Analysis
- max time kernel: 119s
- max time network: 94s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/11/2024, 21:18
Static task: static1

Behavioral task: behavioral1
- Sample: 599a196db08c16531eb49911e2f329292bf87dcfa2cad254cb2e46a6c20f47afN.exe
- Resource: win7-20240903-en

Behavioral task: behavioral2
- Sample: 599a196db08c16531eb49911e2f329292bf87dcfa2cad254cb2e46a6c20f47afN.exe
- Resource: win10v2004-20241007-en
General
- Target: 599a196db08c16531eb49911e2f329292bf87dcfa2cad254cb2e46a6c20f47afN.exe
- Size: 2.6MB
- MD5: 8cd708d12f6a6e34ff0a7bd37917ca30
- SHA1: ceaaac2eea1454143243b411916c12411ac09cc0
- SHA256: 599a196db08c16531eb49911e2f329292bf87dcfa2cad254cb2e46a6c20f47af
- SHA512: f4b9ca0d5ae58d63952432650beabb4abd354db7d7b265fd02ba39016519ca23aa602b3314f98aabfcc4edb8797612f7e1813f034d9628a06184f09abdb21960
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBxB/bSq:sxX7QnxrloE5dpUpabV
Malware Config
Signatures
Drops startup file (1 IoC)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe | 599a196db08c16531eb49911e2f329292bf87dcfa2cad254cb2e46a6c20f47afN.exe

Executes dropped EXE (2 IoCs)
  pid | Process
  5064 | ecxopti.exe
  2680 | xoptiec.exe

Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesK5\\xoptiec.exe" | 599a196db08c16531eb49911e2f329292bf87dcfa2cad254cb2e46a6c20f47afN.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxW7\\dobdevloc.exe" | 599a196db08c16531eb49911e2f329292bf87dcfa2cad254cb2e46a6c20f47afN.exe

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xoptiec.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 599a196db08c16531eb49911e2f329292bf87dcfa2cad254cb2e46a6c20f47afN.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ecxopti.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 1384 wrote to memory of 5064 | 1384 | 599a196db08c16531eb49911e2f329292bf87dcfa2cad254cb2e46a6c20f47afN.exe | 89
  PID 1384 wrote to memory of 5064 | 1384 | 599a196db08c16531eb49911e2f329292bf87dcfa2cad254cb2e46a6c20f47afN.exe | 89
  PID 1384 wrote to memory of 5064 | 1384 | 599a196db08c16531eb49911e2f329292bf87dcfa2cad254cb2e46a6c20f47afN.exe | 89
  PID 1384 wrote to memory of 2680 | 1384 | 599a196db08c16531eb49911e2f329292bf87dcfa2cad254cb2e46a6c20f47afN.exe | 90
  PID 1384 wrote to memory of 2680 | 1384 | 599a196db08c16531eb49911e2f329292bf87dcfa2cad254cb2e46a6c20f47afN.exe | 90
  PID 1384 wrote to memory of 2680 | 1384 | 599a196db08c16531eb49911e2f329292bf87dcfa2cad254cb2e46a6c20f47afN.exe | 90
Processes

1. C:\Users\Admin\AppData\Local\Temp\599a196db08c16531eb49911e2f329292bf87dcfa2cad254cb2e46a6c20f47afN.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\599a196db08c16531eb49911e2f329292bf87dcfa2cad254cb2e46a6c20f47afN.exe"
   PID: 1384
   - Drops startup file
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
      PID: 5064
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

   2. C:\FilesK5\xoptiec.exe
      Command line: C:\FilesK5\xoptiec.exe
      PID: 2680
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads