52c4c8407732887443c22ac5384f9c0449466f0dfa85f3089c326c3cfc1cb38b

Analysis

max time kernel
119s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23/08/2024, 14:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5df9419512358808c38e59bcebf0f680N.exe
Size

2.6MB
MD5

5df9419512358808c38e59bcebf0f680
SHA1

26e87b3c46f4dcd656d0a1ed7659dd3819f7ceb0
SHA256

52c4c8407732887443c22ac5384f9c0449466f0dfa85f3089c326c3cfc1cb38b
SHA512

a9f70a3215a514fd7f1e2105ed5c771b5ba6e41ed18770f59a6eb208bfa0737805d5236027f1d21d7399c6ca436cdc270756c11b2e31f943eb1d0f40d76594ae
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBBB/bS:sxX7QnxrloE5dpUpab

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe	5df9419512358808c38e59bcebf0f680N.exe

Executes dropped EXE 2 IoCs

pid	Process
5068	ecabod.exe
456	xoptiloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesPC\\xoptiloc.exe"	5df9419512358808c38e59bcebf0f680N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintHN\\dobdevloc.exe"	5df9419512358808c38e59bcebf0f680N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5df9419512358808c38e59bcebf0f680N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecabod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xoptiloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2784	5df9419512358808c38e59bcebf0f680N.exe
2784	5df9419512358808c38e59bcebf0f680N.exe
2784	5df9419512358808c38e59bcebf0f680N.exe
2784	5df9419512358808c38e59bcebf0f680N.exe
5068	ecabod.exe
5068	ecabod.exe
456	xoptiloc.exe
456	xoptiloc.exe
5068	ecabod.exe
5068	ecabod.exe
456	xoptiloc.exe
456	xoptiloc.exe
5068	ecabod.exe
5068	ecabod.exe
456	xoptiloc.exe
456	xoptiloc.exe
5068	ecabod.exe
5068	ecabod.exe
456	xoptiloc.exe
456	xoptiloc.exe
5068	ecabod.exe
5068	ecabod.exe
456	xoptiloc.exe
456	xoptiloc.exe
5068	ecabod.exe
5068	ecabod.exe
456	xoptiloc.exe
456	xoptiloc.exe
5068	ecabod.exe
5068	ecabod.exe
456	xoptiloc.exe
456	xoptiloc.exe
5068	ecabod.exe
5068	ecabod.exe
456	xoptiloc.exe
456	xoptiloc.exe
5068	ecabod.exe
5068	ecabod.exe
456	xoptiloc.exe
456	xoptiloc.exe
5068	ecabod.exe
5068	ecabod.exe
456	xoptiloc.exe
456	xoptiloc.exe
5068	ecabod.exe
5068	ecabod.exe
456	xoptiloc.exe
456	xoptiloc.exe
5068	ecabod.exe
5068	ecabod.exe
456	xoptiloc.exe
456	xoptiloc.exe
5068	ecabod.exe
5068	ecabod.exe
456	xoptiloc.exe
456	xoptiloc.exe
5068	ecabod.exe
5068	ecabod.exe
456	xoptiloc.exe
456	xoptiloc.exe
5068	ecabod.exe
5068	ecabod.exe
456	xoptiloc.exe
456	xoptiloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2784 wrote to memory of 5068	2784	5df9419512358808c38e59bcebf0f680N.exe	88
PID 2784 wrote to memory of 5068	2784	5df9419512358808c38e59bcebf0f680N.exe	88
PID 2784 wrote to memory of 5068	2784	5df9419512358808c38e59bcebf0f680N.exe	88
PID 2784 wrote to memory of 456	2784	5df9419512358808c38e59bcebf0f680N.exe	89
PID 2784 wrote to memory of 456	2784	5df9419512358808c38e59bcebf0f680N.exe	89
PID 2784 wrote to memory of 456	2784	5df9419512358808c38e59bcebf0f680N.exe	89

