Analysis
max time kernel
150s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags
arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted
04-06-2024 00:39
Static task
static1
Behavioral task
behavioral1
Sample
9b1c7f08a6203d7897ae5d459257eec116089679e0bc486d81e93edd4deb1de7.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
9b1c7f08a6203d7897ae5d459257eec116089679e0bc486d81e93edd4deb1de7.exe
Resource
win10v2004-20240426-en
General
-
Target
9b1c7f08a6203d7897ae5d459257eec116089679e0bc486d81e93edd4deb1de7.exe
-
Size
3.0MB
-
MD5
8d3bfc534b1c71f59199aba85b65bac3
-
SHA1
ef44e9b409ae23a5377d21d740d53f9d5c83d089
-
SHA256
9b1c7f08a6203d7897ae5d459257eec116089679e0bc486d81e93edd4deb1de7
-
SHA512
8e040e9c74a8e2c1e628827b5286a78ad5f827e0946a696f2da9c2e4249afa1d2881daeda0ff263ef50cf7b47c5428b7049dc78653e9630dd5e2abd9765b3f03
-
SSDEEP
49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBDB/bSqz8b6LNX:sxX7QnxrloE5dpUpobVz8eLF
Malware Config
Signatures
-
Drops startup file 1 IoCs
Processes:
9b1c7f08a6203d7897ae5d459257eec116089679e0bc486d81e93edd4deb1de7.exe (PID 1992)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
Executes dropped EXE 2 IoCs
Processes:
PID 1540  ecaopti.exe
PID 2876  xoptiec.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials. No file or registry IoCs are listed for this signature in this run.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
9b1c7f08a6203d7897ae5d459257eec116089679e0bc486d81e93edd4deb1de7.exe (PID 1992)
  Set value (str): \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeLO\\xoptiec.exe"
  Set value (str): \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxGJ\\optixsys.exe"
Note that both values share the name "Parametr" and point at executables under non-standard roots (C:\AdobeLO, C:\GalaxGJ). The RunOnce target C:\GalaxGJ\optixsys.exe does not appear in the process tree of this run; only C:\AdobeLO\xoptiec.exe was observed executing.
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
PID 1992  9b1c7f08a6203d7897ae5d459257eec116089679e0bc486d81e93edd4deb1de7.exe  (4 events)
PID 1540  ecaopti.exe and PID 2876  xoptiec.exe  (remaining 60 events, alternating in pairs between the two processes)
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
PID 1992 (9b1c7f08a6203d7897ae5d459257eec116089679e0bc486d81e93edd4deb1de7.exe) wrote to memory of PID 1540 (ecaopti.exe)  x3
PID 1992 (9b1c7f08a6203d7897ae5d459257eec116089679e0bc486d81e93edd4deb1de7.exe) wrote to memory of PID 2876 (xoptiec.exe)  x3
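The three signatures above describe one chain: the sample writes an executable into the per-user Startup folder, registers Run/RunOnce values under the name "Parametr" that point at executables under non-standard roots, and then launches the files it dropped. The following is an added example (not sandbox output and not the sample's code) of detection logic for that chain, run over constructed Sysmon-style events (EventID 11 FileCreate, 13 RegistryEvent, 1 ProcessCreate) whose paths, PIDs and registry values are taken from this report. The TRUSTED_ROOTS list, the benign "VendorUpdate" control event and the FileCreate event for C:\AdobeLO\xoptiec.exe are assumptions, since the report shows that file executing but lists no write for it.

```python
"""Hunting logic for the persistence chain in this report, applied to
constructed Sysmon-style events (added example; not sandbox output)."""
import re
from typing import Dict, List

# Registry autorun locations touched by the sample (Run and RunOnce values).
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\[^\\]+$", re.IGNORECASE
)
# Per-user Startup folder, where the sample dropped ecaopti.exe.
STARTUP_EXE_RE = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", re.IGNORECASE
)
# Assumption: legitimate autorun entries normally live under these roots;
# the sample's C:\AdobeLO and C:\GalaxGJ targets do not.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


def autorun_target_is_suspicious(details: str) -> bool:
    """A Run/RunOnce value is suspicious when its executable lives outside
    the trusted install roots (e.g. C:\\AdobeLO\\xoptiec.exe)."""
    target = details.strip().strip('"').lower()
    return not target.startswith(TRUSTED_ROOTS)


def detect(events: List[Dict]) -> List[Dict]:
    """Return alerts for: Run/RunOnce values pointing at untrusted paths,
    executables written to the Startup folder, and execution of a file that
    the parent process itself created earlier in the trace."""
    alerts: List[Dict] = []
    dropped: Dict[str, int] = {}  # lower-cased file path -> PID that created it
    for ev in events:
        eid = ev["EventID"]
        if eid == 13 and RUN_KEY_RE.search(ev["TargetObject"]):
            if autorun_target_is_suspicious(ev["Details"]):
                alerts.append({"rule": "run_key_persistence", "pid": ev["ProcessId"],
                               "key": ev["TargetObject"], "target": ev["Details"]})
        elif eid == 11:  # FileCreate
            path = ev["TargetFilename"]
            dropped[path.lower()] = ev["ProcessId"]
            if STARTUP_EXE_RE.search(path):
                alerts.append({"rule": "startup_folder_drop", "pid": ev["ProcessId"],
                               "file": path})
        elif eid == 1:  # ProcessCreate: image was dropped by its own parent
            image = ev["Image"].lower()
            if dropped.get(image) == ev["ParentProcessId"]:
                alerts.append({"rule": "dropped_exe_executed", "pid": ev["ProcessId"],
                               "parent_pid": ev["ParentProcessId"], "image": ev["Image"]})
    return alerts


# Constructed events mirroring the report's IoCs; PIDs follow the process tree.
SID = r"HKU\S-1-5-21-3571316656-3665257725-2415531812-1000"
DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\9b1c7f08a6203d7897ae5d459257eec116089679e0bc486d81e93edd4deb1de7.exe")
STARTUP = (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
           r"\Start Menu\Programs\Startup\ecaopti.exe")
SAMPLE_EVENTS = [
    {"EventID": 11, "ProcessId": 1992, "Image": DROPPER, "TargetFilename": STARTUP},
    {"EventID": 13, "ProcessId": 1992, "Image": DROPPER,
     "TargetObject": SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr",
     "Details": r"C:\AdobeLO\xoptiec.exe"},
    {"EventID": 13, "ProcessId": 1992, "Image": DROPPER,
     "TargetObject": SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr",
     "Details": r"C:\GalaxGJ\optixsys.exe"},
    # Benign control (assumed): a vendor updater registered from Program Files.
    {"EventID": 13, "ProcessId": 4242, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdate",
     "Details": r'"C:\Program Files\Vendor\updater.exe"'},
    # Assumed write of xoptiec.exe; the report shows it running but lists no file event.
    {"EventID": 11, "ProcessId": 1992, "Image": DROPPER,
     "TargetFilename": r"C:\AdobeLO\xoptiec.exe"},
    {"EventID": 1, "ProcessId": 1540, "ParentProcessId": 1992, "Image": STARTUP},
    {"EventID": 1, "ProcessId": 2876, "ParentProcessId": 1992,
     "Image": r"C:\AdobeLO\xoptiec.exe"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed trace this yields five alerts: one Startup-folder drop, two Run/RunOnce values pointing outside the trusted roots, and two dropped executables launched by the process that wrote them; the Program Files control entry produces nothing. The "dropped_exe_executed" rule deliberately requires the creating PID to be the parent, which is the relationship the WriteProcessMemory IoCs above also show between PID 1992 and PIDs 1540 and 2876.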
Processes
- C:\Users\Admin\AppData\Local\Temp\9b1c7f08a6203d7897ae5d459257eec116089679e0bc486d81e93edd4deb1de7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9b1c7f08a6203d7897ae5d459257eec116089679e0bc486d81e93edd4deb1de7.exe"
  PID: 1992
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
    PID: 1540
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
  - C:\AdobeLO\xoptiec.exe
    Command line: C:\AdobeLO\xoptiec.exe
    PID: 2876
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
647KB
MD5
8e458a49ceaa667b0f7a6c1213d45da2
SHA1
f9c6f5d957b23a946c8802831b59fc1297642f28
SHA256
595c7e51c8954750e727e540bcc43438aa237a6377de34aeff2a1e1c92e3e9af
SHA512
a34f92114b37adb22362112a671af58e8b24b349ace371fcda3acb33ca711174288b6e56275a561e13d38c605ce614bccfa2c87a063e1ef9be8f7641e558dd1b
-
Filesize
3.0MB
MD5
eba5aead78b461fe7accee387336e3c0
SHA1
e7f507d0e353d4fe3bd131bd7ffeb5cdf0804669
SHA256
375b3458d512eee3e2d49c4874cc94e3f5fb6ab7063591b5348386fd10e24786
SHA512
d403f6b26e293c1823d1da1185d4f2c2d3765e034d126c38e82342e1a61cb049b77cb74b4cd1e5ee1cb053272543e0c464e9bb08a38fd7b12234281612755af1
-
Filesize
246KB
MD5
213ea1dba977cfc4323aafb5ec838b70
SHA1
2ac556ce3aa3363b198683beb75a696aa6f0059f
SHA256
45d173ea065d141d402a5fb7783ff9888832b4dfffd2cd65c87ed9506da4881b
SHA512
b6ee4a920f76ef9bc21210ca99cf60307b97e4e114d42ddaa62e4dbb6ad5289f60b09b2db0c19a279243f869cc00ae07fe2d2132c6c30bdb91c92950450bcc21
-
Filesize
1022KB
MD5
fb1771b1763b675638fff2dd51e268be
SHA1
1528bf41cfdfc652b205db7120038c9bc2adb8d9
SHA256
4775743f6d0eaecf71bd18018b77ab9d7c20487ad8892a736b1f4053eab88abc
SHA512
60f0a71e544e9189cefb1c8ce36d32dda0ebf89fcef08263b23e2c8ecac2191bee465364707656f41bb440a8b174382d9733dceae6afba885108fad74bcab691
-
Filesize
202B
MD5
d8edc6807296c7775369ff858ed464fa
SHA1
ea9fa858e275ae564de272d1053cabd05c2b3f9b
SHA256
7b8b272f329ec28cb7d5b3596e26b9051853c702941230f37953f90389661d25
SHA512
c1388a0c5aa84291b09c40e80c6f8a7eff3112aa9115b930903e83478cc3c978349b51fde1d8fa51f18aeda9d3e645bdb1e17fed4dfc1f0b71b1275caf67d5f0
-
Filesize
170B
MD5
6cb1ac5e4cea64c37247e4945fedec42
SHA1
aa29600b765f7afbc8994fcb6ade70c4e9fe7451
SHA256
b4ac19437dc5b4757fde53dddaa90fb909e4d05c6c45f5b07a52e0e8a59d36bd
SHA512
ea278aa7dd9eeb0a1fd4f2c51ea6b19280af518129f5eca43e1013c7e59b8e66a20495e7359a7315952360dfd39b791e49d4c24b60e2b4ef9edc761d3b2007e9
-
Filesize
3.0MB
MD5
c71f789f208fa3ab82a6c019d6a4f0db
SHA1
9422f9da89d51debaa34928bcf739b8c526f6234
SHA256
c38d052ceaa204a8420bbd2bd61b46740f0abda0774d70b23b68e35ffac68cc3
SHA512
fe3b90f04d0064f0efebca91bfe156a12ed9a2c38a00f362c5b77cd689a9ccfb3f02558e5bb4480ce97362a403c89283863f299041945a183523921273ebc425