Analysis
- max time kernel: 120s
- max time network: 92s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04/09/2024, 02:10
Static task: static1
Behavioral task: behavioral1
- Sample: db00276d6303371ff33d01daca3daf00N.exe
- Resource: win7-20240729-en
Behavioral task: behavioral2
- Sample: db00276d6303371ff33d01daca3daf00N.exe
- Resource: win10v2004-20240802-en
General
- Target: db00276d6303371ff33d01daca3daf00N.exe
- Size: 2.6MB
- MD5: db00276d6303371ff33d01daca3daf00
- SHA1: 04f3de19e7f96461bc5af303908cd0f7af4103bd
- SHA256: bf85caf1ad972fed65bbc29ab85243f8dc0172792b5002e6fc8630abb71b1c8c
- SHA512: e90ceaf4b44e82c88b07ce420f6135e72bc70e95772cdeee7262e7e9f75d7fdef3fe253117373e9c3a1e24a1ebd4a726363f437f74c8c2d552bbcd8f156691a1
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBFB/bS:sxX7QnxrloE5dpUpib
Malware Config
Signatures
- Credentials from Password Stores: Credentials from Web Browsers (1 TTP)
  Malicious access to, or copying of, a web browser credential store.
- Drops startup file (1 IoC)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | db00276d6303371ff33d01daca3daf00N.exe
- Executes dropped EXE (2 IoCs)
  pid | Process
  2240 | ecaopti.exe
  1972 | xoptiloc.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc1Y\\xoptiloc.exe" | db00276d6303371ff33d01daca3daf00N.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZIW\\optidevec.exe" | db00276d6303371ff33d01daca3daf00N.exe
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | db00276d6303371ff33d01daca3daf00N.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ecaopti.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xoptiloc.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs; identical rows collapsed, with the number of entries per process)
  pid | Process | entries
  3980 | db00276d6303371ff33d01daca3daf00N.exe | 4
  2240 | ecaopti.exe | 30
  1972 | xoptiloc.exe | 30
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 3980 wrote to memory of 2240 | 3980 | db00276d6303371ff33d01daca3daf00N.exe | 88
  PID 3980 wrote to memory of 2240 | 3980 | db00276d6303371ff33d01daca3daf00N.exe | 88
  PID 3980 wrote to memory of 2240 | 3980 | db00276d6303371ff33d01daca3daf00N.exe | 88
  PID 3980 wrote to memory of 1972 | 3980 | db00276d6303371ff33d01daca3daf00N.exe | 91
  PID 3980 wrote to memory of 1972 | 3980 | db00276d6303371ff33d01daca3daf00N.exe | 91
  PID 3980 wrote to memory of 1972 | 3980 | db00276d6303371ff33d01daca3daf00N.exe | 91
Processes
- C:\Users\Admin\AppData\Local\Temp\db00276d6303371ff33d01daca3daf00N.exe (PID 3980)
  Command line: "C:\Users\Admin\AppData\Local\Temp\db00276d6303371ff33d01daca3daf00N.exe"
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe (PID 2240, child of 3980)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\Intelproc1Y\xoptiloc.exe (PID 1972, child of 3980)
    Command line: C:\Intelproc1Y\xoptiloc.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.6MB
  MD5: 93cb38b58ea413647581849801894323
  SHA1: dea1a9409c1e2e755861808d1347f168f25b8e20
  SHA256: 45dd0b9b5e8f85b667d9419db88a130e7d298601738afc62b97d7474a8443968
  SHA512: b63ea2b5cef7cf1862c053b7a9dcd93654c29127655bb05d07bbcfe6a5e0bc6d685523de6a8e7a87ab9e6cf5ad9f184cf4a9ab76dd3ff5c17a640c733c3bd501
- Filesize: 256KB
  MD5: b3ab996ff59c6aea5e1a2915a9e8aeb7
  SHA1: b5c7aaef814b7982f52b7ce36668ed4dcb82b934
  SHA256: f5b37472689368d417d48670c8fb456672adf63232490643311ce72427783ee1
  SHA512: 3449d47f16c312162f606b8496898b4f7a3587ce5c15ffb6ef1ffcc5aa2d024e2289997c3e4f6c8c1507c5719b52e6cd4c81ec2caac86719c9d302f99d65aa04
- Filesize: 189KB
  MD5: 43ad7e251790c7e47b6823bd030db779
  SHA1: ebcc886fc2ff87e2f3da6024e55bb752bfb09198
  SHA256: e9bc73029b679eaca4a029fb2c3c07d776caed4e1fda9d829fb87bf5bfd8a6df
  SHA512: 2ca78f61949de2433d291e1aa9fb21aabaa662297c0c6b1b5116ba8433f1b3d831774b35be789a23752142d5c0d2e915e4001d59ea63ae28344dad61f4c30809
- Filesize: 207B
  MD5: ce86486e35d917b939b257a0440484a9
  SHA1: 32482029b1c86a89d351ec2236c8e6d91f92690a
  SHA256: 7a529445cdde18c1263bf9a03a0046a6481f958c96f3d167c0d32472e55581a7
  SHA512: dfca6de49e2b65dc869245234cd2affca439becd240f2f10c8442ebc9a7b1888ed92d562e53c6c25855c7f190c0e68cea150b8020ec54ade73e0aee337d46cc7
- Filesize: 175B
  MD5: d40bb084383d3d37ba4a634418e3bd1d
  SHA1: 4399dabcb68c0bfb84cd40d70c1d8ebe8896d332
  SHA256: 0e0bb1efb5162d58d997545e1b512f728b85b6f0c3e393a04e75d31dc7d6f5bc
  SHA512: 9fe15b65f69c1ea190e6ccf650866fdbde44eda3b6ae64379c3ee00d4e993cc1174e03cd9f590ebcd17ffbc055bd651923c529724f05400f617455b8535171d2
- Filesize: 2.6MB
  MD5: 2d3479933b19db1f94dee459fe732b69
  SHA1: 821bd5e21ec4f20de5fc755419a9abfb7221123e
  SHA256: 0f5b841ae313acbd1e53b9b7e25ebb14b3116fad867ac1cb56e9b2cbd4e07a95
  SHA512: 1dd8452717d3d97ef163ff5f588b160ee067a064b0082ac1c2318860b5e6b95e3296513f947e7ae21820aa06196d62abda991634e758250b436833799b78acaf