA256: f5bcf6fd0a01d689ba2f350f6b387a9a7a1175119c5fec8ca25a50b8ea44ac30
- SHA512: 53f28c3295a3d8045a3c420d2cbc307e7246b79b41d2331991d793be14546bc0d6e85426e283c2a00747080c0ebf6739924ed73c6b848c2dbcacaf3a27703a05
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB5B/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUp2bVz8eLFcz
Malware Config

Signatures

Drops startup file (1 IoC)
Processes:
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe (by f5bcf6fd0a01d689ba2f350f6b387a9a7a1175119c5fec8ca25a50b8ea44ac30.exe)
Executes dropped EXE (2 IoCs)
Processes:
- PID 2864: ecaopti.exe
- PID 2504: xbodec.exe
Loads dropped DLL (2 IoCs)
Processes:
- PID 2676: f5bcf6fd0a01d689ba2f350f6b387a9a7a1175119c5fec8ca25a50b8ea44ac30.exe
- PID 2676: f5bcf6fd0a01d689ba2f350f6b387a9a7a1175119c5fec8ca25a50b8ea44ac30.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, such as saved credentials.
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
- Set value (str): \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ9X\\optidevloc.exe" (by f5bcf6fd0a01d689ba2f350f6b387a9a7a1175119c5fec8ca25a50b8ea44ac30.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeCT\\xbodec.exe" (by f5bcf6fd0a01d689ba2f350f6b387a9a7a1175119c5fec8ca25a50b8ea44ac30.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (the 64 entries repeat the same three pid/process pairs):
- PID 2676: f5bcf6fd0a01d689ba2f350f6b387a9a7a1175119c5fec8ca25a50b8ea44ac30.exe
- PID 2864: ecaopti.exe
- PID 2504: xbodec.exe
Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
- PID 2676 (f5bcf6fd0a01d689ba2f350f6b387a9a7a1175119c5fec8ca25a50b8ea44ac30.exe) wrote to memory of PID 2864; procid_target 28; reported 4 times
- PID 2676 (f5bcf6fd0a01d689ba2f350f6b387a9a7a1175119c5fec8ca25a50b8ea44ac30.exe) wrote to memory of PID 2504; procid_target 29; reported 4 times
Processes

- C:\Users\Admin\AppData\Local\Temp\f5bcf6fd0a01d689ba2f350f6b387a9a7a1175119c5fec8ca25a50b8ea44ac30.exe (PID 2676)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f5bcf6fd0a01d689ba2f350f6b387a9a7a1175119c5fec8ca25a50b8ea44ac30.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe (PID 2864)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
  - C:\AdobeCT\xbodec.exe (PID 2504)
    Command line: C:\AdobeCT\xbodec.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads