ea42bdaa4ea83af02de640a99df3a3b8bd51fa1a7a4e4512ea0f006d8dc52ca6

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
11/06/2024, 04:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ea42bdaa4ea83af02de640a99df3a3b8bd51fa1a7a4e4512ea0f006d8dc52ca6.exe
Size

4.1MB
MD5

378c6ab3c3e71ac7d5539c32c295c9cb
SHA1

7ddc7c876c17b7d8d1474bd91827ff9f165e82e3
SHA256

ea42bdaa4ea83af02de640a99df3a3b8bd51fa1a7a4e4512ea0f006d8dc52ca6
SHA512

36df82cc81143dff7e672d7971362853148b3b895999f696c536d8b783ee9c4cf1b51c26e003129aab6d03e6c55e6aea45f74d2bda30812ca3f891db4f0d620c
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB2B/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUp5bVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe	ea42bdaa4ea83af02de640a99df3a3b8bd51fa1a7a4e4512ea0f006d8dc52ca6.exe

Executes dropped EXE 2 IoCs

pid	Process
1748	ecxdob.exe
2900	xoptiec.exe

Loads dropped DLL 2 IoCs

pid	Process
2052	ea42bdaa4ea83af02de640a99df3a3b8bd51fa1a7a4e4512ea0f006d8dc52ca6.exe
2052	ea42bdaa4ea83af02de640a99df3a3b8bd51fa1a7a4e4512ea0f006d8dc52ca6.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocZ9\\xoptiec.exe"	ea42bdaa4ea83af02de640a99df3a3b8bd51fa1a7a4e4512ea0f006d8dc52ca6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint5H\\bodxloc.exe"	ea42bdaa4ea83af02de640a99df3a3b8bd51fa1a7a4e4512ea0f006d8dc52ca6.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2052	ea42bdaa4ea83af02de640a99df3a3b8bd51fa1a7a4e4512ea0f006d8dc52ca6.exe
2052	ea42bdaa4ea83af02de640a99df3a3b8bd51fa1a7a4e4512ea0f006d8dc52ca6.exe
1748	ecxdob.exe
2900	xoptiec.exe
1748	ecxdob.exe
2900	xoptiec.exe
1748	ecxdob.exe
2900	xoptiec.exe
1748	ecxdob.exe
2900	xoptiec.exe
1748	ecxdob.exe
2900	xoptiec.exe
1748	ecxdob.exe
2900	xoptiec.exe
1748	ecxdob.exe
2900	xoptiec.exe
1748	ecxdob.exe
2900	xoptiec.exe
1748	ecxdob.exe
2900	xoptiec.exe
1748	ecxdob.exe
2900	xoptiec.exe
1748	ecxdob.exe
2900	xoptiec.exe
1748	ecxdob.exe
2900	xoptiec.exe
1748	ecxdob.exe
2900	xoptiec.exe
1748	ecxdob.exe
2900	xoptiec.exe
1748	ecxdob.exe
2900	xoptiec.exe
1748	ecxdob.exe
2900	xoptiec.exe
1748	ecxdob.exe
2900	xoptiec.exe
1748	ecxdob.exe
2900	xoptiec.exe
1748	ecxdob.exe
2900	xoptiec.exe
1748	ecxdob.exe
2900	xoptiec.exe
1748	ecxdob.exe
2900	xoptiec.exe
1748	ecxdob.exe
2900	xoptiec.exe
1748	ecxdob.exe
2900	xoptiec.exe
1748	ecxdob.exe
2900	xoptiec.exe
1748	ecxdob.exe
2900	xoptiec.exe
1748	ecxdob.exe
2900	xoptiec.exe
1748	ecxdob.exe
2900	xoptiec.exe
1748	ecxdob.exe
2900	xoptiec.exe
1748	ecxdob.exe
2900	xoptiec.exe
1748	ecxdob.exe
2900	xoptiec.exe
1748	ecxdob.exe
2900	xoptiec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2052 wrote to memory of 1748	2052	ea42bdaa4ea83af02de640a99df3a3b8bd51fa1a7a4e4512ea0f006d8dc52ca6.exe	28
PID 2052 wrote to memory of 1748	2052	ea42bdaa4ea83af02de640a99df3a3b8bd51fa1a7a4e4512ea0f006d8dc52ca6.exe	28
PID 2052 wrote to memory of 1748	2052	ea42bdaa4ea83af02de640a99df3a3b8bd51fa1a7a4e4512ea0f006d8dc52ca6.exe	28
PID 2052 wrote to memory of 1748	2052	ea42bdaa4ea83af02de640a99df3a3b8bd51fa1a7a4e4512ea0f006d8dc52ca6.exe	28
PID 2052 wrote to memory of 2900	2052	ea42bdaa4ea83af02de640a99df3a3b8bd51fa1a7a4e4512ea0f006d8dc52ca6.exe	29
PID 2052 wrote to memory of 2900	2052	ea42bdaa4ea83af02de640a99df3a3b8bd51fa1a7a4e4512ea0f006d8dc52ca6.exe	29
PID 2052 wrote to memory of 2900	2052	ea42bdaa4ea83af02de640a99df3a3b8bd51fa1a7a4e4512ea0f006d8dc52ca6.exe	29
PID 2052 wrote to memory of 2900	2052	ea42bdaa4ea83af02de640a99df3a3b8bd51fa1a7a4e4512ea0f006d8dc52ca6.exe	29

