Analysis

  • max time kernel
    149s
  • max time network
    136s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    10-11-2024 01:14

General

  • Target: a39bb494f11fb3a17541fab567c84638afd537b8e9ca530f64e36033b1270296.exe
  • Size: 2.6MB
  • MD5: 51cf53d7fad47c7b153aebc19cdc4e5d
  • SHA1: 4353613c56c626331851ce11667c9e2438767653
  • SHA256: a39bb494f11fb3a17541fab567c84638afd537b8e9ca530f64e36033b1270296
  • SHA512: cda0a3e112409544605903d2ef48f61ac47017227de2ab7aedc46f8268b5698c78d3fdfd3be67319790d6b75f45561f67266990c621bd5e2c0f714763bc45bf4
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBQB/bS:sxX7QnxrloE5dpUpfb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a39bb494f11fb3a17541fab567c84638afd537b8e9ca530f64e36033b1270296.exe
    "C:\Users\Admin\AppData\Local\Temp\a39bb494f11fb3a17541fab567c84638afd537b8e9ca530f64e36033b1270296.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4792
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2200
    • C:\SysDrv00\xoptiec.exe
      C:\SysDrv00\xoptiec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3104

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\MintT1\bodxloc.exe
    Filesize: 2.6MB
    MD5: 129599ba510ea653722910fcbc9253d9
    SHA1: 3cd496d0fca274db75a0b1b76a3585c0a840137e
    SHA256: 47f3d908978979ba00ba93d68c1b5efbc172acf08251496a5c7536dc082b2b6f
    SHA512: 8528b3a6c6cf2645be128aeafa8d6283302ccf84524cb6cae37a16f4e17d772fcf4dd40b007eab1690834bf8a90549d5343662c5349153f0f5df243bece7dab5

  • C:\MintT1\bodxloc.exe
    Filesize: 1.8MB
    MD5: bc680fc8f9d8d64816d2f12a4c0d1192
    SHA1: 58ae45ea947ab947e976865459de13cb2bd57ec3
    SHA256: 004b8ce25845f53fe25b0fc5c61510b0962c8322708ced0a0100132e5d31a742
    SHA512: 77a4cdc27da2dbe80faa71e00ed083448cec03075267a986e123087f938d635729162071123a81febe3a73c8d4c6e2734d5dc3f7fdaa1931e9210462b7482704

  • C:\SysDrv00\xoptiec.exe
    Filesize: 2.6MB
    MD5: e7e26dd14c956753857af1762a75ee65
    SHA1: c8aaca694c53fe03cb85ff8d34cbadf5fad9cfdf
    SHA256: 5ba698d51881ceb2485d8cdc644af536a581c1f032504ca1163251f296aebe95
    SHA512: d66331cbe76c294b10a0439c8853aeeb75c83462f4420b319dec618fdcc898a4bb1c0bc53b5438c72ec4ff4778c8b603f371ff59d9ede89c3bae4891f198d19c

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 200B
    MD5: dae381593b55e76e4142be306b410391
    SHA1: 4f6cc42d9dea2edb7dc816c8c9bd9a361f838fc6
    SHA256: 317950db3b5147bedfa8a83df8357490c81df4a5c46a0cf7d23d88055bf43bd4
    SHA512: 1cee3a824f48f0bd3c313534188476671d28c49b50a8e84fe40dbc9b1c0eb061f124eae7dd0cf1ede1c4c66d68222c6e63dc3613f5ed2383393d664c2117a88f

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 168B
    MD5: cfe262e905918b197fecda1a1a0bde8c
    SHA1: 87a2aae98e839911f138cb6ee09afb99bea0417d
    SHA256: 7f11e91cb66c6b25d555cb2ed5676b7fe1fd4121518bf37b23f801a28baa01ff
    SHA512: da5aa6cefc8453470e7d5f5ab4a87aa121baca32904ad6d376729de912aabdebe6edcb15132346fd80d2c3ea3c6cab473a6f01936bb77d120dc8f05916d607c6

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
    Filesize: 2.6MB
    MD5: 241f682e557746445054ec1aae95cf80
    SHA1: a772c8affd08be56da03cbd7c8c1f0713bae91a2
    SHA256: 06b60b883755d8b0aecf74a4562e30a1c6731f8cc1bb87e90b72afc049345d5c
    SHA512: 57ea8098b55a4fc352c7c5d1c8bbdcd789eb0d99ac87d698f53387e9d5de202c012ae650e5fd122d682a76a5aee982eef59250a08eb4377827900a56e0f32334