848d34a49dcc5993ab67ca0902170448706bc1b050313ecf1aa92ba75202cc82

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/08/2024, 23:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

848d34a49dcc5993ab67ca0902170448706bc1b050313ecf1aa92ba75202cc82.exe
Size

2.6MB
MD5

4be210cc60d7720d099937ebaf0fc39f
SHA1

62149d4334942bbfdbedc0a4ab5470f27e53df9a
SHA256

848d34a49dcc5993ab67ca0902170448706bc1b050313ecf1aa92ba75202cc82
SHA512

aec41eef005891ce6e590685cf335285e05248799f54e83a4c749e10d107b55f25b571ddab5037fe4104fca2686407ee3052749241769e69863f12e5eae80bcc
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBOB/bS:sxX7QnxrloE5dpUpxb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe	848d34a49dcc5993ab67ca0902170448706bc1b050313ecf1aa92ba75202cc82.exe

Executes dropped EXE 2 IoCs

pid	Process
3692	ecxbod.exe
2232	xoptisys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvHQ\\xoptisys.exe"	848d34a49dcc5993ab67ca0902170448706bc1b050313ecf1aa92ba75202cc82.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZW3\\optidevloc.exe"	848d34a49dcc5993ab67ca0902170448706bc1b050313ecf1aa92ba75202cc82.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecxbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xoptisys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	848d34a49dcc5993ab67ca0902170448706bc1b050313ecf1aa92ba75202cc82.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4708	848d34a49dcc5993ab67ca0902170448706bc1b050313ecf1aa92ba75202cc82.exe
4708	848d34a49dcc5993ab67ca0902170448706bc1b050313ecf1aa92ba75202cc82.exe
4708	848d34a49dcc5993ab67ca0902170448706bc1b050313ecf1aa92ba75202cc82.exe
4708	848d34a49dcc5993ab67ca0902170448706bc1b050313ecf1aa92ba75202cc82.exe
3692	ecxbod.exe
3692	ecxbod.exe
2232	xoptisys.exe
2232	xoptisys.exe
3692	ecxbod.exe
3692	ecxbod.exe
2232	xoptisys.exe
2232	xoptisys.exe
3692	ecxbod.exe
3692	ecxbod.exe
2232	xoptisys.exe
2232	xoptisys.exe
3692	ecxbod.exe
3692	ecxbod.exe
2232	xoptisys.exe
2232	xoptisys.exe
3692	ecxbod.exe
3692	ecxbod.exe
2232	xoptisys.exe
2232	xoptisys.exe
3692	ecxbod.exe
3692	ecxbod.exe
2232	xoptisys.exe
2232	xoptisys.exe
3692	ecxbod.exe
3692	ecxbod.exe
2232	xoptisys.exe
2232	xoptisys.exe
3692	ecxbod.exe
3692	ecxbod.exe
2232	xoptisys.exe
2232	xoptisys.exe
3692	ecxbod.exe
3692	ecxbod.exe
2232	xoptisys.exe
2232	xoptisys.exe
3692	ecxbod.exe
3692	ecxbod.exe
2232	xoptisys.exe
2232	xoptisys.exe
3692	ecxbod.exe
3692	ecxbod.exe
2232	xoptisys.exe
2232	xoptisys.exe
3692	ecxbod.exe
3692	ecxbod.exe
2232	xoptisys.exe
2232	xoptisys.exe
3692	ecxbod.exe
3692	ecxbod.exe
2232	xoptisys.exe
2232	xoptisys.exe
3692	ecxbod.exe
3692	ecxbod.exe
2232	xoptisys.exe
2232	xoptisys.exe
3692	ecxbod.exe
3692	ecxbod.exe
2232	xoptisys.exe
2232	xoptisys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4708 wrote to memory of 3692	4708	848d34a49dcc5993ab67ca0902170448706bc1b050313ecf1aa92ba75202cc82.exe	84
PID 4708 wrote to memory of 3692	4708	848d34a49dcc5993ab67ca0902170448706bc1b050313ecf1aa92ba75202cc82.exe	84
PID 4708 wrote to memory of 3692	4708	848d34a49dcc5993ab67ca0902170448706bc1b050313ecf1aa92ba75202cc82.exe	84
PID 4708 wrote to memory of 2232	4708	848d34a49dcc5993ab67ca0902170448706bc1b050313ecf1aa92ba75202cc82.exe	85
PID 4708 wrote to memory of 2232	4708	848d34a49dcc5993ab67ca0902170448706bc1b050313ecf1aa92ba75202cc82.exe	85
PID 4708 wrote to memory of 2232	4708	848d34a49dcc5993ab67ca0902170448706bc1b050313ecf1aa92ba75202cc82.exe	85

