Analysis
max time kernel: 149s
max time network: 136s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-11-2024 01:14
Static task: static1
Behavioral task: behavioral1
  Sample: a39bb494f11fb3a17541fab567c84638afd537b8e9ca530f64e36033b1270296.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: a39bb494f11fb3a17541fab567c84638afd537b8e9ca530f64e36033b1270296.exe
  Resource: win10v2004-20241007-en
General
Target: a39bb494f11fb3a17541fab567c84638afd537b8e9ca530f64e36033b1270296.exe
Size: 2.6MB
MD5: 51cf53d7fad47c7b153aebc19cdc4e5d
SHA1: 4353613c56c626331851ce11667c9e2438767653
SHA256: a39bb494f11fb3a17541fab567c84638afd537b8e9ca530f64e36033b1270296
SHA512: cda0a3e112409544605903d2ef48f61ac47017227de2ab7aedc46f8268b5698c78d3fdfd3be67319790d6b75f45561f67266990c621bd5e2c0f714763bc45bf4
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBQB/bS:sxX7QnxrloE5dpUpfb
Malware Config
Signatures
Drops startup file (1 IoC)
Processes:
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe, by a39bb494f11fb3a17541fab567c84638afd537b8e9ca530f64e36033b1270296.exe
Executes dropped EXE (2 IoCs)
Processes:
  PID 2200: ecadob.exe
  PID 3104: xoptiec.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  Set value (str): \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv00\\xoptiec.exe", by a39bb494f11fb3a17541fab567c84638afd537b8e9ca530f64e36033b1270296.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintT1\\bodxloc.exe", by a39bb494f11fb3a17541fab567c84638afd537b8e9ca530f64e36033b1270296.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by a39bb494f11fb3a17541fab567c84638afd537b8e9ca530f64e36033b1270296.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by ecadob.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by xoptiec.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (64 process-enumeration events in total, repeated across these three processes):
  PID 4792: a39bb494f11fb3a17541fab567c84638afd537b8e9ca530f64e36033b1270296.exe
  PID 2200: ecadob.exe
  PID 3104: xoptiec.exe
Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  PID 4792 (a39bb494f11fb3a17541fab567c84638afd537b8e9ca530f64e36033b1270296.exe) wrote to memory of PID 2200 (procid_target 89), 3 events
  PID 4792 (a39bb494f11fb3a17541fab567c84638afd537b8e9ca530f64e36033b1270296.exe) wrote to memory of PID 3104 (procid_target 92), 3 events
Processes
- C:\Users\Admin\AppData\Local\Temp\a39bb494f11fb3a17541fab567c84638afd537b8e9ca530f64e36033b1270296.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a39bb494f11fb3a17541fab567c84638afd537b8e9ca530f64e36033b1270296.exe"
  PID: 4792
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe (child of PID 4792)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
    PID: 2200
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\SysDrv00\xoptiec.exe (child of PID 4792)
    Command line: C:\SysDrv00\xoptiec.exe
    PID: 3104
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads