3432b3bb4b9778d996a8bf973ffae8cf7dc06baf4e338df021be5bd7a502e045

Analysis

max time kernel
150s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-08-2024 20:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3432b3bb4b9778d996a8bf973ffae8cf7dc06baf4e338df021be5bd7a502e045.exe
Size

3.2MB
MD5

6e2757a6f53d14a8b541f8cfaf064a50
SHA1

22d265bf15497a428150eb5c7948bc43cef14cc0
SHA256

3432b3bb4b9778d996a8bf973ffae8cf7dc06baf4e338df021be5bd7a502e045
SHA512

564c7440fd0441fe6eb5e62cecf6228a8305d65e13015ceb558d48d4857f5443b529cb3452b07abae67177f95f2e62f7436a6a0704dcf4d716ef4371ad4909aa
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBiB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpVbVz8eLFcz

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe	3432b3bb4b9778d996a8bf973ffae8cf7dc06baf4e338df021be5bd7a502e045.exe

Executes dropped EXE 2 IoCs

pid	Process
1468	ecadob.exe
4692	xoptisys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesZJ\\xoptisys.exe"	3432b3bb4b9778d996a8bf973ffae8cf7dc06baf4e338df021be5bd7a502e045.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxEX\\optidevloc.exe"	3432b3bb4b9778d996a8bf973ffae8cf7dc06baf4e338df021be5bd7a502e045.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3432b3bb4b9778d996a8bf973ffae8cf7dc06baf4e338df021be5bd7a502e045.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecadob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xoptisys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1908	3432b3bb4b9778d996a8bf973ffae8cf7dc06baf4e338df021be5bd7a502e045.exe
1908	3432b3bb4b9778d996a8bf973ffae8cf7dc06baf4e338df021be5bd7a502e045.exe
1908	3432b3bb4b9778d996a8bf973ffae8cf7dc06baf4e338df021be5bd7a502e045.exe
1908	3432b3bb4b9778d996a8bf973ffae8cf7dc06baf4e338df021be5bd7a502e045.exe
1468	ecadob.exe
1468	ecadob.exe
4692	xoptisys.exe
4692	xoptisys.exe
1468	ecadob.exe
1468	ecadob.exe
4692	xoptisys.exe
4692	xoptisys.exe
1468	ecadob.exe
1468	ecadob.exe
4692	xoptisys.exe
4692	xoptisys.exe
1468	ecadob.exe
1468	ecadob.exe
4692	xoptisys.exe
4692	xoptisys.exe
1468	ecadob.exe
1468	ecadob.exe
4692	xoptisys.exe
4692	xoptisys.exe
1468	ecadob.exe
1468	ecadob.exe
4692	xoptisys.exe
4692	xoptisys.exe
1468	ecadob.exe
1468	ecadob.exe
4692	xoptisys.exe
4692	xoptisys.exe
1468	ecadob.exe
1468	ecadob.exe
4692	xoptisys.exe
4692	xoptisys.exe
1468	ecadob.exe
1468	ecadob.exe
4692	xoptisys.exe
4692	xoptisys.exe
1468	ecadob.exe
1468	ecadob.exe
4692	xoptisys.exe
4692	xoptisys.exe
1468	ecadob.exe
1468	ecadob.exe
4692	xoptisys.exe
4692	xoptisys.exe
1468	ecadob.exe
1468	ecadob.exe
4692	xoptisys.exe
4692	xoptisys.exe
1468	ecadob.exe
1468	ecadob.exe
4692	xoptisys.exe
4692	xoptisys.exe
1468	ecadob.exe
1468	ecadob.exe
4692	xoptisys.exe
4692	xoptisys.exe
1468	ecadob.exe
1468	ecadob.exe
4692	xoptisys.exe
4692	xoptisys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1908 wrote to memory of 1468	1908	3432b3bb4b9778d996a8bf973ffae8cf7dc06baf4e338df021be5bd7a502e045.exe	90
PID 1908 wrote to memory of 1468	1908	3432b3bb4b9778d996a8bf973ffae8cf7dc06baf4e338df021be5bd7a502e045.exe	90
PID 1908 wrote to memory of 1468	1908	3432b3bb4b9778d996a8bf973ffae8cf7dc06baf4e338df021be5bd7a502e045.exe	90
PID 1908 wrote to memory of 4692	1908	3432b3bb4b9778d996a8bf973ffae8cf7dc06baf4e338df021be5bd7a502e045.exe	91
PID 1908 wrote to memory of 4692	1908	3432b3bb4b9778d996a8bf973ffae8cf7dc06baf4e338df021be5bd7a502e045.exe	91
PID 1908 wrote to memory of 4692	1908	3432b3bb4b9778d996a8bf973ffae8cf7dc06baf4e338df021be5bd7a502e045.exe	91

