Analysis

  • max time kernel
    150s
  • max time network
    134s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10-11-2024 01:16

General

  • Target

    a442f99a903383c049a16674d081e20372585d59bfbf2fcc79e86158d8dd5526.exe

  • Size

    2.6MB

  • MD5

    1e6b7b2d879e371aa812a340804422e2

  • SHA1

    f8b065132013f26d96ae33528799d359860c447b

  • SHA256

    a442f99a903383c049a16674d081e20372585d59bfbf2fcc79e86158d8dd5526

  • SHA512

    4ae97bbe846fc04accf0463eca49feb7251d5118203b270fec651bfd0233eddb7589423bfe83e328ef44745889068e6f7bd94cc61718eadf79292058f4b6769c

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBrB/bSq:sxX7QnxrloE5dpUp8bV

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and other sensitive data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a442f99a903383c049a16674d081e20372585d59bfbf2fcc79e86158d8dd5526.exe
    "C:\Users\Admin\AppData\Local\Temp\a442f99a903383c049a16674d081e20372585d59bfbf2fcc79e86158d8dd5526.exe"
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1800
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1108
    • C:\AdobeLJ\aoptiloc.exe
      C:\AdobeLJ\aoptiloc.exe
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4452

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\AdobeLJ\aoptiloc.exe

    Filesize

    1.7MB

    MD5

    f40ea7c92192e16c399545d2bb7f8037

    SHA1

    06beae775a1209ad23c7e90fe2f9c1759106e93d

    SHA256

    e9a7042e033ff33b499696614394b92e9e5b460334ec6c529413a8cd556456c9

    SHA512

    df76bfd5bd572703d7c49101a7ebb55526457dc18a11d3edd59720336b3e36222260ac4046acc896d9a0484b56765cd2dcdbced1b7fc21d02675dddf1b3a6d0d

  • C:\AdobeLJ\aoptiloc.exe

    Filesize

    2.6MB

    MD5

    7211d8678d65804f03d3156b27f57ad5

    SHA1

    d4a0d4addf88985c624d8edcd7154f0765c5f7f5

    SHA256

    b20af789ab4a7efe6ba50eaabc80a81d2a58ff71861e7ee2ed8541cea882c0be

    SHA512

    6db56794e2c64eeee6e6141296252acd9b5cc3e49a3a4369084a8f0cd2f7350d247d816b3d49c49e0416458acf5287486480675f524d79a0ab9a77e6e284d767

  • C:\GalaxZ7\dobaec.exe

    Filesize

    294KB

    MD5

    8fe14a9eb7a4cfb67064a95e7a1ef602

    SHA1

    8944f900779ff0b83f0f6f3a9f12c496d2aa6594

    SHA256

    b150409e0c1dab3b62e495d19addaf91cf5b56ea0626869e862fe4c4bd2c4239

    SHA512

    a0930909d8565d39fe31c384d65bdc2d8881c274fd6d27a04ad37799f16f44e2e633cb0888fe57dcd98ec00a59a6346b19816d6c93b3ee3f1d23c2057546028a

  • C:\GalaxZ7\dobaec.exe

    Filesize

    2.6MB

    MD5

    207777e15db797758484ec7ce7ad9725

    SHA1

    118e2d7f80f681503cb8052c07251d4870043ea4

    SHA256

    a6d7bd047c16df6a830a6d4b90aec3907cc4470f3c7f4a3ad36bf301c0f72d3e

    SHA512

    3234fd1fc352c20f0afaa3e546cf2537baa8209ae0da43915b0a023ea07eaccfc5db17d56d7b1a0504c4f281689f1095de7a592f5886fc0c1b3f4241c7b35657

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    201B

    MD5

    cd38ef24ea5cb96f006d0e3ef07ca38e

    SHA1

    c2bfbfb977f18d2d2385d2c2787530e7eb7cc2a7

    SHA256

    fcc08a61dacd021b1ac88428b2608c084391a0abcc97f563f688aa20c8e14aec

    SHA512

    be282d7c62c6da2b1b666fdfffdfa5fdd10f2c9065f97a0f6a5f85731baa86fafdf48660cd06c496fb4e555502c01122b3f66d2654639e26af5193c6dceaa0c8

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    169B

    MD5

    e6ea5db60f39685375521c82e079d17f

    SHA1

    d68045657f6a2a625e3011277679c1f20341666e

    SHA256

    0800cc70ddc66a787c6a11fdc86ebc9668e71afc05d1b7e94dd5c1782a45473b

    SHA512

    e0fb306b25d147d5943ef508ca1d8b566501489ec97d671a70494e065b9d66423e542aa05fe59161815a6a4976d9038f04a9aab27d21f5cb13ebd71e0ae3c8ac

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe

    Filesize

    2.6MB

    MD5

    1607a92c3c22cb10e3bc0bf4face4fd7

    SHA1

    4457fca756ce66caf48865c4f793afb63bbe8a02

    SHA256

    1047eb9908913a0a3771143d8d21feec363195970849a85b71ab3bc49ea7bf6f

    SHA512

    ada13d4f07fbcf686b3c3c7b99865d73a634a2804157466cdcd0d736410ab802a828a7e45c50a3eee5ff19cac1acc366e147ef733d2b549790f18b7cc5150fd4