Overview

overview

7

Static

static

3

2650c3bfb6...0N.exe

windows7-x64

7

2650c3bfb6...0N.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    119s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    12-07-2024 02:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2650c3bfb6a3911960976c2bd8b46ed0N.exe

  • Size

    4.0MB

  • MD5

    2650c3bfb6a3911960976c2bd8b46ed0

  • SHA1

    30334f6f66ea9ead0f51124f12329fb543c058bc

  • SHA256

    d354a9694cf18ff7da16c078045436891ef3c5781c8a6dd83f395dfcec169b6f

  • SHA512

    0a08524b4f1d247d138b6bbafb14ac8046934d0b40cca4cbc4ef5ed19d84e16327654c5dfdcaed2448c332d5f14e78d9e221333f537e543bfa8bb8ca9fcb21af

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBQB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpzbVz8eLFcz

Score
7/10
persistencespywarestealer

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2650c3bfb6a3911960976c2bd8b46ed0N.exe
    "C:\Users\Admin\AppData\Local\Temp\2650c3bfb6a3911960976c2bd8b46ed0N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2416
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2176
    • C:\AdobeNH\xoptisys.exe
      C:\AdobeNH\xoptisys.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2892

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\AdobeNH\xoptisys.exe
    Filesize

    4.0MB

    MD5

    b4a35830f001f7430831c0b599a50ef1

    SHA1

    58c5aa78c286fae6d50785e025b47b808f2f74e2

    SHA256

    1b25603644006075d20caa538975da3ae6b4eec6fc597b14d8c80d202af91d12

    SHA512

    9071ff0b23a45274074f6cb8b3b52a0444acd141914ebc03dfd7ae16bb4beb3d8df1da0a742383a39b141e6a53c904e9c183e0a40fdce7fa25f1d8a8376bd1e3

    Download Submit

  • C:\LabZC8\boddevloc.exe
    Filesize

    4.0MB

    MD5

    a515f96f4a6388662d03f84fec3bde88

    SHA1

    b7c62f38e0c9a6dd892228a5c7bf849bf679a8cb

    SHA256

    8392eb88460f8a871536121ef27a16409612945d50c0de93dfb04a8a11c8df96

    SHA512

    1683ebddca896603ccf60c042e6832cde0dde3530f96964dc9e2cfcbe311520478befe6c0d586bf0d5cf82a07690c4f1d2fb088619884e635900d801c35b16f3

    Download Submit

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize

    171B

    MD5

    7fd081989d700a62a6eb2dd1256652e1

    SHA1

    9efd179e8c01c82f71ee1d184326db9389425a96

    SHA256

    113a2fb570d3307d657be2dc3de400aacc974ae7a64e88fbce032bafc6132e36

    SHA512

    4886d2eab8cfe38c42db95bc9c8c8c51ad199068160bd301e47b4abb654013a08125b08318d2be375b076d0314565bc7267ab5733967976f46cb36b2fa96f1fb

    Download Submit

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize

    203B

    MD5

    09f0b27d28e853cfaea347cdfbf63d06

    SHA1

    0e983b11786e6a7b1998e2304dbc5591adbe6f17

    SHA256

    0ca7c58dd74181dcaae89dd017a9cef85e270bc840fe35369327e3a661eb6ed3

    SHA512

    690a4119bb3969fc8c980b92f5964798c146bb99b636855568a6478d3031dc07f3a224265356f44cacecdda9c4774db2a965de0b92552c3f7672404c1f77343d

    Download Submit

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
    Filesize

    4.0MB

    MD5

    6ab4e7d1e9d145ce1ea392b74af12063

    SHA1

    9eed1b871a83dcc20a7858a6dc539e7e63cf57e8

    SHA256

    a3ded7eb746bd5fc549ff9ae2c1a4561844240cfe66254bcad48ac858e3289d7

    SHA512

    2bdba00d2fa3b291728a4f09792f16e6aeade43f5e8ed1357055ac8098f7a5d288a49b3e614f9669f36287b52e7c05c9bbfccfdbaadb4a366513237273c2bab8

    Download Submit