C:\Users\Admin\AppData\Local\Temp\3432b3bb4b9778d996a8bf973ffae8cf7dc06baf4e338df021be5bd7a502e045.exe
"C:\Users\Admin\AppData\Local\Temp\3432b3bb4b9778d996a8bf973ffae8cf7dc06baf4e338df021be5bd7a502e045.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1468
- C:\FilesZJ\xoptisys.exe
  C:\FilesZJ\xoptisys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesZJ\xoptisys.exe

Filesize
173KB

MD5
3f393ad839310e4e0694909217dff92a

SHA1
7779105635a4cc1bc5c52c818e952a3a62cca40c

SHA256
eadfd7ef38e27a05da97055da0e12883c08fa86ab8e39c57bb8eea3927ecbe8e

SHA512
35c2aad95f8f8557790d95141f61284cc10ff0304cfa2c99b2cc4ee713ea488d6c3b4c6ebaea5c551e6b493473be5dd64aec690b2169895a2d913e310c4f8359

Download Submit
C:\FilesZJ\xoptisys.exe

Filesize
3.2MB

MD5
acc23dfffb2f4fa58a0f5ef3cf67e452

SHA1
4f3afc59e880de4001b5d7a6503cf1f06995badd

SHA256
a4877b17d2ccc8e4502d3d49de464f1a34bc547fa841b71b63cfd13c6eb21dd3

SHA512
18a4b5d6b907b260b9da796166c8849cf2b05daa156449cbdbd5ff37723eabc766d53bb1d3ebb0b2670117410500b81dfe32e01196a1f49a8c0e1b469bd4331c

Download Submit
C:\GalaxEX\optidevloc.exe

Filesize
317KB

MD5
6645579365c158f69a1b016ccb39a05f

SHA1
a6d6f5d2fde234a7a14b840e9c91869ae25c65fd

SHA256
09b838dc870f7e024537e402c61bd6a025cbef07be99f6399a52377f9c608764

SHA512
e01cac528edda3e0b94043b4e139e629692f49de8953c32e874db0a0d3b1bbb2ff6fac38784f5423f8b1c3027041365fe874529b3c36206312059f005a6dfcef

Download Submit
C:\GalaxEX\optidevloc.exe

Filesize
3.2MB

MD5
61b4f1052271e0dd010c2e155754dfa0

SHA1
95693ab7a400f5b2779749cfc5b1402eae2c0786

SHA256
0d367a4bba595758479176e860cbabb77eff878db7463dabd3b28325b8d44c67

SHA512
5c8b0337ed1140acf4f76c4d53459faf744779a47da141dab6b8533c826083a1e7610f29ff288f0aba0710b000802e3dd165d40fdb54f528b8a9f9ca63c4c8ad

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
0a0bf6a4036a448d4227fe38c7d2a7ab

SHA1
e07493b81886e22f18a44e874c860b687f87726a

SHA256
14ff64f5097d82c4301c92d3104ac2bbf25c5f64db72f68fa729fb17b546a1cc

SHA512
20c42eccdd49e4aa8fcb56bd358ffe946e19ad71bf3296e92af0fd06d6177deba6e34abdbf70a0246c1fc97ce8410f40ecd6181d2b5c9023faacaa9206dd3369

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
172B

MD5
abf51dbdcf36d39d446bcf6b998da44a

SHA1
72408373567724ebce5377bb1ab8decbe6792ba7

SHA256
4e155448e58fab65082eb4c7fd181382bb05774d03ecbfee4fde8d32f5f16b9a

SHA512
6b2d9cc637e1e526d8610deb671621070bc0cfa35e263ddf91aa83cfac8a7886bbe69a796407150b78df13930744bc90d561b61e78b3fd7f4f9f4ba83300c776

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe

Filesize
3.2MB

MD5
439604d0f386a0689dbbbbcc043ad58b

SHA1
4c3a238540f072dc34ed688d8c4d173244231b86

SHA256
74e99a6b5ab706f89bccbde2843e5d71d3850f3d80e5d73105359e96f9123886

SHA512
c68ddffaa4d5468ac1dfe4c9e10d830a0b84419ab1daf1942319bd8cb8a7a8a67dd93f2ee7efcb8a99ecf7cba350fc9b80f477a5b93c0bd558de3eefbd565c4d

Download Submit