Analysis
- max time kernel: 119s
- max time network: 111s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-10-2024 16:37
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 855a66ca6f7b38fa88003f93646f4eb50dfbdc7817125aec346c40d8da95acbcN.exe
  - Resource: win7-20241010-en
- Behavioral task: behavioral2
  - Sample: 855a66ca6f7b38fa88003f93646f4eb50dfbdc7817125aec346c40d8da95acbcN.exe
  - Resource: win10v2004-20241007-en
General
- Target: 855a66ca6f7b38fa88003f93646f4eb50dfbdc7817125aec346c40d8da95acbcN.exe
- Size: 2.6MB
- MD5: 5955894ce47de5b99b03d90389b59250
- SHA1: c73c95d66795c9c24135a35dbac3fb33fad06291
- SHA256: 855a66ca6f7b38fa88003f93646f4eb50dfbdc7817125aec346c40d8da95acbc
- SHA512: 3b23ff5f5fc766835c7145394677e31440a716b9e4bd6ac1d2f68e2c1eaed2cfb12fac5c1e6e64dd5aa5b15cdb1a4c3b27eebf2d90728a8008be5cf38080d571
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB5B/bS:sxX7QnxrloE5dpUpmb
Malware Config
Signatures

Drops startup file (1 IoC)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe, by process 855a66ca6f7b38fa88003f93646f4eb50dfbdc7817125aec346c40d8da95acbcN.exe

Executes dropped EXE (2 IoCs)
- PID 4380: ecxopti.exe
- PID 3624: xoptiloc.exe

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.

Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeVV\\xoptiloc.exe", by process 855a66ca6f7b38fa88003f93646f4eb50dfbdc7817125aec346c40d8da95acbcN.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZGQ\\optiasys.exe", by process 855a66ca6f7b38fa88003f93646f4eb50dfbdc7817125aec346c40d8da95acbcN.exe

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by process 855a66ca6f7b38fa88003f93646f4eb50dfbdc7817125aec346c40d8da95acbcN.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by process ecxopti.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by process xoptiloc.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
The 64 entries repeat the same three pid/process pairs:
- PID 1436: 855a66ca6f7b38fa88003f93646f4eb50dfbdc7817125aec346c40d8da95acbcN.exe
- PID 4380: ecxopti.exe
- PID 3624: xoptiloc.exe

Suspicious use of WriteProcessMemory (6 IoCs)
- PID 1436 (855a66ca6f7b38fa88003f93646f4eb50dfbdc7817125aec346c40d8da95acbcN.exe) wrote to memory of PID 4380, procid_target 87; recorded three times
- PID 1436 (855a66ca6f7b38fa88003f93646f4eb50dfbdc7817125aec346c40d8da95acbcN.exe) wrote to memory of PID 3624, procid_target 88; recorded three times
Processes
- C:\Users\Admin\AppData\Local\Temp\855a66ca6f7b38fa88003f93646f4eb50dfbdc7817125aec346c40d8da95acbcN.exe (command line: "C:\Users\Admin\AppData\Local\Temp\855a66ca6f7b38fa88003f93646f4eb50dfbdc7817125aec346c40d8da95acbcN.exe"), PID 1436
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe (command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"), PID 4380
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\AdobeVV\xoptiloc.exe (command line: C:\AdobeVV\xoptiloc.exe), PID 3624
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads