Analysis

  • max time kernel
    119s
  • max time network
    100s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20241007-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    08/11/2024, 22:03

General

  • Target

    12ca533a8eb1932d431f3b33c4754d6c45faea4648909fdb14b7a596142bdb9aN.exe

  • Size

    2.6MB

  • MD5

    8055643b72c2a9b72f2499e0154d2650

  • SHA1

    504758b0653b2aca9a11866017e694311289ded0

  • SHA256

    12ca533a8eb1932d431f3b33c4754d6c45faea4648909fdb14b7a596142bdb9a

  • SHA512

    b4cca2e42cdfe0e78b40b2f580a1a4641d7fe00ce5906c80332ce4acbefe70d89b51d19834982828727eb26c002bf601c04bae9583cee9d92e0356d9207a2c02

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB7B/bS:sxX7QnxrloE5dpUpMb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\12ca533a8eb1932d431f3b33c4754d6c45faea4648909fdb14b7a596142bdb9aN.exe
    "C:\Users\Admin\AppData\Local\Temp\12ca533a8eb1932d431f3b33c4754d6c45faea4648909fdb14b7a596142bdb9aN.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3916
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2432
    • C:\UserDotUK\xoptisys.exe
      C:\UserDotUK\xoptisys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:336

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\UserDotUK\xoptisys.exe

          Filesize

          2.6MB

          MD5

          6becdc36c3794aed9c20263f8dbe7791

          SHA1

          6c2a81a411de992f0c25ec7dbfa5624fef824981

          SHA256

          4c74d923245ac40864f170ab7cd0ecfb1cb8124ef0def7ad10225c388f4daf1c

          SHA512

          34266eb8ef96e946eb62e135c65dc4742c8202ef4a576f4cac1e2174e79118d2c5fafa77592a32ad0bdbecbadcb666c3efb3f6db155f1cc57abd8174e66ec943

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          203B

          MD5

          6d1cff675db1b76e26080a27d196a27d

          SHA1

          8e0b82e8c5e64c0f0d12247a08e191a8f43fef44

          SHA256

          0570d9c8f07968fafcc86fa1350c8c15f316d7a9a61879956be236fc75bf2624

          SHA512

          36e9be5cedb83771f322dc0a458325e3f4337f321508c8789513d12aa6af2b8e696f9bb2aaf2c74108be296e51163a72b137df2ea60e1fe5351dd5e0be66307d

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          171B

          MD5

          371d2731baa9176ce83751d3d7c407f5

          SHA1

          2ce89d8229f3487449cdf28abc2a1087d88fccce

          SHA256

          2ee7f2fa73a95b9034592652e406cd987d9cb2d1936f02a2a94ddf66ac0a8144

          SHA512

          42e0c019453396720fc3640d094234bfead106b2995eeacc90965f3b35dd28708b50f8efa581c9d4929bfdc19d08252b213a2d2f3e91b7d82187292b948ae515

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe

          Filesize

          2.6MB

          MD5

          9977db21dbc1a058b2e2d12c2589178d

          SHA1

          c0f5ad30843918367fc9dc0c3731721265347f74

          SHA256

          c78c0ae53af901f6bd1fd76a2e77be8b2cbf9f8017f8cfc879d2e586ed5e9f35

          SHA512

          d9f1cd9f7579cf8066cabc62210b2570a35b01e99c6ad70fc30e4daaa6d600ee28729ee81b7ac1821a4b459810f8db2276a0a38e676a30d1ad9da9c1fef6e212

        • C:\VidR1\bodxloc.exe

          Filesize

          2.6MB

          MD5

          e9fcc5383800946079f059d203f41f2b

          SHA1

          47ae2429ab11d098f35aeb3ef590496561af7263

          SHA256

          7e14c280160271f5e42ef581acd17c95540a28d66ba0d1423749b6ee7c4b1094

          SHA512

          cd2fe8edc5765dacd9c34ca7af7e20dd450a8e9115de2258acb446802098fe6d5a6fc4a210c0891a29f8d00f5454818dff44923c889158ebc2e95ea185dfeae4

        • C:\VidR1\bodxloc.exe

          Filesize

          2.6MB

          MD5

          871e915f458fee4da6ab5747003d7d04

          SHA1

          712a43ce18a698457acb26087b3fce573eb4ceb5

          SHA256

          2ed9ef581ba55b43b26123f5bb25bd497a139fa2d7c27eb590845da3359bc598

          SHA512

          3b24f8f113c4cffbc2c5a56a649c13730fd1fc2ffaa2f885acb4c98a93c912e557df343824a6490fcbba1f73173596d912e65c754546ed03c8060594e15b785a