b8f2e4b5694f54d4f1d5c99120782300d7a2295d206cf7ce6b19a0c96b86ad42

Analysis

max time kernel
120s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-09-2024 06:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b8f2e4b5694f54d4f1d5c99120782300d7a2295d206cf7ce6b19a0c96b86ad42N.exe
Size

2.6MB
MD5

ff52a12d312409b26607ec76a01081e0
SHA1

408a823b6ab3e46c8a334df4038a78b5fbde0ea6
SHA256

b8f2e4b5694f54d4f1d5c99120782300d7a2295d206cf7ce6b19a0c96b86ad42
SHA512

47984476fd438e66f71e7ed7d93870b6f49e5997e403839fc180b60fbc6c4af1d1d5aea144bbda25b3112ed398df139eda882388c50e2073e584c4a0ce8d5429
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBhB/bS:sxX7QnxrloE5dpUpWb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe	b8f2e4b5694f54d4f1d5c99120782300d7a2295d206cf7ce6b19a0c96b86ad42N.exe

Executes dropped EXE 2 IoCs

pid	Process
2068	ecxbod.exe
2584	xoptiec.exe

Loads dropped DLL 2 IoCs

pid	Process
2540	b8f2e4b5694f54d4f1d5c99120782300d7a2295d206cf7ce6b19a0c96b86ad42N.exe
2540	b8f2e4b5694f54d4f1d5c99120782300d7a2295d206cf7ce6b19a0c96b86ad42N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocR3\\xoptiec.exe"	b8f2e4b5694f54d4f1d5c99120782300d7a2295d206cf7ce6b19a0c96b86ad42N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB90\\optidevsys.exe"	b8f2e4b5694f54d4f1d5c99120782300d7a2295d206cf7ce6b19a0c96b86ad42N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xoptiec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b8f2e4b5694f54d4f1d5c99120782300d7a2295d206cf7ce6b19a0c96b86ad42N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecxbod.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2540	b8f2e4b5694f54d4f1d5c99120782300d7a2295d206cf7ce6b19a0c96b86ad42N.exe
2540	b8f2e4b5694f54d4f1d5c99120782300d7a2295d206cf7ce6b19a0c96b86ad42N.exe
2068	ecxbod.exe
2584	xoptiec.exe
2068	ecxbod.exe
2584	xoptiec.exe
2068	ecxbod.exe
2584	xoptiec.exe
2068	ecxbod.exe
2584	xoptiec.exe
2068	ecxbod.exe
2584	xoptiec.exe
2068	ecxbod.exe
2584	xoptiec.exe
2068	ecxbod.exe
2584	xoptiec.exe
2068	ecxbod.exe
2584	xoptiec.exe
2068	ecxbod.exe
2584	xoptiec.exe
2068	ecxbod.exe
2584	xoptiec.exe
2068	ecxbod.exe
2584	xoptiec.exe
2068	ecxbod.exe
2584	xoptiec.exe
2068	ecxbod.exe
2584	xoptiec.exe
2068	ecxbod.exe
2584	xoptiec.exe
2068	ecxbod.exe
2584	xoptiec.exe
2068	ecxbod.exe
2584	xoptiec.exe
2068	ecxbod.exe
2584	xoptiec.exe
2068	ecxbod.exe
2584	xoptiec.exe
2068	ecxbod.exe
2584	xoptiec.exe
2068	ecxbod.exe
2584	xoptiec.exe
2068	ecxbod.exe
2584	xoptiec.exe
2068	ecxbod.exe
2584	xoptiec.exe
2068	ecxbod.exe
2584	xoptiec.exe
2068	ecxbod.exe
2584	xoptiec.exe
2068	ecxbod.exe
2584	xoptiec.exe
2068	ecxbod.exe
2584	xoptiec.exe
2068	ecxbod.exe
2584	xoptiec.exe
2068	ecxbod.exe
2584	xoptiec.exe
2068	ecxbod.exe
2584	xoptiec.exe
2068	ecxbod.exe
2584	xoptiec.exe
2068	ecxbod.exe
2584	xoptiec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2540 wrote to memory of 2068	2540	b8f2e4b5694f54d4f1d5c99120782300d7a2295d206cf7ce6b19a0c96b86ad42N.exe	30
PID 2540 wrote to memory of 2068	2540	b8f2e4b5694f54d4f1d5c99120782300d7a2295d206cf7ce6b19a0c96b86ad42N.exe	30
PID 2540 wrote to memory of 2068	2540	b8f2e4b5694f54d4f1d5c99120782300d7a2295d206cf7ce6b19a0c96b86ad42N.exe	30
PID 2540 wrote to memory of 2068	2540	b8f2e4b5694f54d4f1d5c99120782300d7a2295d206cf7ce6b19a0c96b86ad42N.exe	30
PID 2540 wrote to memory of 2584	2540	b8f2e4b5694f54d4f1d5c99120782300d7a2295d206cf7ce6b19a0c96b86ad42N.exe	31
PID 2540 wrote to memory of 2584	2540	b8f2e4b5694f54d4f1d5c99120782300d7a2295d206cf7ce6b19a0c96b86ad42N.exe	31
PID 2540 wrote to memory of 2584	2540	b8f2e4b5694f54d4f1d5c99120782300d7a2295d206cf7ce6b19a0c96b86ad42N.exe	31
PID 2540 wrote to memory of 2584	2540	b8f2e4b5694f54d4f1d5c99120782300d7a2295d206cf7ce6b19a0c96b86ad42N.exe	31

