Analysis

  • max time kernel
    120s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-11-2024 13:49

General

  • Target
    04182781c7e3e25d7d7476f6a47b46c00bf89c2d498434a87f5de8d39d75ae96.exe
  • Size
    2.6MB
  • MD5
    5961d71e56aff2077db69081b8c39790
  • SHA1
    72ea7877fb7c7d8ce6ddfbeb6b069db882b6371e
  • SHA256
    04182781c7e3e25d7d7476f6a47b46c00bf89c2d498434a87f5de8d39d75ae96
  • SHA512
    409b08609094b4522e1bf8ec98b153f2e760a0094413745b54a40b09f632d9a4050467f5748547d79b6d8a8bdec1d32ffc3dd99da7fb2620e36988867d658a8b
  • SSDEEP
    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBqB/bSi:sxX7QnxrloE5dpUpZbF

Malware Config

Signatures

  • Drops startup file (1 IoCs)
  • Executes dropped EXE (2 IoCs)
  • Reads user/profile data of web browsers (3 TTPs)

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\04182781c7e3e25d7d7476f6a47b46c00bf89c2d498434a87f5de8d39d75ae96.exe
    "C:\Users\Admin\AppData\Local\Temp\04182781c7e3e25d7d7476f6a47b46c00bf89c2d498434a87f5de8d39d75ae96.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:436
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3304
    • C:\FilesCJ\xoptiloc.exe
      C:\FilesCJ\xoptiloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3012

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\FilesCJ\xoptiloc.exe
    Filesize: 2.6MB
    MD5: cd38ea1425038fb4a83295e22068627f
    SHA1: c8ada64f61bbc8109a200c402bcf2ae904d1afa9
    SHA256: 0379adcbe3ec8c50c84781d6b9a23b7d41abcce66142788f269f51adfb5f76e5
    SHA512: bd00206c4f9f815c18f312c189dcaf1eb3dc5aa31a3c4fd580030bcfa40c9941224b7620e278b1cb983b4bbb55a79280c63f97ef1dd0deffa6b4f51be8482442

  • C:\MintUD\optiaec.exe
    Filesize: 2.6MB
    MD5: 19e188be67d20cc28e25fbf358eb206e
    SHA1: a2ac27bbd71aed8ca528bddd266cfdbdd7d30b25
    SHA256: 0e64784bfca21e66ddc21a753f9f5d5e078adaf3969892b7b6c12dd0280719f7
    SHA512: c3518eb111453bbca6491e46b6f54e415a9ea319a0af7bf79513545173505d4b3470a544017437c3a43bf8e5dea7cd597c7d97a2d9d46eb31de3631185033aca

  • C:\MintUD\optiaec.exe
    Filesize: 2.6MB
    MD5: cb4089b36c9a32dc5ba4b0ac72b14f64
    SHA1: 51d577671c09042ccf27bff1ca9ef8ac13333ec2
    SHA256: 37f6dcb1771ce9f40e48ee83e3e1246ff946aa5f4f2d99ae5908810d661862f5
    SHA512: bd32229f8bf03d4fbb5b8be58fbaeba120ce6a06cfb59953526dbdff7673330e7c79f6ae909e34096cd63f065193b3670815b8759a5b00d96be0d9c5cf3e5963

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 200B
    MD5: 8f1748ff3cae61593467212356bc1610
    SHA1: a40e46831839ebc87b58e00d063103b76223b7ee
    SHA256: 7d8997ddb4a0b3e44d24217d4d5cd6df092fc6401b4169b4b3c4bba3e92daee0
    SHA512: f026183f303d29f7b45993c9a9167f8ca7349e21197bbedefd0cc913517c2cdc1cc90298698f89865970114dc37d14b5b92408505c4ad5d3c7e1308664433c5d

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 168B
    MD5: 63db966d4e80a7e95d88748185d0e591
    SHA1: f081de391d73530187ca2c59dd9cdca7cae9d2b8
    SHA256: 9b7b5f1fc32ad998d4c8a02638e1b1c2bf8244167cabb0cedddb540f60d02fe5
    SHA512: 5b7950c410d76c11c90c9752d77732f80b30e2616caf55b8fd1a56ecef33b1524e3aa9db7e04d16f2551568b63ab1bb63dcc97f99c6e7c5da6aed9c485d6affb

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
    Filesize: 2.6MB
    MD5: 906ca7fc9e6ab036b73f04e0f181c471
    SHA1: a00147087799bfd674a0d58b09313f9f719757c3
    SHA256: b39277964262f9cad8ddd384dce50241eb366db4fe897de8f1d71b7c000c53da
    SHA512: eb8527e59cd3c45017479a6480a9101ea77917f770e9135b79c121674d8a6e86e52540b20d5ed4c13a074c0a4777d685d99ef5ad192f16b7ff10897a7cdfe0eb