bba961500adbc587e824d99d581d15be266e4edae58905ba70716c8aed07f5af

Analysis

max time kernel
119s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14/10/2024, 15:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bba961500adbc587e824d99d581d15be266e4edae58905ba70716c8aed07f5afN.exe
Size

2.6MB
MD5

5c89f18d773345dcf6dd1bb1e1134390
SHA1

1a5f354ad42290cd66201b315f4b1b8be7dc3f81
SHA256

bba961500adbc587e824d99d581d15be266e4edae58905ba70716c8aed07f5af
SHA512

c78a893c45f4267e96f713e56399aad84e251df8ac98d957f7564666be9166e2c63fed9dc6b4d24e648fa243d24b6d665914d70ae9a621a391a30242c2c858cd
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBnB/bS:sxX7QnxrloE5dpUpQb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe	bba961500adbc587e824d99d581d15be266e4edae58905ba70716c8aed07f5afN.exe

Executes dropped EXE 2 IoCs

pid	Process
2364	ecxbod.exe
2700	xoptiec.exe

Loads dropped DLL 2 IoCs

pid	Process
2980	bba961500adbc587e824d99d581d15be266e4edae58905ba70716c8aed07f5afN.exe
2980	bba961500adbc587e824d99d581d15be266e4edae58905ba70716c8aed07f5afN.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintQ5\\optixloc.exe"	bba961500adbc587e824d99d581d15be266e4edae58905ba70716c8aed07f5afN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesM2\\xoptiec.exe"	bba961500adbc587e824d99d581d15be266e4edae58905ba70716c8aed07f5afN.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xoptiec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bba961500adbc587e824d99d581d15be266e4edae58905ba70716c8aed07f5afN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecxbod.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2980	bba961500adbc587e824d99d581d15be266e4edae58905ba70716c8aed07f5afN.exe
2980	bba961500adbc587e824d99d581d15be266e4edae58905ba70716c8aed07f5afN.exe
2364	ecxbod.exe
2700	xoptiec.exe
2364	ecxbod.exe
2700	xoptiec.exe
2364	ecxbod.exe
2700	xoptiec.exe
2364	ecxbod.exe
2700	xoptiec.exe
2364	ecxbod.exe
2700	xoptiec.exe
2364	ecxbod.exe
2700	xoptiec.exe
2364	ecxbod.exe
2700	xoptiec.exe
2364	ecxbod.exe
2700	xoptiec.exe
2364	ecxbod.exe
2700	xoptiec.exe
2364	ecxbod.exe
2700	xoptiec.exe
2364	ecxbod.exe
2700	xoptiec.exe
2364	ecxbod.exe
2700	xoptiec.exe
2364	ecxbod.exe
2700	xoptiec.exe
2364	ecxbod.exe
2700	xoptiec.exe
2364	ecxbod.exe
2700	xoptiec.exe
2364	ecxbod.exe
2700	xoptiec.exe
2364	ecxbod.exe
2700	xoptiec.exe
2364	ecxbod.exe
2700	xoptiec.exe
2364	ecxbod.exe
2700	xoptiec.exe
2364	ecxbod.exe
2700	xoptiec.exe
2364	ecxbod.exe
2700	xoptiec.exe
2364	ecxbod.exe
2700	xoptiec.exe
2364	ecxbod.exe
2700	xoptiec.exe
2364	ecxbod.exe
2700	xoptiec.exe
2364	ecxbod.exe
2700	xoptiec.exe
2364	ecxbod.exe
2700	xoptiec.exe
2364	ecxbod.exe
2700	xoptiec.exe
2364	ecxbod.exe
2700	xoptiec.exe
2364	ecxbod.exe
2700	xoptiec.exe
2364	ecxbod.exe
2700	xoptiec.exe
2364	ecxbod.exe
2700	xoptiec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 2364	2980	bba961500adbc587e824d99d581d15be266e4edae58905ba70716c8aed07f5afN.exe	30
PID 2980 wrote to memory of 2364	2980	bba961500adbc587e824d99d581d15be266e4edae58905ba70716c8aed07f5afN.exe	30
PID 2980 wrote to memory of 2364	2980	bba961500adbc587e824d99d581d15be266e4edae58905ba70716c8aed07f5afN.exe	30
PID 2980 wrote to memory of 2364	2980	bba961500adbc587e824d99d581d15be266e4edae58905ba70716c8aed07f5afN.exe	30
PID 2980 wrote to memory of 2700	2980	bba961500adbc587e824d99d581d15be266e4edae58905ba70716c8aed07f5afN.exe	31
PID 2980 wrote to memory of 2700	2980	bba961500adbc587e824d99d581d15be266e4edae58905ba70716c8aed07f5afN.exe	31
PID 2980 wrote to memory of 2700	2980	bba961500adbc587e824d99d581d15be266e4edae58905ba70716c8aed07f5afN.exe	31
PID 2980 wrote to memory of 2700	2980	bba961500adbc587e824d99d581d15be266e4edae58905ba70716c8aed07f5afN.exe	31

