Analysis

  • max time kernel
    150s
  • max time network
    93s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04-06-2024 00:39

General

  • Target

    9b1c7f08a6203d7897ae5d459257eec116089679e0bc486d81e93edd4deb1de7.exe

  • Size

    3.0MB

  • MD5

    8d3bfc534b1c71f59199aba85b65bac3

  • SHA1

    ef44e9b409ae23a5377d21d740d53f9d5c83d089

  • SHA256

    9b1c7f08a6203d7897ae5d459257eec116089679e0bc486d81e93edd4deb1de7

  • SHA512

    8e040e9c74a8e2c1e628827b5286a78ad5f827e0946a696f2da9c2e4249afa1d2881daeda0ff263ef50cf7b47c5428b7049dc78653e9630dd5e2abd9765b3f03

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBDB/bSqz8b6LNX:sxX7QnxrloE5dpUpobVz8eLF

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive user data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9b1c7f08a6203d7897ae5d459257eec116089679e0bc486d81e93edd4deb1de7.exe
    "C:\Users\Admin\AppData\Local\Temp\9b1c7f08a6203d7897ae5d459257eec116089679e0bc486d81e93edd4deb1de7.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1992
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:1540
    • C:\AdobeLO\xoptiec.exe
      C:\AdobeLO\xoptiec.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2876

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\AdobeLO\xoptiec.exe

    Filesize

    647KB

    MD5

    8e458a49ceaa667b0f7a6c1213d45da2

    SHA1

    f9c6f5d957b23a946c8802831b59fc1297642f28

    SHA256

    595c7e51c8954750e727e540bcc43438aa237a6377de34aeff2a1e1c92e3e9af

    SHA512

    a34f92114b37adb22362112a671af58e8b24b349ace371fcda3acb33ca711174288b6e56275a561e13d38c605ce614bccfa2c87a063e1ef9be8f7641e558dd1b

  • C:\AdobeLO\xoptiec.exe

    Filesize

    3.0MB

    MD5

    eba5aead78b461fe7accee387336e3c0

    SHA1

    e7f507d0e353d4fe3bd131bd7ffeb5cdf0804669

    SHA256

    375b3458d512eee3e2d49c4874cc94e3f5fb6ab7063591b5348386fd10e24786

    SHA512

    d403f6b26e293c1823d1da1185d4f2c2d3765e034d126c38e82342e1a61cb049b77cb74b4cd1e5ee1cb053272543e0c464e9bb08a38fd7b12234281612755af1

  • C:\GalaxGJ\optixsys.exe

    Filesize

    246KB

    MD5

    213ea1dba977cfc4323aafb5ec838b70

    SHA1

    2ac556ce3aa3363b198683beb75a696aa6f0059f

    SHA256

    45d173ea065d141d402a5fb7783ff9888832b4dfffd2cd65c87ed9506da4881b

    SHA512

    b6ee4a920f76ef9bc21210ca99cf60307b97e4e114d42ddaa62e4dbb6ad5289f60b09b2db0c19a279243f869cc00ae07fe2d2132c6c30bdb91c92950450bcc21

  • C:\GalaxGJ\optixsys.exe

    Filesize

    1022KB

    MD5

    fb1771b1763b675638fff2dd51e268be

    SHA1

    1528bf41cfdfc652b205db7120038c9bc2adb8d9

    SHA256

    4775743f6d0eaecf71bd18018b77ab9d7c20487ad8892a736b1f4053eab88abc

    SHA512

    60f0a71e544e9189cefb1c8ce36d32dda0ebf89fcef08263b23e2c8ecac2191bee465364707656f41bb440a8b174382d9733dceae6afba885108fad74bcab691

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    202B

    MD5

    d8edc6807296c7775369ff858ed464fa

    SHA1

    ea9fa858e275ae564de272d1053cabd05c2b3f9b

    SHA256

    7b8b272f329ec28cb7d5b3596e26b9051853c702941230f37953f90389661d25

    SHA512

    c1388a0c5aa84291b09c40e80c6f8a7eff3112aa9115b930903e83478cc3c978349b51fde1d8fa51f18aeda9d3e645bdb1e17fed4dfc1f0b71b1275caf67d5f0

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    170B

    MD5

    6cb1ac5e4cea64c37247e4945fedec42

    SHA1

    aa29600b765f7afbc8994fcb6ade70c4e9fe7451

    SHA256

    b4ac19437dc5b4757fde53dddaa90fb909e4d05c6c45f5b07a52e0e8a59d36bd

    SHA512

    ea278aa7dd9eeb0a1fd4f2c51ea6b19280af518129f5eca43e1013c7e59b8e66a20495e7359a7315952360dfd39b791e49d4c24b60e2b4ef9edc761d3b2007e9

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe

    Filesize

    3.0MB

    MD5

    c71f789f208fa3ab82a6c019d6a4f0db

    SHA1

    9422f9da89d51debaa34928bcf739b8c526f6234

    SHA256

    c38d052ceaa204a8420bbd2bd61b46740f0abda0774d70b23b68e35ffac68cc3

    SHA512

    fe3b90f04d0064f0efebca91bfe156a12ed9a2c38a00f362c5b77cd689a9ccfb3f02558e5bb4480ce97362a403c89283863f299041945a183523921273ebc425