b1b55834d1e9ce9fa3974c4855d23957915a2ef58582f976393d85c770b0caae

Analysis

max time kernel
120s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24-08-2024 17:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f748389f0698788c459b1446e3467ca0N.exe
Size

2.6MB
MD5

f748389f0698788c459b1446e3467ca0
SHA1

252abafd614803865a53d2e2db4713da3de86795
SHA256

b1b55834d1e9ce9fa3974c4855d23957915a2ef58582f976393d85c770b0caae
SHA512

c7c7d991f5a4b86ce8a0a76df0b0ede4ad8c694e89d3f1ba129f14223d35255dff5fc996022d46969d5d4d8731c8f7cd0c1dcf06691454d0ad7b03fac9f09930
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBZB/bS:sxX7QnxrloE5dpUp2b

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe	f748389f0698788c459b1446e3467ca0N.exe

Executes dropped EXE 2 IoCs

pid	Process
3280	ecdevdob.exe
4104	xoptisys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotUK\\xoptisys.exe"	f748389f0698788c459b1446e3467ca0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidR1\\bodxloc.exe"	f748389f0698788c459b1446e3467ca0N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f748389f0698788c459b1446e3467ca0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecdevdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xoptisys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
864	f748389f0698788c459b1446e3467ca0N.exe
864	f748389f0698788c459b1446e3467ca0N.exe
864	f748389f0698788c459b1446e3467ca0N.exe
864	f748389f0698788c459b1446e3467ca0N.exe
3280	ecdevdob.exe
3280	ecdevdob.exe
4104	xoptisys.exe
4104	xoptisys.exe
3280	ecdevdob.exe
3280	ecdevdob.exe
4104	xoptisys.exe
4104	xoptisys.exe
3280	ecdevdob.exe
3280	ecdevdob.exe
4104	xoptisys.exe
4104	xoptisys.exe
3280	ecdevdob.exe
3280	ecdevdob.exe
4104	xoptisys.exe
4104	xoptisys.exe
3280	ecdevdob.exe
3280	ecdevdob.exe
4104	xoptisys.exe
4104	xoptisys.exe
3280	ecdevdob.exe
3280	ecdevdob.exe
4104	xoptisys.exe
4104	xoptisys.exe
3280	ecdevdob.exe
3280	ecdevdob.exe
4104	xoptisys.exe
4104	xoptisys.exe
3280	ecdevdob.exe
3280	ecdevdob.exe
4104	xoptisys.exe
4104	xoptisys.exe
3280	ecdevdob.exe
3280	ecdevdob.exe
4104	xoptisys.exe
4104	xoptisys.exe
3280	ecdevdob.exe
3280	ecdevdob.exe
4104	xoptisys.exe
4104	xoptisys.exe
3280	ecdevdob.exe
3280	ecdevdob.exe
4104	xoptisys.exe
4104	xoptisys.exe
3280	ecdevdob.exe
3280	ecdevdob.exe
4104	xoptisys.exe
4104	xoptisys.exe
3280	ecdevdob.exe
3280	ecdevdob.exe
4104	xoptisys.exe
4104	xoptisys.exe
3280	ecdevdob.exe
3280	ecdevdob.exe
4104	xoptisys.exe
4104	xoptisys.exe
3280	ecdevdob.exe
3280	ecdevdob.exe
4104	xoptisys.exe
4104	xoptisys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 864 wrote to memory of 3280	864	f748389f0698788c459b1446e3467ca0N.exe	89
PID 864 wrote to memory of 3280	864	f748389f0698788c459b1446e3467ca0N.exe	89
PID 864 wrote to memory of 3280	864	f748389f0698788c459b1446e3467ca0N.exe	89
PID 864 wrote to memory of 4104	864	f748389f0698788c459b1446e3467ca0N.exe	90
PID 864 wrote to memory of 4104	864	f748389f0698788c459b1446e3467ca0N.exe	90
PID 864 wrote to memory of 4104	864	f748389f0698788c459b1446e3467ca0N.exe	90

C:\Users\Admin\AppData\Local\Temp\f748389f0698788c459b1446e3467ca0N.exe
"C:\Users\Admin\AppData\Local\Temp\f748389f0698788c459b1446e3467ca0N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:864
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3280
- C:\UserDotUK\xoptisys.exe
  C:\UserDotUK\xoptisys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\UserDotUK\xoptisys.exe

Filesize
2.6MB

MD5
3b4b940a6060fcf7cddc5f3022497f80

SHA1
92f71933549c9d4e23bab1cc307af8136c7505de

SHA256
0321680de01d143c2c775c39cfacd032df0f580336c65e2f51f174db35d3d6ff

SHA512
60b686582610f7998e3ba246f5bf0c40a092cec32d249f9ce3b888e5581bcfe4607da01f437aff7f9a05a59a7958ab2f541bcad919fb4453c72d75487360eab5

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
6d1cff675db1b76e26080a27d196a27d

SHA1
8e0b82e8c5e64c0f0d12247a08e191a8f43fef44

SHA256
0570d9c8f07968fafcc86fa1350c8c15f316d7a9a61879956be236fc75bf2624

SHA512
36e9be5cedb83771f322dc0a458325e3f4337f321508c8789513d12aa6af2b8e696f9bb2aaf2c74108be296e51163a72b137df2ea60e1fe5351dd5e0be66307d

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
171B

MD5
371d2731baa9176ce83751d3d7c407f5

SHA1
2ce89d8229f3487449cdf28abc2a1087d88fccce

SHA256
2ee7f2fa73a95b9034592652e406cd987d9cb2d1936f02a2a94ddf66ac0a8144

SHA512
42e0c019453396720fc3640d094234bfead106b2995eeacc90965f3b35dd28708b50f8efa581c9d4929bfdc19d08252b213a2d2f3e91b7d82187292b948ae515

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe

Filesize
2.6MB

MD5
ca34783ed9e522fd390475d47c474bdb

SHA1
81cc264a85891d5539eff35b0893ffda591cb1db

SHA256
b9fe907781344b68780e097cd2f413c3108056561d03f30aa0013d641b900524

SHA512
00dc59fbcdb8b8f681afbe59bc94a66af927e0e2bff0f8ba860785498f4a11e55e8b7d6451e61071af3ed638bf3f92d2700bb0eb0cd46d35e74b804fec4ef16e

Download Submit
C:\VidR1\bodxloc.exe

Filesize
334KB

MD5
e026367772eed2e6101c38c003f4a457

SHA1
3f711b0ead28bcc1edb505b9b3183caec803942a

SHA256
0f3c01dd71ed6e098db77db6375cf1a4ed64bf42c0179ea8950d30a64f1af74f

SHA512
123044e42bdb8d0c859ee26199eb4c83acad9207a23f114ae5cb20ebd069971de87dd73205b58a08c61127087ecb109e10467aa66f54d9661c0ee95a9cc2c200

Download Submit
C:\VidR1\bodxloc.exe

Filesize
1.8MB

MD5
1e3c50d836d60b459ad13fd18e140662

SHA1
d0f1c0c39b22d4d6624ce0cc47c3f329135b188c

SHA256
722d152876d82abf17ddb8bcd4b8e2d8042863fb0deffdb89485a088c5fe6b3f

SHA512
55bd484281ec87579f358425951aedc2f993c5e1d2a5f5bcd44a18543e241e4131ed21733cdc6a7705cafa7636a6b9656d6ed3aaf2e753d6e56c16583b9bcab3

Download Submit