3033861d0602d6984533979d09984a5c7ae4ff33afcbd45923bd6fb66900551d

Analysis

max time kernel
119s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
06/08/2024, 05:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

63846f0545e6163d027a52bd567bb6d0N.exe
Size

2.6MB
MD5

63846f0545e6163d027a52bd567bb6d0
SHA1

e6946c7f988f31b4efb315246147b007ea3675d6
SHA256

3033861d0602d6984533979d09984a5c7ae4ff33afcbd45923bd6fb66900551d
SHA512

ce3896e7ec819730a6722efac618394cb28888bbd5e4bfb143f15af197b88559a6f016604b3eacdd0d4c982bf956b7358dc6c33fdd5fa58433bab4ba71c67d84
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBbB/bS:sxX7QnxrloE5dpUpgb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe	63846f0545e6163d027a52bd567bb6d0N.exe

Executes dropped EXE 2 IoCs

pid	Process
2412	ecadob.exe
2836	xoptiec.exe

Loads dropped DLL 2 IoCs

pid	Process
1728	63846f0545e6163d027a52bd567bb6d0N.exe
1728	63846f0545e6163d027a52bd567bb6d0N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocKW\\xoptiec.exe"	63846f0545e6163d027a52bd567bb6d0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintWT\\bodaloc.exe"	63846f0545e6163d027a52bd567bb6d0N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	63846f0545e6163d027a52bd567bb6d0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecadob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xoptiec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1728	63846f0545e6163d027a52bd567bb6d0N.exe
1728	63846f0545e6163d027a52bd567bb6d0N.exe
2412	ecadob.exe
2836	xoptiec.exe
2412	ecadob.exe
2836	xoptiec.exe
2412	ecadob.exe
2836	xoptiec.exe
2412	ecadob.exe
2836	xoptiec.exe
2412	ecadob.exe
2836	xoptiec.exe
2412	ecadob.exe
2836	xoptiec.exe
2412	ecadob.exe
2836	xoptiec.exe
2412	ecadob.exe
2836	xoptiec.exe
2412	ecadob.exe
2836	xoptiec.exe
2412	ecadob.exe
2836	xoptiec.exe
2412	ecadob.exe
2836	xoptiec.exe
2412	ecadob.exe
2836	xoptiec.exe
2412	ecadob.exe
2836	xoptiec.exe
2412	ecadob.exe
2836	xoptiec.exe
2412	ecadob.exe
2836	xoptiec.exe
2412	ecadob.exe
2836	xoptiec.exe
2412	ecadob.exe
2836	xoptiec.exe
2412	ecadob.exe
2836	xoptiec.exe
2412	ecadob.exe
2836	xoptiec.exe
2412	ecadob.exe
2836	xoptiec.exe
2412	ecadob.exe
2836	xoptiec.exe
2412	ecadob.exe
2836	xoptiec.exe
2412	ecadob.exe
2836	xoptiec.exe
2412	ecadob.exe
2836	xoptiec.exe
2412	ecadob.exe
2836	xoptiec.exe
2412	ecadob.exe
2836	xoptiec.exe
2412	ecadob.exe
2836	xoptiec.exe
2412	ecadob.exe
2836	xoptiec.exe
2412	ecadob.exe
2836	xoptiec.exe
2412	ecadob.exe
2836	xoptiec.exe
2412	ecadob.exe
2836	xoptiec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 2412	1728	63846f0545e6163d027a52bd567bb6d0N.exe	30
PID 1728 wrote to memory of 2412	1728	63846f0545e6163d027a52bd567bb6d0N.exe	30
PID 1728 wrote to memory of 2412	1728	63846f0545e6163d027a52bd567bb6d0N.exe	30
PID 1728 wrote to memory of 2412	1728	63846f0545e6163d027a52bd567bb6d0N.exe	30
PID 1728 wrote to memory of 2836	1728	63846f0545e6163d027a52bd567bb6d0N.exe	31
PID 1728 wrote to memory of 2836	1728	63846f0545e6163d027a52bd567bb6d0N.exe	31
PID 1728 wrote to memory of 2836	1728	63846f0545e6163d027a52bd567bb6d0N.exe	31
PID 1728 wrote to memory of 2836	1728	63846f0545e6163d027a52bd567bb6d0N.exe	31

