Analysis

  • max time kernel: 120s
  • max time network: 97s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 08/11/2024, 22:22

General

  • Target: f3639298c946669bfed2959ec1bac553e9afc053a91e5d9d22c023797905d4efN.exe
  • Size: 2.6MB
  • MD5: 41900496309d72e11d5af391a8b889b0
  • SHA1: 4bf4222d730078646fb1fc6293836e7d9673ed9e
  • SHA256: f3639298c946669bfed2959ec1bac553e9afc053a91e5d9d22c023797905d4ef
  • SHA512: 0eeb36e21ab7af47c471a9cc1bcbd182143763048527020f55ed5d35460b512fb4202b3c751dd3849cdd1b56400d3dde280ee22ceec1ed6cac4509b4d51a51b5
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB0B/bSq:sxX7QnxrloE5dpUpjbV

Malware Config

Signatures

  • Drops startup file (1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Reads user/profile data of web browsers (3 TTPs)

    Infostealers often target stored browser data, which can include saved credentials, etc.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\f3639298c946669bfed2959ec1bac553e9afc053a91e5d9d22c023797905d4efN.exe (PID: 4432)
    Command line: "C:\Users\Admin\AppData\Local\Temp\f3639298c946669bfed2959ec1bac553e9afc053a91e5d9d22c023797905d4efN.exe"
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    Child processes:
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe (PID: 3204)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
    • C:\UserDotBI\abodsys.exe (PID: 744)
      Command line: C:\UserDotBI\abodsys.exe
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\UserDotBI\abodsys.exe
    Filesize: 20KB
    MD5: 12f25a7475deb27ed1c7ba2abd7760c3
    SHA1: 81432be178d9c134a354ff0cc96fa692d48bfa91
    SHA256: 377ba83ba13124a6838b1c6d595bdedafd8d941394d202a678449a01976481e8
    SHA512: c2c052efac626bf81fb22548859df986096300445a29a77efd85186e8ca4b255812414c4909723ed38053f1db401ccd3a487a75ad0e9bf09a9437b0d9bba44fe

  • C:\UserDotBI\abodsys.exe
    Filesize: 2.6MB
    MD5: 4bca11723d3341ab8cbc4889ff742371
    SHA1: b97db9a5424d228c0eb864538e0aa7215d61db53
    SHA256: 78ae174811d6a4eb55834c6508c475b31ad2da4e18e74ff9a01befb54e7474b8
    SHA512: 89c79afaf4fdd4845046251a451c387a52adee42d23f6610ca3cca4fb3161a1059885ed1dbdbc5814da6df5f2f194e7ca51e3d92339febe72afe51d3569d0134

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 203B
    MD5: c15253e2da3aa59e318db7dd9f19d804
    SHA1: 59e378807e33569fcf47ec708103a5d1ea381a4e
    SHA256: a81a5abe41743aa49cc4afe3a3aacf9fd0d00e0f22ca21b83dc0b8a6047e2841
    SHA512: f6cd8615188f425ec062459518d86c8b9a50f5f0b2926cc4e3fb2c6bba030fc43e851aa8f6a7f050f1297a68c6d1e78bff9b5b8c8f3600f42e7b28b1d8699207

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 171B
    MD5: a03ef2cc9e7f4d9e6a59dba84d68e1f3
    SHA1: 432d7c2c7b4de2264b59f86e96404f7bd285a118
    SHA256: 1e0c50f932cafe8141310deb5c89b3f418c92781c2d8aefc442503c12b69fc85
    SHA512: 810e9248023b55f9a08eec365a19cd3fcec3b71158ee510ca026587fd6c079ff2fb2e772ceefca9db23dcb941f8497ed76ffc81177ba902c331f1516fc757316

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
    Filesize: 2.6MB
    MD5: 2eed14689fd0de57ea523cd36b4d2532
    SHA1: d82f7c6d1f04619eae9b6ed48396978446e6ee5e
    SHA256: e1f46e2748d0a14d40654f76cb40c91137f669d52bb27b3c4cff36cb97c080d6
    SHA512: 4adeb8b62ec3eee9050a01d4dc7dfe9d1b5a345d93ad76eba3fff3735d6b9eca03dc20ea1e6c380b5757684744056b2be0be67059551e3a3e4ae1c1b257ce5c5

  • C:\VidQX\optidevec.exe
    Filesize: 155KB
    MD5: c0c2eb0225f18417822dd98a1cb54094
    SHA1: 9b5a7c21c4e1bd35e1ec2eeaf198a451d90bca2c
    SHA256: c42e2fe350e4cd91c27aa81f1888da5236dbcb579de9961d515b36be4e0e46ef
    SHA512: 111abd79181889d49911bb3a0821a58394b3bcef6eb850846ff9b2c8b56071106dcfa03f190d88bb5b249e53b794c40444a75071eff184e9f2378188c0c281f6

  • C:\VidQX\optidevec.exe
    Filesize: 690KB
    MD5: 45487bdf32a00d792f6b4281499548a8
    SHA1: 3f96bffe068fdbc7ecaedf9b342fb4f553220fe2
    SHA256: 711e32a255f116bb63cc1e30cb9c39780ca75dcdc721a7030ad660843adfdd7c
    SHA512: 161a61acd5a96811e242fafc197434df0af3b35fba194f64e08b88c01682e512d5175ed397d5194a9eebf24014435b8bb16bb7acdbc78ed5d5c9fc60d8ada11b