C:\Users\Admin\AppData\Local\Temp\5df9419512358808c38e59bcebf0f680N.exe
"C:\Users\Admin\AppData\Local\Temp\5df9419512358808c38e59bcebf0f680N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2784
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5068
- C:\FilesPC\xoptiloc.exe
  C:\FilesPC\xoptiloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesPC\xoptiloc.exe

Filesize
427KB

MD5
126340002ebef2d323ad796b35b6724d

SHA1
d46d000168fd87a33dd603ceda872a865a89e83d

SHA256
4ffb852413076cfaf2a1f8aed70abf27a908b9d03e7f818e847eb36a9ea61198

SHA512
480fd8f219690d1c6abc46463f618c4628ebac0e09518b8e8a28bd8afb6e0c1c56a92b8b3ed079f11cb420b151a6e42538c0d2b27e5a1c2a7834a3f42817dc5e

Download Submit
C:\FilesPC\xoptiloc.exe

Filesize
2.6MB

MD5
389b48722466014a38e3d9be896e3745

SHA1
95d8bd23bbc9c0cd778dfbf6d0505cddf00591b5

SHA256
8a0d4468a2d1ebef5c5689be23d8fcb83aebf97210becf2e2adcac1fa646f376

SHA512
ac978a876b7deb2a4f81724eb7114b7e00f096a0cc2b70db47e3b407bff7137d2bbcda52ad812a75028c3c17c1ea9096a6dc8469dbc892d52e8d2d63a9a073b2

Download Submit
C:\MintHN\dobdevloc.exe

Filesize
2.6MB

MD5
3aa081f9db601337b001edde151d5fde

SHA1
2db91819cea99d7bc358035e227e365b3ae71b96

SHA256
95a3cb98880e2903decac358d682e39a014ac9e078c6cdf54133d8914f8c151a

SHA512
86456ecb8c2153ecf58e00e466a8c35ff45dde34ed1af64431a7691f0419c14d4503b6a0a2394f174f26fc1c8b99b77c5493b184c95d66ec018aa56fe63d7dce

Download Submit
C:\MintHN\dobdevloc.exe

Filesize
499KB

MD5
35c5ede8ce00d4c57ff0a7aa85127611

SHA1
f6b4b684b277a4255fbe56c5a5e2d114c8efc051

SHA256
9c818f5d6819875e6365b58703a5df02f6137dceb916e6cabdc95ab3754639e9

SHA512
49168c94861bb72cff5c9368a71b82096c143ee3f31ef40c3bbf77854669f68272915b37378e2027dfffd460fc9758335c9e823086f28c273c1a67ce8330f02e

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
f5ae656b715120e29e060b180704b14a

SHA1
4dd5da43a1b6f658b32b936c1a8c1575c32536ad

SHA256
7ec704424e02ff23eb8db4e4a1609a64aff3d4e7bec55a286e0fc06d7abe7033

SHA512
0a55eb45c729ea02348777dd40b20f1fd3550549f98c8a405cc171285ae9c1cdf70a0ae9da807f30be10c4a7cf19648a872d6a2d589c449821da559d2d400ba7

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
170B

MD5
978355557fc613e4a8136326aca012fb

SHA1
31a49374c5567d2a798d625d286890d2b1af3c05

SHA256
9f966ba75bd04081a2a89a0f6d646df4b295995d75137ec21faae58cacb6ac9b

SHA512
867c0d8797f90c5dd6b45d2c1198dd9731e9ccc2b925a7e0d30b4af6a4ba51e6002ac9cbe8893ca649709882900f4fb41a00d35a00d5a6877c1e620dae11a283

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe

Filesize
2.6MB

MD5
3f478b3be39d48d4335bbee8c09de4f1

SHA1
abe85a8ca1b1160b1bd799a79e0bb0bd5a35fef7

SHA256
663ee8e5e87fc1242cc66ad7d93655400526911fd99e93abce9ea0ef0463ca28

SHA512
ca664bd1068e22ac301b8ceba9901ece04d5b7f0e44abe685df97f828bb2b72d38202e58c1aa270df1646fecda8d89eec2115e7a9bdb4e1a30078b5e1b9c64c5

Download Submit