C:\Users\Admin\AppData\Local\Temp\ea42bdaa4ea83af02de640a99df3a3b8bd51fa1a7a4e4512ea0f006d8dc52ca6.exe
"C:\Users\Admin\AppData\Local\Temp\ea42bdaa4ea83af02de640a99df3a3b8bd51fa1a7a4e4512ea0f006d8dc52ca6.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2052
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1748
- C:\IntelprocZ9\xoptiec.exe
  C:\IntelprocZ9\xoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocZ9\xoptiec.exe

Filesize
4.1MB

MD5
4311fe484eea5c291892dd62ee4296b0

SHA1
5c2b1f847802ddd5a058ee930b96b10ad5abac8d

SHA256
7a18be9e8b5479353070ec2826d583b00de15b5a17615af23fe1fa9e31d0ff4a

SHA512
8cdcee7275b5724f7c52c686d4661c804da2b90d41b9fa2f8e50495dec68a58dfad93e1a8da59ffb16f014e238f86e43c701e2071979b515c35d3fb01631fc8d

Download Submit
C:\Mint5H\bodxloc.exe

Filesize
2.2MB

MD5
2da77210e91caf501ae8eb7a5058c09c

SHA1
f2be9fd67bcf4c1234d9bfa599579001b8cf3455

SHA256
295ec0cb5a00166834dd44e29cce930cf4c438e7416afa7da9b454d92aa1811e

SHA512
04d9099feee74e76c2253213f56ce62d4105e01080d0f01d2f0f29b7c87f74ee830bc01ab093373052d8190ebe2f0c884c36734831ce4987f6c28f51d4daf026

Download Submit
C:\Mint5H\bodxloc.exe

Filesize
4.1MB

MD5
70e1c8eff47feddf3f514934c2260b72

SHA1
325b67fd2e9b884053fd1dd4113ec16f22dc452d

SHA256
d025989ce2f937e570c112f5022593b62bf20a194daad27cb54a9e4afb75922b

SHA512
9725500403f6c89dfa719e2939bc9c7cd210c8ec1c7d14019a191b099a8fa4a8094a29a0b4695101f66e6faf47ccce21d8a2fa5a45b4ddb37f5b39b18233553c

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
171B

MD5
b6eb06716a00563393557b9fc7c1c6e1

SHA1
bf6f51ac9c31c7563893db8b6753ddf2be31c58d

SHA256
696d93ad82c42ddb11677cc38d7de4313bc708f46541f3058d4e1c3bff5ab3d9

SHA512
903420bf22847d935578363e8685bef39041e79fa35b298bfa937cb887856144de50134ba5ee8646c313e340ab1af0281c5979b006bcbb71f92b6688e3b5e069

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
aff9729dbca8e9ba7159d4371600e150

SHA1
10625091665e8de3ec6258c2cbdf7bf8bfead577

SHA256
b8f44d90a1ef69b1b964a4d0bd43cf6990d568497d5973c48a99386a3958b2c4

SHA512
b8056f05ac5b421cb4fdecfa25118b82f4ed5df2e02f6c0afd9be7b8b281a3fe94173eb6b2f0944064497a58dbbd2602ae1fe4fa94d700c9def92a755fa6b7de

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe

Filesize
4.1MB

MD5
a5e68f886ec46dd8992e7cdfcef98780

SHA1
f442c6acd4ee43995de17a5bac0e3c8f0e067cfc

SHA256
f001e509f87dbe72be3e3e9f4347d09f876a076bab272e7330539dcf09c3d4b5

SHA512
0cb126745496e36c455c320c3dc2ef58b23a1b9cb50cc6b247859a94d3603ce144e31297a816b6c034ffeba117e1c4c35c2975cd24d04c8759c06da6f95de15a

Download Submit