Analysis

  • max time kernel
    119s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08/11/2024, 22:49

General

  • Target

    124240f84b44d907352ef68b32bcdbb4264c6208c09e972792bb3ac6a7209287N.exe

  • Size

    2.6MB

  • MD5

    9feeca57632898e3da8059d8a4bc2340

  • SHA1

    5d4c5b58eb8b2e0b23edcbd7fdb5e770d01b4d3f

  • SHA256

    124240f84b44d907352ef68b32bcdbb4264c6208c09e972792bb3ac6a7209287

  • SHA512

    bead80473821d2964cb9f4b64f6c4c7736b7520cdd5ce44bd619d68738ed21d6843c043e8bd545b73ec9acc8426c13ae8c17e2448648d7381166e972ae2aa8e5

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB1B/bS:sxX7QnxrloE5dpUp+b

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\124240f84b44d907352ef68b32bcdbb4264c6208c09e972792bb3ac6a7209287N.exe
    "C:\Users\Admin\AppData\Local\Temp\124240f84b44d907352ef68b32bcdbb4264c6208c09e972792bb3ac6a7209287N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4056
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2220
    • C:\FilesFM\xoptiloc.exe
      C:\FilesFM\xoptiloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:5084

Network

MITRE ATT&CK Enterprise v15


Downloads

        • C:\FilesFM\xoptiloc.exe

          Filesize

          2.6MB

          MD5

          074df255acae097444fd0641ed4ef9dc

          SHA1

          9b7520fe3ca7d60c5f12d91baac07253ae1eef01

          SHA256

          aa08c0196ad600e29a1646cb6bd2fe2b536d571cbf2af8b4112a9584e5ae03df

          SHA512

          ad4c7024d4cc44f9eb5fee98c9c855c37244af527fb745c2e9120fe5efe1079a18ce4b803c2fb1e841ef34e4b2ffaf1bc149d1ee37bbc866fd915e08743b73d8

        • C:\GalaxR2\optidevloc.exe

          Filesize

          2.6MB

          MD5

          5e588cc1659d0a578210b4cdf8acf72b

          SHA1

          faa539374973835f337e8f7b6cfa44eb231d88a9

          SHA256

          d8052904a7dd17cdf746c406793be222d2b1e2f945f8069262ac2e8d5d9a45fc

          SHA512

          d457d07481f0815438faeb6a3ac7a9d84cc7e2a28ec9c2d276c530db3a60318172d4b32957a78a91238079415d6402a4057a9daa34a372e9ba31521d2835ff2a

        • C:\GalaxR2\optidevloc.exe

          Filesize

          2.6MB

          MD5

          dd8e9d15755d08e0dbe71e8e2751fe29

          SHA1

          8a1ebfc97f0b12c9c855f5cd5a8a89cd1c276f82

          SHA256

          1abc979f25679a214bceaf6b9de86590dca8b3ee3718eab43a0586d2755b30fd

          SHA512

          069ffe72e8c36b8f7e71d0c104ce99a6812016aeaefa1876375760ed64bc610ee9d544e6960d61d318c6194c80c8a988b429189fca46fd41c4e07e8a7f213a04

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          204B

          MD5

          a67decdebf38832d6d37da7a3b4cfd68

          SHA1

          7f6040df4052efc31ce245a648ad7cca035674b4

          SHA256

          33611e614dd81d9633026b7aab3b9aa91e38d389cf76af7aabcf4a4e5623cac6

          SHA512

          a4f424722fc5be55a60b42683202e7b95cc6a8d5039e0367a95804f29eb5955ddb94a4d490303e612af4ae5c5e93797e4d62f3ae354f297f28dd2a2f5e5b113d

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          172B

          MD5

          5f83c9a36fb55e3aa2dbcc29af38a6fd

          SHA1

          103d324d9a0c955c8104c07e36e84755f5779e79

          SHA256

          55c2dcd34c37e97733cebf6f64c66144d0c742e82919df7e767ff9b7f039bfd4

          SHA512

          3e7af3b99d3183d3ea3e6ac602bb8a825ffd3ad3b19c83d06a81a369eead3da3a6e19d34c581ae329c2e5e966d00ba65067d80e566476a4dada7929325cf5f8d

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe

          Filesize

          2.6MB

          MD5

          398e06f9791371ccbc0fe034d01151a9

          SHA1

          37d2cbd5f4dbd2912f4184e8e85f0dca4200f8cd

          SHA256

          f489960d1a8bdc395d0fcd9e45d08d7937bff45d4ad6093d289989578b9737d4

          SHA512

          628259a2f2ed6d3d28d2834f15f87e81556794b8b4c66668e473e87b7ccee9d6ec42a0c2c1f851e6e8efcc3a4792698c4b0db2eeef069b2143f133fbdbe3c2c8