Analysis

max time kernel: 120s
max time network: 97s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/11/2024, 22:22

Static task: static1

Behavioral task: behavioral1
  Sample: f3639298c946669bfed2959ec1bac553e9afc053a91e5d9d22c023797905d4efN.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: f3639298c946669bfed2959ec1bac553e9afc053a91e5d9d22c023797905d4efN.exe
  Resource: win10v2004-20241007-en
General

Target: f3639298c946669bfed2959ec1bac553e9afc053a91e5d9d22c023797905d4efN.exe
Size: 2.6MB
MD5: 41900496309d72e11d5af391a8b889b0
SHA1: 4bf4222d730078646fb1fc6293836e7d9673ed9e
SHA256: f3639298c946669bfed2959ec1bac553e9afc053a91e5d9d22c023797905d4ef
SHA512: 0eeb36e21ab7af47c471a9cc1bcbd182143763048527020f55ed5d35460b512fb4202b3c751dd3849cdd1b56400d3dde280ee22ceec1ed6cac4509b4d51a51b5
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB0B/bSq:sxX7QnxrloE5dpUpjbV
Malware Config
Signatures

Drops startup file (1 IoC)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe | f3639298c946669bfed2959ec1bac553e9afc053a91e5d9d22c023797905d4efN.exe

Executes dropped EXE (2 IoCs)
  pid | Process
  3204 | ecxopti.exe
  744 | abodsys.exe

Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotBI\\abodsys.exe" | f3639298c946669bfed2959ec1bac553e9afc053a91e5d9d22c023797905d4efN.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidQX\\optidevec.exe" | f3639298c946669bfed2959ec1bac553e9afc053a91e5d9d22c023797905d4efN.exe

System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | abodsys.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f3639298c946669bfed2959ec1bac553e9afc053a91e5d9d22c023797905d4efN.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ecxopti.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  4432 | f3639298c946669bfed2959ec1bac553e9afc053a91e5d9d22c023797905d4efN.exe
  3204 | ecxopti.exe
  744 | abodsys.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 4432 wrote to memory of 3204 | 4432 | f3639298c946669bfed2959ec1bac553e9afc053a91e5d9d22c023797905d4efN.exe | 87
  PID 4432 wrote to memory of 3204 | 4432 | f3639298c946669bfed2959ec1bac553e9afc053a91e5d9d22c023797905d4efN.exe | 87
  PID 4432 wrote to memory of 3204 | 4432 | f3639298c946669bfed2959ec1bac553e9afc053a91e5d9d22c023797905d4efN.exe | 87
  PID 4432 wrote to memory of 744 | 4432 | f3639298c946669bfed2959ec1bac553e9afc053a91e5d9d22c023797905d4efN.exe | 90
  PID 4432 wrote to memory of 744 | 4432 | f3639298c946669bfed2959ec1bac553e9afc053a91e5d9d22c023797905d4efN.exe | 90
  PID 4432 wrote to memory of 744 | 4432 | f3639298c946669bfed2959ec1bac553e9afc053a91e5d9d22c023797905d4efN.exe | 90
Processes

C:\Users\Admin\AppData\Local\Temp\f3639298c946669bfed2959ec1bac553e9afc053a91e5d9d22c023797905d4efN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f3639298c946669bfed2959ec1bac553e9afc053a91e5d9d22c023797905d4efN.exe"
  PID: 4432
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
    PID: 3204
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

  C:\UserDotBI\abodsys.exe
    Command line: C:\UserDotBI\abodsys.exe
    PID: 744
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads