Analysis

  • max time kernel
    119s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    06/08/2024, 05:21

General

  • Target

    63846f0545e6163d027a52bd567bb6d0N.exe

  • Size

    2.6MB

  • MD5

    63846f0545e6163d027a52bd567bb6d0

  • SHA1

    e6946c7f988f31b4efb315246147b007ea3675d6

  • SHA256

    3033861d0602d6984533979d09984a5c7ae4ff33afcbd45923bd6fb66900551d

  • SHA512

    ce3896e7ec819730a6722efac618394cb28888bbd5e4bfb143f15af197b88559a6f016604b3eacdd0d4c982bf956b7358dc6c33fdd5fa58433bab4ba71c67d84

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBbB/bS:sxX7QnxrloE5dpUpgb

Signatures

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser credential store.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim host in order to infer its geographical location.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\63846f0545e6163d027a52bd567bb6d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\63846f0545e6163d027a52bd567bb6d0N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1728
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2412
    • C:\IntelprocKW\xoptiec.exe
      C:\IntelprocKW\xoptiec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2836

Downloads

  • C:\IntelprocKW\xoptiec.exe

    Filesize

    518KB

    MD5

    0b0bb8623cff3cf9d42a3e258d5e8b22

    SHA1

    65f6c1ec2a12c3ee17c62813c965bc82773d4420

    SHA256

    f1fa6ebe8c34e9d270ab7eb0a44e81b470aa6441abc828d6c393dfb9b31e93cf

    SHA512

    325ac3eda0702c09e1915b3972aa72f4962d734c87c201fe6d2195211f0f06451976c62aac4197e412469f485fed639fbac7110c7a6c8015c3384ca0a34bb6eb

  • C:\MintWT\bodaloc.exe

    Filesize

    2.6MB

    MD5

    654707e5debee6d5116ee795097f6a7c

    SHA1

    4a79927ebd7e42bb9b2e80aad7447392311273c9

    SHA256

    702c982a3b9cc7fb53bb7f988e07a6d6d1ad21836f73ef2c447bcacba0852595

    SHA512

    e24ef7f71a6af6394fad68b43ef4f84a8f77da57e6bea577d4640081a78a57c6e3130aebce5d038b066ff04a7d8d8e325b958695ed8b702eea165a47cdbe2a68

  • C:\MintWT\bodaloc.exe

    Filesize

    2.6MB

    MD5

    2d996cbe5867e62c02ac621dc7211977

    SHA1

    ab2ef2e4d4e214e4601463fc47c9aabd0a05e5c0

    SHA256

    070ca0fdd22d03991c2beca3f83e16a76c62036d1c009ba6e4fcb80f2cf89aea

    SHA512

    440b38af5ae4216d84643535458d0eb66b9ab429de37d77ed77ae7597a4399b644a8b9efef73be16af45498bc110a7cc7d6bbd58690186b15107634aa1b09358

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    171B

    MD5

    8a5bbe2e43285960764dce652fdf7add

    SHA1

    259f81adca1c1166a568bb4f3ff78e481fb2f466

    SHA256

    32d26dcc762a33be020a48c2667bcf72dbdd9635fddd6889a59bc78c07d3f7b4

    SHA512

    d064738e816350e6a71e6d23308321de19e9ef567fb015cefe82d1aeab1439ba8f83394a453e3c6b36933b6b4374b5af49f5e87987acc02f2412c024a3e1134e

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    203B

    MD5

    7bd8c710c7625a1fb2c3aa4e5f87817c

    SHA1

    e592cabfa50d3eece648215817153f0fcbf0088a

    SHA256

    0f117279932d9a69805c05dac1981421b20d6c9435c3e360458eb7297249d40e

    SHA512

    cf2a889cbff2142c835b41fea42c0855b36c0d9865f23d8722bdb4973f4d00c4d73949cc177706636318256cf4ac03b8ca90f9f7cc40aff76ff439911ef06ccc

  • \IntelprocKW\xoptiec.exe

    Filesize

    2.6MB

    MD5

    1dd4c9ca846b2b582b553fc109216716

    SHA1

    9b4bf2e07f7909718798663a21ebea2f90c5c09e

    SHA256

    89935b52c380e366949d69048aa1a4029320c48847ff2c06044c38ead45847d3

    SHA512

    e862e37d7fa72c0bfb7cb8e2edcbe701360dcce7d4e4dcb869c5b22c16e34e04b73fbe61b968ac209ce6a31e5943d91c6b65302269682100056090bb88005328

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe

    Filesize

    2.6MB

    MD5

    645dfbfd23cba3d1843a8c624f442437

    SHA1

    b996f71909ced024bb991cedb586f63557475896

    SHA256

    ceaf70cab67dd4de94c4aa8bb7c1c36670bb44858d9e5a7e5aefce55c94c01b3

    SHA512

    63d2fe80520154b2d5c71df794549a2ac560bd05b667fa80ebbf6e8f886cf9d9fdb68475c24ac877b25391a1ba9d0ef5220328bba61d1274dad3b9c37550056b