C:\Users\Admin\AppData\Local\Temp\848d34a49dcc5993ab67ca0902170448706bc1b050313ecf1aa92ba75202cc82.exe
"C:\Users\Admin\AppData\Local\Temp\848d34a49dcc5993ab67ca0902170448706bc1b050313ecf1aa92ba75202cc82.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4708
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3692
- C:\SysDrvHQ\xoptisys.exe
  C:\SysDrvHQ\xoptisys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZW3\optidevloc.exe

Filesize
2.4MB

MD5
eff2df012ead37dcb95899811a02d7af

SHA1
41c338442c4cff70f03c01cc0d3df94bd7ba9f34

SHA256
00eb3aa6a3f5819353f748508d09672f54c0bee5d98bf7186dc855b7449fc0be

SHA512
773edaf327afb900e739db7fedd8d48737eeeaaafb8cc691392e57a3d3e6f594f29d78e549ad0572e35eeada65a3843733117fa1c2c799dbc5df9e775aeb8a80

Download Submit
C:\LabZW3\optidevloc.exe

Filesize
2.6MB

MD5
a1cb02fc9b7ff35fc22e16f0460e3cb9

SHA1
97c64ae73219c7d99dc0914552e8ff36eb6834d6

SHA256
8ae620055017eb69420a6e3ff006cc35dda705ae51ba6f517def850d3b1c7e47

SHA512
ec9424e7f67e9dd121bd975819ef34253a972b7ac6bf0af69a8d5987bdf7bc7a7b488916eda618eb97f4ba46b8917d88169fcbf5d557b61d69cec660a9353d41

Download Submit
C:\SysDrvHQ\xoptisys.exe

Filesize
2.6MB

MD5
d4fc82c24c5b636d5821d039894a658a

SHA1
77ebb09142280e4eacb9c2a0bf9f9a4909c55301

SHA256
e9079a4d151c4553162806a864892a3ccc99f0fcc3cd78c3bb4f704d9bc34934

SHA512
c392f23bdc4a94b57fc9cb6a2f0805317ef5d12d7049afc29c53a66bd7890da7ec37574db5ed270c6ab6496f55af876d7d271ba950b7a317afe3dbae28b4fa04

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
86951a4a62c51641f8fa2837d9d84ec9

SHA1
70045c3e33656556d18d9be09e30160e82e89ada

SHA256
2c9d39a5cac357fae70f5fda6bdda7447bc3d65b87763707309179091ce6e41b

SHA512
ed68f84e714099a4e4321cbb2f6b4a26e2b9de004fc46bcddaaa05ffafdcadd151b3b867942263157bd75c02616d048c8b77c7fbed55b20609ee5216a89a058b

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
172B

MD5
63d72f970de6b94714847bf277317c93

SHA1
0d203ac041901e8ca4c67162f8d032789d523148

SHA256
d1ebb8c0b565ff9ec5b01898abbe3406dd39d5c0c2f5a256d2cfe231c5817b25

SHA512
e4c14d2c8d5312c2d71a44dfc952604e2f6fe71336872b215be42f4729d3a44de871de0bbad7e0668ad4fe5108437a8557439fc39c038a486ce395336bc6dc9f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe

Filesize
2.6MB

MD5
8e01c10a8b2dbdbd4f5519e06de89aca

SHA1
48a4cab7b5540702bd2d898c8be4ee968267d60c

SHA256
962be01bd7053deac551a815e1fba430b6375ac291b54f8b8a36e4ac32820e8a

SHA512
9f76431b11708c68f1ea26fa59db956fc9948dedaf4e8995af02b5c0012337273814be353da452b3775146feb8223452bb3f3fab0e98b849f9c3653fb6a069f2

Download Submit