C:\Users\Admin\AppData\Local\Temp\63846f0545e6163d027a52bd567bb6d0N.exe
"C:\Users\Admin\AppData\Local\Temp\63846f0545e6163d027a52bd567bb6d0N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2412
- C:\IntelprocKW\xoptiec.exe
  C:\IntelprocKW\xoptiec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocKW\xoptiec.exe

Filesize
518KB

MD5
0b0bb8623cff3cf9d42a3e258d5e8b22

SHA1
65f6c1ec2a12c3ee17c62813c965bc82773d4420

SHA256
f1fa6ebe8c34e9d270ab7eb0a44e81b470aa6441abc828d6c393dfb9b31e93cf

SHA512
325ac3eda0702c09e1915b3972aa72f4962d734c87c201fe6d2195211f0f06451976c62aac4197e412469f485fed639fbac7110c7a6c8015c3384ca0a34bb6eb

Download Submit
C:\MintWT\bodaloc.exe

Filesize
2.6MB

MD5
654707e5debee6d5116ee795097f6a7c

SHA1
4a79927ebd7e42bb9b2e80aad7447392311273c9

SHA256
702c982a3b9cc7fb53bb7f988e07a6d6d1ad21836f73ef2c447bcacba0852595

SHA512
e24ef7f71a6af6394fad68b43ef4f84a8f77da57e6bea577d4640081a78a57c6e3130aebce5d038b066ff04a7d8d8e325b958695ed8b702eea165a47cdbe2a68

Download Submit
C:\MintWT\bodaloc.exe

Filesize
2.6MB

MD5
2d996cbe5867e62c02ac621dc7211977

SHA1
ab2ef2e4d4e214e4601463fc47c9aabd0a05e5c0

SHA256
070ca0fdd22d03991c2beca3f83e16a76c62036d1c009ba6e4fcb80f2cf89aea

SHA512
440b38af5ae4216d84643535458d0eb66b9ab429de37d77ed77ae7597a4399b644a8b9efef73be16af45498bc110a7cc7d6bbd58690186b15107634aa1b09358

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
171B

MD5
8a5bbe2e43285960764dce652fdf7add

SHA1
259f81adca1c1166a568bb4f3ff78e481fb2f466

SHA256
32d26dcc762a33be020a48c2667bcf72dbdd9635fddd6889a59bc78c07d3f7b4

SHA512
d064738e816350e6a71e6d23308321de19e9ef567fb015cefe82d1aeab1439ba8f83394a453e3c6b36933b6b4374b5af49f5e87987acc02f2412c024a3e1134e

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
7bd8c710c7625a1fb2c3aa4e5f87817c

SHA1
e592cabfa50d3eece648215817153f0fcbf0088a

SHA256
0f117279932d9a69805c05dac1981421b20d6c9435c3e360458eb7297249d40e

SHA512
cf2a889cbff2142c835b41fea42c0855b36c0d9865f23d8722bdb4973f4d00c4d73949cc177706636318256cf4ac03b8ca90f9f7cc40aff76ff439911ef06ccc

Download Submit
\IntelprocKW\xoptiec.exe

Filesize
2.6MB

MD5
1dd4c9ca846b2b582b553fc109216716

SHA1
9b4bf2e07f7909718798663a21ebea2f90c5c09e

SHA256
89935b52c380e366949d69048aa1a4029320c48847ff2c06044c38ead45847d3

SHA512
e862e37d7fa72c0bfb7cb8e2edcbe701360dcce7d4e4dcb869c5b22c16e34e04b73fbe61b968ac209ce6a31e5943d91c6b65302269682100056090bb88005328

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe

Filesize
2.6MB

MD5
645dfbfd23cba3d1843a8c624f442437

SHA1
b996f71909ced024bb991cedb586f63557475896

SHA256
ceaf70cab67dd4de94c4aa8bb7c1c36670bb44858d9e5a7e5aefce55c94c01b3

SHA512
63d2fe80520154b2d5c71df794549a2ac560bd05b667fa80ebbf6e8f886cf9d9fdb68475c24ac877b25391a1ba9d0ef5220328bba61d1274dad3b9c37550056b

Download Submit