0488cb13a4a71ab9c0313af80fd51886b618a1cfb8baeb0fe74f0bc55f3223c7

Analysis

max time kernel
119s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26/07/2024, 13:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

130a84e39f527ccc098fe180888fffe0N.exe
Size

3.0MB
MD5

130a84e39f527ccc098fe180888fffe0
SHA1

841d830070b179e4b64c1f4fd11a9cc2e98b5930
SHA256

0488cb13a4a71ab9c0313af80fd51886b618a1cfb8baeb0fe74f0bc55f3223c7
SHA512

09ad3ac741ca410068231380d21932f016d0df6369f994f9d27fa17b4be4fc796acf2ae73368a530a86f1945180ef2203c1ac7184f6752032b06fe44eb48c131
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBlB/bSqz8b6LNX:sxX7QnxrloE5dpUpebVz8eLF

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe	130a84e39f527ccc098fe180888fffe0N.exe

Executes dropped EXE 2 IoCs

pid	Process
3496	ecabod.exe
2704	xoptiloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesK2\\xoptiloc.exe"	130a84e39f527ccc098fe180888fffe0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintXN\\optidevec.exe"	130a84e39f527ccc098fe180888fffe0N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecabod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xoptiloc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	130a84e39f527ccc098fe180888fffe0N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
100	130a84e39f527ccc098fe180888fffe0N.exe
100	130a84e39f527ccc098fe180888fffe0N.exe
100	130a84e39f527ccc098fe180888fffe0N.exe
100	130a84e39f527ccc098fe180888fffe0N.exe
3496	ecabod.exe
3496	ecabod.exe
2704	xoptiloc.exe
2704	xoptiloc.exe
3496	ecabod.exe
3496	ecabod.exe
2704	xoptiloc.exe
2704	xoptiloc.exe
3496	ecabod.exe
3496	ecabod.exe
2704	xoptiloc.exe
2704	xoptiloc.exe
3496	ecabod.exe
3496	ecabod.exe
2704	xoptiloc.exe
2704	xoptiloc.exe
3496	ecabod.exe
3496	ecabod.exe
2704	xoptiloc.exe
2704	xoptiloc.exe
3496	ecabod.exe
3496	ecabod.exe
2704	xoptiloc.exe
2704	xoptiloc.exe
3496	ecabod.exe
3496	ecabod.exe
2704	xoptiloc.exe
2704	xoptiloc.exe
3496	ecabod.exe
3496	ecabod.exe
2704	xoptiloc.exe
2704	xoptiloc.exe
3496	ecabod.exe
3496	ecabod.exe
2704	xoptiloc.exe
2704	xoptiloc.exe
3496	ecabod.exe
3496	ecabod.exe
2704	xoptiloc.exe
2704	xoptiloc.exe
3496	ecabod.exe
3496	ecabod.exe
2704	xoptiloc.exe
2704	xoptiloc.exe
3496	ecabod.exe
3496	ecabod.exe
2704	xoptiloc.exe
2704	xoptiloc.exe
3496	ecabod.exe
3496	ecabod.exe
2704	xoptiloc.exe
2704	xoptiloc.exe
3496	ecabod.exe
3496	ecabod.exe
2704	xoptiloc.exe
2704	xoptiloc.exe
3496	ecabod.exe
3496	ecabod.exe
2704	xoptiloc.exe
2704	xoptiloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 100 wrote to memory of 3496	100	130a84e39f527ccc098fe180888fffe0N.exe	87
PID 100 wrote to memory of 3496	100	130a84e39f527ccc098fe180888fffe0N.exe	87
PID 100 wrote to memory of 3496	100	130a84e39f527ccc098fe180888fffe0N.exe	87
PID 100 wrote to memory of 2704	100	130a84e39f527ccc098fe180888fffe0N.exe	90
PID 100 wrote to memory of 2704	100	130a84e39f527ccc098fe180888fffe0N.exe	90
PID 100 wrote to memory of 2704	100	130a84e39f527ccc098fe180888fffe0N.exe	90

C:\Users\Admin\AppData\Local\Temp\130a84e39f527ccc098fe180888fffe0N.exe
"C:\Users\Admin\AppData\Local\Temp\130a84e39f527ccc098fe180888fffe0N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:100
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3496
- C:\FilesK2\xoptiloc.exe
  C:\FilesK2\xoptiloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesK2\xoptiloc.exe

Filesize
3.0MB

MD5
7ffefeaf78f1eb5d91c80cc70351dc69

SHA1
01cf94551535758ed62eb223d311d84d85017553

SHA256
6d5d053dd2b4702a485fa63d9d22dc8cfc482a9c64a819be81f7b414067e87df

SHA512
7ddcedba7f9a3f428f80224bdd00c1a3a6f1cf5716a07bc5ec39af47e7fe353695b1a2d94c70578c72fb5af509fb0e40abfc52f6b7b8e829492c9c7591f564d5

Download Submit
C:\MintXN\optidevec.exe

Filesize
3.0MB

MD5
b159b7c5aaf98c20b4c22b0d9b492349

SHA1
2adb78049ba2bb034bff84199483b769a6df8a29

SHA256
46bb00980a085a5f8818c8e41ac3f9a243fb3d8b1b8ec26ebe416be6dd0d239c

SHA512
2c6f14d58fc7aa02b36902b7e89e858347f7debf61a1fa500880d7a1918ea587ea1d8a921fe4157f1aabf0afc358cce43498d19e91855f8cdaea5b5bea2ecd92

Download Submit
C:\MintXN\optidevec.exe

Filesize
3.0MB

MD5
e5da63f31b43af243630b36125d7f42f

SHA1
aa1fb17714249f7da14b63c40014946dad1b26b6

SHA256
f94a0a79e027639ff02efb8f33449d717bdf3d0a9033632a003fd3fc0497c19c

SHA512
a3096a756728cb54e608669e6832101ec165b82a6b12f43f297efc14e1352f7e41a73049a93d24acb7c65e9231beb35e9396df3a6b542f7dd92abf4a266fefdd

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
78f17fddb1d06f09b38c8c323737fa88

SHA1
cde192f3152a095baaf4750bae8ae92028871ac2

SHA256
35b407ff55e7efaec3563f8b0b7fc9a60c815e47d49c931603e484178de8a7de

SHA512
cb00ca88582f30d23ffebdf3da45af0bd58dff8bfaaaa34734c60525fb4baa58a19db2357643c1e38795aafb3865bb54322407a4e4426bbc6b9b910f784dcce7

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
170B

MD5
b50ba17817222d8307cc922285055e35

SHA1
11861a25766269c6e269af8a2e8c017fc6d6c814

SHA256
62136b11f5102a2e13eb7d4ef5a767fb74b32b5871cbbaeccf3d8a7d1561292c

SHA512
c3cb7c27b7e429317282b3b6a74d778ccef2195157366108d46b7ecf2b2807e4c1e9c148d37d696f9ffab3d7b09c638d464267a1999fc36fe2ff59c6c02e772b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe

Filesize
3.0MB

MD5
06d83eb112ff995c5ec937b81e0d9303

SHA1
499d77478077600797d4a98a6da1516578aa21ec

SHA256
afdeca7b68182437839ca2d236d92490f3d2ecc9a64753f9c86d2e3ac5f6647e

SHA512
4f2be7b263f07bbc565ceb5f53d2482e961c4e54eadca248eba84087f3415de5482f75f6307ed2c3d030d4eee8b3ceb70b5c89a257f60f0e6d46f9fb3cf429a6

Download Submit