Analysis

  • max time kernel: 150s
  • max time network: 119s
  • platform: windows7_x64
  • resource: win7-20240708-en
  • resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted: 11/11/2024, 23:06

General

  • Target: 64f2915abe0b12773236b6aa6a334999fefed148f130fd512d2e741954b6e987.exe
  • Size: 2.6MB
  • MD5: 8b8953477fc1a7b1c477705dac753fa1
  • SHA1: 5d8eb49842577eb6a65efb20538f7bd3ce921abe
  • SHA256: 64f2915abe0b12773236b6aa6a334999fefed148f130fd512d2e741954b6e987
  • SHA512: 7ae486a1db0324e9afa38ed98256e59a23eb92806fad29352c7a211f7ee8354350982e6a72147d9ceca164c4a0b21658aa58bc53b3fd0d530f173814226a0681
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBVB/bS:sxX7QnxrloE5dpUpWb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\64f2915abe0b12773236b6aa6a334999fefed148f130fd512d2e741954b6e987.exe
    "C:\Users\Admin\AppData\Local\Temp\64f2915abe0b12773236b6aa6a334999fefed148f130fd512d2e741954b6e987.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2480
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2348
    • C:\IntelprocH4\aoptiec.exe
      C:\IntelprocH4\aoptiec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2836

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Galax53\optialoc.exe
    Filesize: 77KB
    MD5: 881b44e9c4c7d641a48b98741755d22a
    SHA1: 9209a66b4240ba99c65144e8b2c49b20a524dc96
    SHA256: eee65d8ac29c18cb321742a0a302c0eb9e5895599eaea69ba1fec23bfafb492d
    SHA512: 60ac77096914af561c4e706c78ee7b811abd8b82093142ed71ed549d25f3620ae7aa4f99e1294f9a1aaef5771c5f736ca0ed9b7ca893674b6831ae1f02d56095

  • C:\Galax53\optialoc.exe
    Filesize: 2.6MB
    MD5: c84c2b623d2bcc3904ec141ac0690abb
    SHA1: cabf8a3a013522ccead3bd1790ce5a2a2ebb2422
    SHA256: 436b4c7313dcbae554a30ff4d72fb06502b33e7ddf0ff8a4f3d1d2a6418b69d8
    SHA512: 01cdc18d890af3ca96bbf31f4efdae8ef85ede7d68139ab5e0a8694d2623c2f482d91b1ad99cdb966efad16a003788ccafbc543e4684fc5ba77398ecc7171c0d

  • C:\IntelprocH4\aoptiec.exe
    Filesize: 41KB
    MD5: 9388e57ebbb164d5da77d8feb692e28a
    SHA1: b42da051aea4b078bc43d7da99fd80d71913921b
    SHA256: 55916fe98ea4c5992f2107885b71299bdb2a3b2deb4dd643272e8eeb036ad801
    SHA512: 3968aaff78df58acb63d77ea4f77e4c8849eac43e0deb8bf2e6ca5c2d14d91d559edaa135ad13afb487838fdb82f8a16020d95bac4ccf941d79a3c8620efe400

  • C:\IntelprocH4\aoptiec.exe
    Filesize: 2.6MB
    MD5: 85571bda80171ae3c4a346580e4a2055
    SHA1: eea0e5934a756363cdf560e456cccd7434569d9b
    SHA256: 02680acc39a51c9ffe2de44210c55ea86acd065d7b82b90ae0ade57f776361cd
    SHA512: 443d5fd94b9feb6633705a63e27852887230136bc8a507f43fe3635b12bc5b65273c2b539b404ced846e037e8a87f2a3d17c83aa4ee796214fb4130f6a8287e0

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 173B
    MD5: c0d5a9b3cccd7f1df7d9e44cb0fac432
    SHA1: ead410751c4fd1b5cf9684b8021cf7ed9cb0ccf5
    SHA256: 2969a387ef31091fabe461ea28a1779acdb93c747fa4cbe5f8d5ea6df1a823b1
    SHA512: 045fbeadeb37c72a2d35dba58312134e73989c701bdfba20ad7bc978d3ba1418fc8af9ad09adeb1f4d3263952a45f4ebd08a0ac189d447e67223f701faddb28a

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 205B
    MD5: 82283367fc8a0db4a423581ff57e59e3
    SHA1: 0fb673c8049b0ed065d9b130968ddf8d9051d140
    SHA256: 56442c4b71cf38d16ba15dcc7fbc184bc2e9fb179dec5d6d2e57210d1e6ea0e4
    SHA512: e60c71fe7b34671f3ec16992e9916837de8de87b0cf45a7e08e8bca4a0929be8d3722a7185bc442a968a2a037215ba0335133386df0641485bbaf6265ef7748d

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
    Filesize: 2.6MB
    MD5: 3fd06005381c363f2d49c1d0e4b13ca7
    SHA1: d28e3890eb2f475abd3357c5ace7106b11ecbdeb
    SHA256: 595b3232a346298938521d066330453a4795c4d0c9a0a9382aac2c44cbf02fdb
    SHA512: b80a879672899e9f5f0c9a6a95c8c3bf36a267ff501d4010517886a73d25385cc5686f70a6de32eab729b4bc487d61ff0b2fde8c1367f2f5294e9d4cb7f444dd