C:\Users\Admin\AppData\Local\Temp\b8f2e4b5694f54d4f1d5c99120782300d7a2295d206cf7ce6b19a0c96b86ad42N.exe
"C:\Users\Admin\AppData\Local\Temp\b8f2e4b5694f54d4f1d5c99120782300d7a2295d206cf7ce6b19a0c96b86ad42N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2540
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2068
- C:\IntelprocR3\xoptiec.exe
  C:\IntelprocR3\xoptiec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocR3\xoptiec.exe

Filesize
2.6MB

MD5
2b89d183faa2e3054b8b5dc3c3c81283

SHA1
abf6de9e041f9ae0e11d495a2f6328e8c388c7f2

SHA256
053d9826dbaf46e01cded57c7fdf2ab4a9848004d5bd8e318c3669113b947d4c

SHA512
0e50152ba4e47f8707076184b8eecfa3e46e1133cfd495b9b2c88b2eb34912d41155c0b3ce21dbf11b7e77c9c5c5ef6ffb509a00c336beddc01aedcc1b9458ee

Download Submit
C:\KaVB90\optidevsys.exe

Filesize
2.6MB

MD5
8ca90df747c2cbde4da6c9d26bfbdd35

SHA1
65945cf5548c0d9f26558c6da88df40c995ec80e

SHA256
bbe3bb1407c3d7faf2d292953b7b8500f39773ada76ed4d6b5a1d5050010aece

SHA512
13d571adf31857713236214fe8ca4b8ce799e4864a69d6eda4b9e34ba6722eac48b014f1ab71fae0a0c6b804c4615dd7aa6053e354c3f47669b4e378ce6688ff

Download Submit
C:\KaVB90\optidevsys.exe

Filesize
2.6MB

MD5
984d1ff97608a04e3c7204c3cb933b0c

SHA1
a09a94ccba0dae84559479bbc40c0548172001f2

SHA256
6428ce232abaf4673259fc5f02697adbe32d426896b7a0a5c1d7a984cdb3fa40

SHA512
e23d738338f6f6d4a380b828548d4da96adb35ddbd0376e75c322eb1237e03fd5d381f0cec8356a05573fca3a3212ed3bc9f4618afcebfc72eed6345d5012866

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
174B

MD5
e30f4ed0cfc99bbba90fe85314b4eddb

SHA1
3186dd32021b81860df8032f202064ce9da827ad

SHA256
d49a2f04349dc2ca3d4288cdb48605cfceeb71ba53fb80be34248cd066670ed3

SHA512
6b1012fd09b6f75d646cf405212707b2511e6aaa38b51feec8f99b82803a2628506e0eaf83f60ca9de4a813dd8da55d5ee9ed1e94a13727d3accb57ec19f5dab

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
206B

MD5
3ce28962b244b544f19fb526300b6c40

SHA1
425d3ee080af8896e293b611ca3867cc1194a589

SHA256
e4d4de11bae75e44bece96e1004d772e5637ede8b69c81ada2a887b6b3302c61

SHA512
d7e2d9b7f01760e5703babb60ab56933c002080e136f5cc7c7e04b3b56f3ecc5b04b4765157667f44e478679b85fb43292e3653ee00daee3f290d25315e149f3

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe

Filesize
2.6MB

MD5
aa98acca54c1f991b054a8f063f2ced2

SHA1
f2164742552f7c1ea12f7406c909dc517470665f

SHA256
1ea520088008f315d02d81cb4165d873746868259eb317ece6359c33009b3e2e

SHA512
08b78275a58800f925a886dbf4f281dbb15675f3e75507a0299c32afefe50c3b14f9f3a32639a1aef7b651c123f206d406ef576f9e683bbe55e7cd594f7a331f

Download Submit