Analysis

max time kernel: 119s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 11/11/2024, 23:30
Static task: static1

Behavioral task: behavioral1
Sample: 8e050550a8247055dd1b391a22f4c984ca33f83b3bb521a744fe36ac8172e141N.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: 8e050550a8247055dd1b391a22f4c984ca33f83b3bb521a744fe36ac8172e141N.exe
Resource: win10v2004-20241007-en
General

Target: 8e050550a8247055dd1b391a22f4c984ca33f83b3bb521a744fe36ac8172e141N.exe
Size: 2.6MB
MD5: d2403f45884e0fde9b26de7e4bd1c3a0
SHA1: 5a6c9b8dc6a3f9e98d0a6680769d17854782bde3
SHA256: 8e050550a8247055dd1b391a22f4c984ca33f83b3bb521a744fe36ac8172e141
SHA512: bcc057d3047b35f3804727f51c84e7dfef6573f9c0dc85c77fca03ee6859ba5d15553021541cfdbe2c089bc7b22587466ebbf7455dc3e671b14b9fa69853735f
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBfB/bS:sxX7QnxrloE5dpUpkb
Malware Config
Signatures
Drops startup file (1 IoC)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | 8e050550a8247055dd1b391a22f4c984ca33f83b3bb521a744fe36ac8172e141N.exe

Executes dropped EXE (2 IoCs)
pid | Process
2076 | ecxdob.exe
2352 | xoptiec.exe

Loads dropped DLL (2 IoCs)
pid | Process
2148 | 8e050550a8247055dd1b391a22f4c984ca33f83b3bb521a744fe36ac8172e141N.exe
2148 | 8e050550a8247055dd1b391a22f4c984ca33f83b3bb521a744fe36ac8172e141N.exe

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files7I\\xoptiec.exe" | 8e050550a8247055dd1b391a22f4c984ca33f83b3bb521a744fe36ac8172e141N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZZ9\\bodaloc.exe" | 8e050550a8247055dd1b391a22f4c984ca33f83b3bb521a744fe36ac8172e141N.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 8e050550a8247055dd1b391a22f4c984ca33f83b3bb521a744fe36ac8172e141N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ecxdob.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xoptiec.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
2148 | 8e050550a8247055dd1b391a22f4c984ca33f83b3bb521a744fe36ac8172e141N.exe
2148 | 8e050550a8247055dd1b391a22f4c984ca33f83b3bb521a744fe36ac8172e141N.exe
2076 | ecxdob.exe
2352 | xoptiec.exe
(The 64 rows consist of the two rows for PID 2148 followed by rows alternating between PID 2076, ecxdob.exe, and PID 2352, xoptiec.exe.)

Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 2148 wrote to memory of 2076 | 2148 | 8e050550a8247055dd1b391a22f4c984ca33f83b3bb521a744fe36ac8172e141N.exe | 30
PID 2148 wrote to memory of 2076 | 2148 | 8e050550a8247055dd1b391a22f4c984ca33f83b3bb521a744fe36ac8172e141N.exe | 30
PID 2148 wrote to memory of 2076 | 2148 | 8e050550a8247055dd1b391a22f4c984ca33f83b3bb521a744fe36ac8172e141N.exe | 30
PID 2148 wrote to memory of 2076 | 2148 | 8e050550a8247055dd1b391a22f4c984ca33f83b3bb521a744fe36ac8172e141N.exe | 30
PID 2148 wrote to memory of 2352 | 2148 | 8e050550a8247055dd1b391a22f4c984ca33f83b3bb521a744fe36ac8172e141N.exe | 31
PID 2148 wrote to memory of 2352 | 2148 | 8e050550a8247055dd1b391a22f4c984ca33f83b3bb521a744fe36ac8172e141N.exe | 31
PID 2148 wrote to memory of 2352 | 2148 | 8e050550a8247055dd1b391a22f4c984ca33f83b3bb521a744fe36ac8172e141N.exe | 31
PID 2148 wrote to memory of 2352 | 2148 | 8e050550a8247055dd1b391a22f4c984ca33f83b3bb521a744fe36ac8172e141N.exe | 31
Processes

1. C:\Users\Admin\AppData\Local\Temp\8e050550a8247055dd1b391a22f4c984ca33f83b3bb521a744fe36ac8172e141N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\8e050550a8247055dd1b391a22f4c984ca33f83b3bb521a744fe36ac8172e141N.exe"
   PID: 2148
   - Drops startup file
   - Loads dropped DLL
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe (child of PID 2148)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
      PID: 2076
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

   2. C:\Files7I\xoptiec.exe (child of PID 2148)
      Command line: C:\Files7I\xoptiec.exe
      PID: 2352
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2.6MB
MD5: 96d71bc48f63357d6519d94ad8f617bd
SHA1: c1c8e9e2fd51f3a8ebbf71295a817d8eb6dff6dd
SHA256: 212fa4d62d24dbf07a9bd6fa554eba9a4f221c4c8ea9bc0addf153449e69944f
SHA512: e7fe1b7e8a4ba639a5acdea473b0c9d8faf13edb359f17fc53ce9415f4513a94165708e2970626061aa068efa3f224d401a2c4b0c7bb0044d4df09325a867cca

Filesize: 2.6MB
MD5: 4f3fd7970df59ce9914903829e83a7bc
SHA1: 7725d9bf00bb80c5e8885e70d5b37bcb182478a4
SHA256: 30763c9a1e8ead3d04ffb2b2880c6ec8e3409fd0c7647148472369afb535f2df
SHA512: db0d0d90ea347c06a8cedee62a3627529b2da1402b9d3ae19def6a82852f1cce4bc4c43a189eeef92a8ddb0c59f1ee7c9dec228f77e3e174c6d0559ef56ee5b7

Filesize: 2.6MB
MD5: e913180edd070e473406dbb8fe884be0
SHA1: a6ff350f7aebfea851b7107f87c4ab74f9d4eb1d
SHA256: 27a6405f50f9d82ad5fa873ed0feb79f0bc2cca02823768596793992f37963b9
SHA512: 17372db9b72a38beaac15c8dd9f9ff4704195ce1ff86eb24d1b489c121d4c4bb1235fc57d15c8ef55c127031ec0419f0bc890232ad28679c2870bb0d15367f50

Filesize: 167B
MD5: 3270e4295a4849f3b480a79f0d72de87
SHA1: a44e7e0a448e71290ab888958e7a5f261841e128
SHA256: 63694d73739f549bf123d27bdfb735ff24dd49a66275c032883b809110102379
SHA512: fe672691957fc51c949ebc43d77c787fa42f5a5a3c800f84337ec7fa3dae47a0aefd093d7b6dccc04410d9df3370faba7d27076ba63b4feab7d9fa871a810a56

Filesize: 199B
MD5: 8cc4a4fefbb5813737f2023bb3d7629e
SHA1: 4467cd95d21badbea58b7ab8ed24c2048373a9f5
SHA256: e6ec685e546fe09bfec690358a2d280d6f750aebb9e6b1faa65e39ce77533bfe
SHA512: 5ca98ecdbed8f3335e35b5a11ac81a918123f1a98b3e342e4d3af3d33bbabbb2f4a23c6f7c28e16c364d711624f633c5ee862b512091a74776516dbf3763a2dd

Filesize: 2.6MB
MD5: 884258164a96dd50fcaee578b8b8cb66
SHA1: d3f166f55c6341b10dceed7308c87c756ee82cc3
SHA256: 96ccf2a9fae99b4c00a5a8b0adbc41dfbf8089de278a6ede5da8e26293c66172
SHA512: b4ea22cc0a9a7ac34ebb47b466c08d9c5f357d2c65c604529d4dc02b0d6350eef7c2531987cd4febe9c90a6980c0a69c81e2b3e497ded4202d4626cbf5b17781