Analysis

  • max time kernel: 119s
  • max time network: 94s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 09/11/2024, 21:18

General

  • Target: 599a196db08c16531eb49911e2f329292bf87dcfa2cad254cb2e46a6c20f47afN.exe
  • Size: 2.6MB
  • MD5: 8cd708d12f6a6e34ff0a7bd37917ca30
  • SHA1: ceaaac2eea1454143243b411916c12411ac09cc0
  • SHA256: 599a196db08c16531eb49911e2f329292bf87dcfa2cad254cb2e46a6c20f47af
  • SHA512: f4b9ca0d5ae58d63952432650beabb4abd354db7d7b265fd02ba39016519ca23aa602b3314f98aabfcc4edb8797612f7e1813f034d9628a06184f09abdb21960
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBxB/bSq:sxX7QnxrloE5dpUpabV

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\599a196db08c16531eb49911e2f329292bf87dcfa2cad254cb2e46a6c20f47afN.exe (PID 1384, depth 1)
    Command line: "C:\Users\Admin\AppData\Local\Temp\599a196db08c16531eb49911e2f329292bf87dcfa2cad254cb2e46a6c20f47afN.exe"
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe (PID 5064, depth 2, child of PID 1384)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
    • C:\FilesK5\xoptiec.exe (PID 2680, depth 2, child of PID 1384)
      Command line: C:\FilesK5\xoptiec.exe
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\FilesK5\xoptiec.exe
    Filesize: 721KB
    MD5: e758b9f9d8ef17192e5cc7dd769b0ac0
    SHA1: 94db66604d2fc993a988adf2718500fd9d14b3fb
    SHA256: 47fd684fe89acfbb5f9f026c4d834a600b6865c24adfba89ede1353ec88d06ee
    SHA512: 4c0c0ea9d4387f755014c160390c1a388987e9b72abbdaa06af1b586171231b038ba06b33c853d7c57d0532b490933ff8df0230e63e8ff03c73d54391b33363a

  • C:\FilesK5\xoptiec.exe
    Filesize: 2.6MB
    MD5: 669f4098400ac239304dc1415a2089c9
    SHA1: 11aea35c62892aeb9f55e92b20b75982f679bfa6
    SHA256: 4cc3fe013a9cee5af8a1964b16436d31cf1d915df9120bfdc6e9913ef1e6637e
    SHA512: 1d11b6d0de18ab066adf911f70efcf9a117b48f297aba67919100865e7ecb15b944f144a03646119e42b7f1c94968605e8c28274d58447ed384e7be5a69f223c

  • C:\GalaxW7\dobdevloc.exe
    Filesize: 2.6MB
    MD5: 77b6da6137115a901eee3d3bb78e98f7
    SHA1: 72b608be11a78700ed726f4eae711d7dddc78d42
    SHA256: 9c9398d90d04b7382dd42255f9a77639095cf16069811987139c0b528d435317
    SHA512: 4e3155c872e23c00fb249909172813dce5d8a1eb87ed7f2f8b19ac0f3847f6a413363a07146e795450065243d510869a8ba2c6d0a80826df4becbbc7184299f9

  • C:\GalaxW7\dobdevloc.exe
    Filesize: 2.6MB
    MD5: 75acf949635f436882d1009cbaca9270
    SHA1: dbf5960d912dd9069425f2efdb6e6aa45627c773
    SHA256: ddd4e9523097a9bc451379797f2b19c3faf1b2075b5204453d0f44d2dd71d5c6
    SHA512: 1b6c31a07c3f2bbb4fd22d775950c514879d3b8efab1dd4b1332a324863a0d3da2fbc43290bc98e40c886876e1c336379586c68abd2744e06cb764ece9e08116

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 203B
    MD5: ade1294290373f7ccc21047fe19bd81f
    SHA1: 0b6e49aa89cbed2bf64c6bc6af1261fe5680efe5
    SHA256: 64ad49cb61702173485975b2adc78f8f25d782ad930c6b71be16342d23ec378a
    SHA512: 4d4b4ec67c6ab677723b1d8bcd80c57c0cbc5b604269eaff7a2f7831b9ef93ddc6e47c0f01a2912916ff19b4051b22690f1ce5b9cee3e1eb8a4fe21053525334

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 171B
    MD5: a96e9fc442e505bcc2aa89346f892f69
    SHA1: 38e564d8d5574b2023f6624ea300519e75d8e37c
    SHA256: 6ec52caf8872b79974f52a6e3cc4fa954c2b69ab7d3465a77c3b236da23119fc
    SHA512: 6223214883efd27ebba73769e10410849b941d87fe38832a97d32a0a330dc32bf529dd765f1b0f20609981877655ac6baa16399e5781d15e1cc1a1b638199bd4

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
    Filesize: 2.6MB
    MD5: 71de68e0dd8b9954275ef5127fd3eb29
    SHA1: 1b07488676efd48f6df64d37746a79c1b71de6b8
    SHA256: 104bd7ba998333774dbc42ce37c2ed99711cb1f9bcf5e39909f762ae9c16b179
    SHA512: b7de44e87aab87e1a0d2465836972da4783e275c1c7299d505dca93f9c117a495ee706e15fdb3ca15fda9064aa4ff92d7921754012d9dd1fbf29b7789184453d