Analysis
- max time kernel: 119s
- max time network: 101s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/11/2024, 23:41
Static task: static1
Behavioral task: behavioral1
- Sample: 20e2442f2847b9798e3887d04b14abf130467383614faa3bf6939b44a47dd133.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 20e2442f2847b9798e3887d04b14abf130467383614faa3bf6939b44a47dd133.exe
- Resource: win10v2004-20241007-en
General
- Target: 20e2442f2847b9798e3887d04b14abf130467383614faa3bf6939b44a47dd133.exe
- Size: 2.6MB
- MD5: 8598554f88f28f57e507eec02adce7fa
- SHA1: 258703846b37011b1330d221be6840b41f5543d3
- SHA256: 20e2442f2847b9798e3887d04b14abf130467383614faa3bf6939b44a47dd133
- SHA512: 34648e1beeb3f35c1f2d5e9babd20c9773c2ccb735b859270876414bb2f9d76a24231110f4b16a176ac46b90b6f73b781144f1d01783934c1e8b1762267974ff
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBdB/bS9:sxX7QnxrloE5dpUpybo
Malware Config
Signatures
- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe (process: 20e2442f2847b9798e3887d04b14abf130467383614faa3bf6939b44a47dd133.exe)
- Executes dropped EXE (2 IoCs)
  PID 4488: ecadob.exe
  PID 3228: xoptiec.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv00\\xoptiec.exe" (process: 20e2442f2847b9798e3887d04b14abf130467383614faa3bf6939b44a47dd133.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintT1\\bodxloc.exe" (process: 20e2442f2847b9798e3887d04b14abf130467383614faa3bf6939b44a47dd133.exe)
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 20e2442f2847b9798e3887d04b14abf130467383614faa3bf6939b44a47dd133.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: ecadob.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: xoptiec.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  All 64 entries are pid/Process pairs for the following three processes:
  PID 3736: 20e2442f2847b9798e3887d04b14abf130467383614faa3bf6939b44a47dd133.exe
  PID 4488: ecadob.exe
  PID 3228: xoptiec.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 3736 wrote to memory of 4488 (process: 20e2442f2847b9798e3887d04b14abf130467383614faa3bf6939b44a47dd133.exe, procid_target: 89)
  PID 3736 wrote to memory of 4488 (process: 20e2442f2847b9798e3887d04b14abf130467383614faa3bf6939b44a47dd133.exe, procid_target: 89)
  PID 3736 wrote to memory of 4488 (process: 20e2442f2847b9798e3887d04b14abf130467383614faa3bf6939b44a47dd133.exe, procid_target: 89)
  PID 3736 wrote to memory of 3228 (process: 20e2442f2847b9798e3887d04b14abf130467383614faa3bf6939b44a47dd133.exe, procid_target: 90)
  PID 3736 wrote to memory of 3228 (process: 20e2442f2847b9798e3887d04b14abf130467383614faa3bf6939b44a47dd133.exe, procid_target: 90)
  PID 3736 wrote to memory of 3228 (process: 20e2442f2847b9798e3887d04b14abf130467383614faa3bf6939b44a47dd133.exe, procid_target: 90)
Processes
- C:\Users\Admin\AppData\Local\Temp\20e2442f2847b9798e3887d04b14abf130467383614faa3bf6939b44a47dd133.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\20e2442f2847b9798e3887d04b14abf130467383614faa3bf6939b44a47dd133.exe"
  PID: 3736
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
    PID: 4488
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\SysDrv00\xoptiec.exe
    Command line: C:\SysDrv00\xoptiec.exe
    PID: 3228
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads