Analysis

  • max time kernel
    119s
  • max time network
    101s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/11/2024, 23:41

General

  • Target

    20e2442f2847b9798e3887d04b14abf130467383614faa3bf6939b44a47dd133.exe

  • Size

    2.6MB

  • MD5

    8598554f88f28f57e507eec02adce7fa

  • SHA1

    258703846b37011b1330d221be6840b41f5543d3

  • SHA256

    20e2442f2847b9798e3887d04b14abf130467383614faa3bf6939b44a47dd133

  • SHA512

    34648e1beeb3f35c1f2d5e9babd20c9773c2ccb735b859270876414bb2f9d76a24231110f4b16a176ac46b90b6f73b781144f1d01783934c1e8b1762267974ff

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBdB/bS9:sxX7QnxrloE5dpUpybo

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\20e2442f2847b9798e3887d04b14abf130467383614faa3bf6939b44a47dd133.exe
    "C:\Users\Admin\AppData\Local\Temp\20e2442f2847b9798e3887d04b14abf130467383614faa3bf6939b44a47dd133.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3736
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4488
    • C:\SysDrv00\xoptiec.exe
      C:\SysDrv00\xoptiec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3228

Network

        Downloads

        • C:\MintT1\bodxloc.exe

          Filesize

          1.5MB

          MD5

          7685aebbee520ee7e6d333efd1ee718c

          SHA1

          799f4a8681ab88297e6aca1b5c46eb36003f7de0

          SHA256

          24c257575fde2a5a550f13c4e1d53865d3090024608211b078a67079d9e0f748

          SHA512

          68be6346390895bfdfb96c8821b3b9a2ed216133d683bdf9297abc271cb2141d2ab7296e282de6af2b51df6de5fd539960b4a755befd1d2217056b97e4f7c99a

        • C:\MintT1\bodxloc.exe

          Filesize

          2.6MB

          MD5

          01fb6eb5631536fd85f69801d41502d0

          SHA1

          7183d620daa4984c9d0c067c907cf8f04c23d4a2

          SHA256

          bf06c64df8a062b96ab1fac60e56bc8b043e0a5f3ded2b80c1f575c5f9003ce1

          SHA512

          1f22cc1ced389d16927224978bc0c156b293a1beac36600ebb58a20faa7c036cfd6fce38d83b94baf92c1e498f93c9cffeaa9484e41d5881daf6efc7545bc6ad

        • C:\SysDrv00\xoptiec.exe

          Filesize

          2.2MB

          MD5

          18bcfbdfb22049e8ef9bbb811f53fbd5

          SHA1

          de4e68aa4a48c82bbb3ec75d8367835ada7c8314

          SHA256

          1f43ff858519767cf0549ec2133cdd376a4dd0d141dbf240f2c54d9f03f151f3

          SHA512

          91b7bf6bccc52ac6962ae9aaee6838386d28cf0b2a774b68681ec5f40acd6672cf8ee68914230cd9e0efd83b0563b6b68143ada6170456772fe22084a012e94c

        • C:\SysDrv00\xoptiec.exe

          Filesize

          2.6MB

          MD5

          63ec74a98bc7c751cdb78170fa9c5e4d

          SHA1

          9dffd8d0dc5a7c565442375b7af4a242b3b19272

          SHA256

          86a50e7790c229b1051cdc9c138b6cfe5d42e6b098c81c84ff7371fd398f9700

          SHA512

          a46cfc51d54902ac1844aa54c1dc13b1d52b13aa7c0a902608037ce05afca1becb6e7c933e92fced39e29f2596e2247999ae7b19251da8135a5124473ba9df0b

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          200B

          MD5

          dae381593b55e76e4142be306b410391

          SHA1

          4f6cc42d9dea2edb7dc816c8c9bd9a361f838fc6

          SHA256

          317950db3b5147bedfa8a83df8357490c81df4a5c46a0cf7d23d88055bf43bd4

          SHA512

          1cee3a824f48f0bd3c313534188476671d28c49b50a8e84fe40dbc9b1c0eb061f124eae7dd0cf1ede1c4c66d68222c6e63dc3613f5ed2383393d664c2117a88f

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          168B

          MD5

          cfe262e905918b197fecda1a1a0bde8c

          SHA1

          87a2aae98e839911f138cb6ee09afb99bea0417d

          SHA256

          7f11e91cb66c6b25d555cb2ed5676b7fe1fd4121518bf37b23f801a28baa01ff

          SHA512

          da5aa6cefc8453470e7d5f5ab4a87aa121baca32904ad6d376729de912aabdebe6edcb15132346fd80d2c3ea3c6cab473a6f01936bb77d120dc8f05916d607c6

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe

          Filesize

          2.6MB

          MD5

          7b87de00ba9f33ec10f61c0f481c69cd

          SHA1

          fe3d7a251abdbd5094a14b9b3e538b2706597a8d

          SHA256

          0ec37a21cc3485b5b2bf0be962cbc10b94adfc314eb82498669448d8359e02bf

          SHA512

          4896af2ea60ba0e5beb74efded5e14fdee806dfae8094cdd3d328eee73059d1356e4418dda5d68554ebe72796b6b45d9f0ba732c9f3df969018cafc40bdeba19