C:\Users\Admin\AppData\Local\Temp\bba961500adbc587e824d99d581d15be266e4edae58905ba70716c8aed07f5afN.exe
"C:\Users\Admin\AppData\Local\Temp\bba961500adbc587e824d99d581d15be266e4edae58905ba70716c8aed07f5afN.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2364
- C:\FilesM2\xoptiec.exe
  C:\FilesM2\xoptiec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesM2\xoptiec.exe

Filesize
2.6MB

MD5
2eb09df95ed0ae3627d88a5cee0e2b6e

SHA1
1fd46e7934e1ebfd5d2c4f998e53a6eabdaef937

SHA256
c8320e0c3f6480d42ab9b48105be6e08fc03cb5c13aef6971a9adfac897568d3

SHA512
6b6c4840ea1803659a658c3ef217658374558340bb9100adfd84275d3ed5d0dc13ea26ead96868a9fa7dda35cfe73add9dd9e5c61abf79b67c3b49ace3f428bd

Download Submit
C:\MintQ5\optixloc.exe

Filesize
10KB

MD5
a86336805b3d53c18600c251ef3cfa32

SHA1
69594cfc6347aa438b9319dfca41704cf4607aa6

SHA256
8f668b87e4832b3682e49e6eea02d09a2d52047043f9b41e1307714539fe88e5

SHA512
2289aa68a1720b6b54b1913d01bb230aec97ab071f17ff538689c6b271251aa3ed7892701d4e16f229faf7c3ae3b844cdb8bcd576a87134fff3c03d46ec4bc93

Download Submit
C:\MintQ5\optixloc.exe

Filesize
2.6MB

MD5
c0fea5c3e141be92ad2a588e42768375

SHA1
0ba2fd1dec9ea3a82396cc24e9e0c3882187eb19

SHA256
f0019865e19ba4ee2f73d957e79469711abcc22a7b8c908042c104fecec45cc0

SHA512
7e8ba1319d483bf4f614c24fc1d20b4034a9fa7f4246d7547522c4b13befb49e965e983b898daf3772f4d12f17aa6d0d857246cced088634239c1f3ff92cb022

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
168B

MD5
ea43493384fdf5edde746a7d0718059f

SHA1
e1fb2bea66ea2655443d5f2dcfee4ef689159ed6

SHA256
4e68b68ab5f05dd9cfe460bcfd8c91da6326f0c0d99c1a460297f687330bc0ce

SHA512
6a7ee9864d885e3941606c10e9af9714287d4466a8ebe7a2c25f77ef1277f14629944793de9a791213a2a24760286302ab603f1ba7a46dc301dfc2d32ba2fd6a

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
200B

MD5
907d3bc2b8788f7d1420b439c637744f

SHA1
0ae197e98819bd729be4fe0f2c1ef0b1697ab15d

SHA256
fb583ee9a8c289b0de148994b102c1b93a2c196dfb0873d3b86f20afadb5f28c

SHA512
2657acff43b1baa237fb33d96e0dafbf76c20a3a948b7f866a670acdeb3407611d53e7f71e1c3aa82d7125e12a39dd5ef5402acbf4620b7a0ffdacd58887e088

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe

Filesize
2.6MB

MD5
4531236d22eada33fd2c9d10a6cfef6c

SHA1
fb9a2b97ada026952887d8179ecae30dde6664d2

SHA256
4fbb1f27ae45c081e4c267f6c87ed1317075023fd3346fa095738f57273718d4

SHA512
1f35a70a72c7b8ee22bd62202a463ec4b9c2bb08b32baea573a0ae9330ffa4949f0dbdde1860e1f3863b83349ada5588777a0a4e1050478673a6b18a81b2fe28

Download Submit