Analysis

  • max time kernel
    149s
  • max time network
    136s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/11/2024, 22:18

General

  • Target

    52ade0d6afcb10538de62a486e4e9fb278ed674ec959c0719c36aee669df48e6.exe

  • Size

    2.6MB

  • MD5

    40a89c9c1f86c5fa732987e226becb5f

  • SHA1

    ae3dac667d036cc775a0c271bd628db6169c070d

  • SHA256

    52ade0d6afcb10538de62a486e4e9fb278ed674ec959c0719c36aee669df48e6

  • SHA512

    882b9ea8fd55b355c6463664f39c30279707dd667db28e1ad8ce301dc05c8a23295ad0cf4440071f7aa13654a0dbbbfedc65d5330a2efe0768f1b7f9b0a65907

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB5B/bS:sxX7QnxrloE5dpUpyb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\52ade0d6afcb10538de62a486e4e9fb278ed674ec959c0719c36aee669df48e6.exe
    "C:\Users\Admin\AppData\Local\Temp\52ade0d6afcb10538de62a486e4e9fb278ed674ec959c0719c36aee669df48e6.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3944
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4864
    • C:\FilesXB\xbodsys.exe
      C:\FilesXB\xbodsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2716

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\FilesXB\xbodsys.exe

    Filesize

    2.6MB

    MD5

    9043a689c43841a881ffa666aa9b94a5

    SHA1

    d8b5e84975f8ad886833e0e968c6ac32c370b384

    SHA256

    2110f0b4333f9ed98b3de4d8eb20bb4dd078324f8ddc6fdc04cfc7410290ecab

    SHA512

    010074c7f25ba25b566f2cdb1234d2190cd8e71f1d9782bcfab6d3d2c876acbcbcf4d6abccad595d570a019422b5bbdefb56e7655c035425f36ed69ee72cab07

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    202B

    MD5

    e149b68aadb1e7a8d4a5d93616054a19

    SHA1

    ceed2c9a42b05299d5ecc9a0ea091bab205ab162

    SHA256

    e77b093adbe728c37e8aada7749ed13ac9dda29de16f059a5a717f2dc9b71387

    SHA512

    a8d72f9e0356dd5fa44b0c0fc66ff4a871d06708f646ceaa4e9a823f279fd550a0f149475fde99f1e43ff6e7a9f2e2cad6e80de2012aafad85ad17c3994133fe

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    170B

    MD5

    e077d49bc1494b02eaeee565b9a47e76

    SHA1

    88167be303025f191f470c68adea3bb1d440072a

    SHA256

    ebbd83abc86975250845e582f61a2baa3c349fa5c0d926f636778b9cdce53287

    SHA512

    0a2c9177b180b5086e3d4cd6c209bea8957611912a4bd86054df3c2082e8f942fd9a675a426dcce957b32f9f70100923e2a59bfaa05f1f4e1ec7c7649fbce965

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe

    Filesize

    2.6MB

    MD5

    c19be8c156afbf4237aa28eaaf7dae58

    SHA1

    4ed79f0a39481954b7d45d2e6c3cc215e51ef3c5

    SHA256

    98ff78b705845404afcdc623e1e747c9c454674c145ede1f12e8bb2f551aa760

    SHA512

    ecbc0671b33ebb76a98b9bd291f8298a4861c4479837c9476d5935c605a785d347a313b97c4b7954c3b8c373325a94ff0117065b47d2a6127c6d4325ab0abb6e

  • C:\VidX9\optiasys.exe

    Filesize

    2.6MB

    MD5

    86dcdc7c746dd936df1bebaa92f80541

    SHA1

    80b12cea304b75359e21a307c6510f1e67536957

    SHA256

    5a38b6eed759f906fe1e7a927e3400fcf197d7cf18432bfc7ac3b1f886128d39

    SHA512

    70758e8a811e0c3aa68a2c19144296bdb2413077105a659d292f2be58b15e66e88406aab7562ab694dd527d8d1584b420e3e0e4d22be11d92ebb720c18488807

  • C:\VidX9\optiasys.exe

    Filesize

    2.6MB

    MD5

    c289535fd4b1ea2fee12772be483d1e9

    SHA1

    2f7bc4e741fda1cfc86daf038ae329809090851d

    SHA256

    dd23f41a30f70d70b9f26aedff398e4736bfef453c91fbaa8fc893c3c0594637

    SHA512

    c15ca827ae31f678da3f7aafae9e093f807554da090ae63d1f026821966e2b8bcbc9ddc56e6a3a634fa94ff779000db75179ae1cc49aeeab8bacc054d6399c63