Analysis
max time kernel: 119s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/11/2024, 22:49

Static task: static1
Behavioral task: behavioral1
  Sample: 124240f84b44d907352ef68b32bcdbb4264c6208c09e972792bb3ac6a7209287N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 124240f84b44d907352ef68b32bcdbb4264c6208c09e972792bb3ac6a7209287N.exe
  Resource: win10v2004-20241007-en
General
Target: 124240f84b44d907352ef68b32bcdbb4264c6208c09e972792bb3ac6a7209287N.exe
Size: 2.6MB
MD5: 9feeca57632898e3da8059d8a4bc2340
SHA1: 5d4c5b58eb8b2e0b23edcbd7fdb5e770d01b4d3f
SHA256: 124240f84b44d907352ef68b32bcdbb4264c6208c09e972792bb3ac6a7209287
SHA512: bead80473821d2964cb9f4b64f6c4c7736b7520cdd5ce44bd619d68738ed21d6843c043e8bd545b73ec9acc8426c13ae8c17e2448648d7381166e972ae2aa8e5
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB1B/bS:sxX7QnxrloE5dpUp+b
Malware Config
Signatures
Drops startup file 1 IoCs
  description  | ioc                                                                                        | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | 124240f84b44d907352ef68b32bcdbb4264c6208c09e972792bb3ac6a7209287N.exe

Executes dropped EXE 2 IoCs
  pid  | Process
  2220 | ecabod.exe
  5084 | xoptiloc.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 2 IoCs
  description     | ioc                                                                                                                                        | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesFM\\xoptiloc.exe"      | 124240f84b44d907352ef68b32bcdbb4264c6208c09e972792bb3ac6a7209287N.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxR2\\optidevloc.exe" | 124240f84b44d907352ef68b32bcdbb4264c6208c09e972792bb3ac6a7209287N.exe
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc                                                           | Process
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 124240f84b44d907352ef68b32bcdbb4264c6208c09e972792bb3ac6a7209287N.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ecabod.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xoptiloc.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4056 124240f84b44d907352ef68b32bcdbb4264c6208c09e972792bb3ac6a7209287N.exe 4056 124240f84b44d907352ef68b32bcdbb4264c6208c09e972792bb3ac6a7209287N.exe 4056 124240f84b44d907352ef68b32bcdbb4264c6208c09e972792bb3ac6a7209287N.exe 4056 124240f84b44d907352ef68b32bcdbb4264c6208c09e972792bb3ac6a7209287N.exe 2220 ecabod.exe 2220 ecabod.exe 5084 xoptiloc.exe 5084 xoptiloc.exe 2220 ecabod.exe 2220 ecabod.exe 5084 xoptiloc.exe 5084 xoptiloc.exe 2220 ecabod.exe 2220 ecabod.exe 5084 xoptiloc.exe 5084 xoptiloc.exe 2220 ecabod.exe 2220 ecabod.exe 5084 xoptiloc.exe 5084 xoptiloc.exe 2220 ecabod.exe 2220 ecabod.exe 5084 xoptiloc.exe 5084 xoptiloc.exe 2220 ecabod.exe 2220 ecabod.exe 5084 xoptiloc.exe 5084 xoptiloc.exe 2220 ecabod.exe 2220 ecabod.exe 5084 xoptiloc.exe 5084 xoptiloc.exe 2220 ecabod.exe 2220 ecabod.exe 5084 xoptiloc.exe 5084 xoptiloc.exe 2220 ecabod.exe 2220 ecabod.exe 5084 xoptiloc.exe 5084 xoptiloc.exe 2220 ecabod.exe 2220 ecabod.exe 5084 xoptiloc.exe 5084 xoptiloc.exe 2220 ecabod.exe 2220 ecabod.exe 5084 xoptiloc.exe 5084 xoptiloc.exe 2220 ecabod.exe 2220 ecabod.exe 5084 xoptiloc.exe 5084 xoptiloc.exe 2220 ecabod.exe 2220 ecabod.exe 5084 xoptiloc.exe 5084 xoptiloc.exe 2220 ecabod.exe 2220 ecabod.exe 5084 xoptiloc.exe 5084 xoptiloc.exe 2220 ecabod.exe 2220 ecabod.exe 5084 xoptiloc.exe 5084 xoptiloc.exe -
Suspicious use of WriteProcessMemory 6 IoCs
  description                      | pid  | Process                                                               | procid_target
  PID 4056 wrote to memory of 2220 | 4056 | 124240f84b44d907352ef68b32bcdbb4264c6208c09e972792bb3ac6a7209287N.exe | 87
  PID 4056 wrote to memory of 2220 | 4056 | 124240f84b44d907352ef68b32bcdbb4264c6208c09e972792bb3ac6a7209287N.exe | 87
  PID 4056 wrote to memory of 2220 | 4056 | 124240f84b44d907352ef68b32bcdbb4264c6208c09e972792bb3ac6a7209287N.exe | 87
  PID 4056 wrote to memory of 5084 | 4056 | 124240f84b44d907352ef68b32bcdbb4264c6208c09e972792bb3ac6a7209287N.exe | 90
  PID 4056 wrote to memory of 5084 | 4056 | 124240f84b44d907352ef68b32bcdbb4264c6208c09e972792bb3ac6a7209287N.exe | 90
  PID 4056 wrote to memory of 5084 | 4056 | 124240f84b44d907352ef68b32bcdbb4264c6208c09e972792bb3ac6a7209287N.exe | 90
Processes
C:\Users\Admin\AppData\Local\Temp\124240f84b44d907352ef68b32bcdbb4264c6208c09e972792bb3ac6a7209287N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\124240f84b44d907352ef68b32bcdbb4264c6208c09e972792bb3ac6a7209287N.exe"
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4056

    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      PID:2220

    C:\FilesFM\xoptiloc.exe
      Command line: C:\FilesFM\xoptiloc.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      PID:5084
Network
MITRE ATT&CK Enterprise v15
Downloads