Analysis
max time kernel: 120s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-11-2024 13:49
Static task: static1
Behavioral task: behavioral1
  Sample: 04182781c7e3e25d7d7476f6a47b46c00bf89c2d498434a87f5de8d39d75ae96.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 04182781c7e3e25d7d7476f6a47b46c00bf89c2d498434a87f5de8d39d75ae96.exe
  Resource: win10v2004-20241007-en
General
Target: 04182781c7e3e25d7d7476f6a47b46c00bf89c2d498434a87f5de8d39d75ae96.exe
Size: 2.6MB
MD5: 5961d71e56aff2077db69081b8c39790
SHA1: 72ea7877fb7c7d8ce6ddfbeb6b069db882b6371e
SHA256: 04182781c7e3e25d7d7476f6a47b46c00bf89c2d498434a87f5de8d39d75ae96
SHA512: 409b08609094b4522e1bf8ec98b153f2e760a0094413745b54a40b09f632d9a4050467f5748547d79b6d8a8bdec1d32ffc3dd99da7fb2620e36988867d658a8b
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBqB/bSi:sxX7QnxrloE5dpUpZbF
Malware Config
Signatures
-
Drops startup file 1 IoCs
Processes: 04182781c7e3e25d7d7476f6a47b46c00bf89c2d498434a87f5de8d39d75ae96.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe (by 04182781c7e3e25d7d7476f6a47b46c00bf89c2d498434a87f5de8d39d75ae96.exe)
-
Executes dropped EXE 2 IoCs
Processes: ecxbod.exe, xoptiloc.exe
  PID 3304: ecxbod.exe
  PID 3012: xoptiloc.exe
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: 04182781c7e3e25d7d7476f6a47b46c00bf89c2d498434a87f5de8d39d75ae96.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesCJ\\xoptiloc.exe" (by 04182781c7e3e25d7d7476f6a47b46c00bf89c2d498434a87f5de8d39d75ae96.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintUD\\optiaec.exe" (by 04182781c7e3e25d7d7476f6a47b46c00bf89c2d498434a87f5de8d39d75ae96.exe)
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: 04182781c7e3e25d7d7476f6a47b46c00bf89c2d498434a87f5de8d39d75ae96.exe, ecxbod.exe, xoptiloc.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (by 04182781c7e3e25d7d7476f6a47b46c00bf89c2d498434a87f5de8d39d75ae96.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (by ecxbod.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (by xoptiloc.exe)
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: 04182781c7e3e25d7d7476f6a47b46c00bf89c2d498434a87f5de8d39d75ae96.exe, ecxbod.exe, xoptiloc.exe
  PID 436: 04182781c7e3e25d7d7476f6a47b46c00bf89c2d498434a87f5de8d39d75ae96.exe (4 entries)
  PID 3304: ecxbod.exe (30 entries)
  PID 3012: xoptiloc.exe (30 entries)
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes: 04182781c7e3e25d7d7476f6a47b46c00bf89c2d498434a87f5de8d39d75ae96.exe
  PID 436 wrote to memory of 3304 (04182781c7e3e25d7d7476f6a47b46c00bf89c2d498434a87f5de8d39d75ae96.exe, procid_target 86)
  PID 436 wrote to memory of 3304 (04182781c7e3e25d7d7476f6a47b46c00bf89c2d498434a87f5de8d39d75ae96.exe, procid_target 86)
  PID 436 wrote to memory of 3304 (04182781c7e3e25d7d7476f6a47b46c00bf89c2d498434a87f5de8d39d75ae96.exe, procid_target 86)
  PID 436 wrote to memory of 3012 (04182781c7e3e25d7d7476f6a47b46c00bf89c2d498434a87f5de8d39d75ae96.exe, procid_target 87)
  PID 436 wrote to memory of 3012 (04182781c7e3e25d7d7476f6a47b46c00bf89c2d498434a87f5de8d39d75ae96.exe, procid_target 87)
  PID 436 wrote to memory of 3012 (04182781c7e3e25d7d7476f6a47b46c00bf89c2d498434a87f5de8d39d75ae96.exe, procid_target 87)
Processes
- C:\Users\Admin\AppData\Local\Temp\04182781c7e3e25d7d7476f6a47b46c00bf89c2d498434a87f5de8d39d75ae96.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\04182781c7e3e25d7d7476f6a47b46c00bf89c2d498434a87f5de8d39d75ae96.exe"
  PID: 436
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
    PID: 3304
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\FilesCJ\xoptiloc.exe
    Command line: C:\FilesCJ\xoptiloc.exe
    PID: 3012
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 2.6MB
MD5: cd38ea1425038fb4a83295e22068627f
SHA1: c8ada64f61bbc8109a200c402bcf2ae904d1afa9
SHA256: 0379adcbe3ec8c50c84781d6b9a23b7d41abcce66142788f269f51adfb5f76e5
SHA512: bd00206c4f9f815c18f312c189dcaf1eb3dc5aa31a3c4fd580030bcfa40c9941224b7620e278b1cb983b4bbb55a79280c63f97ef1dd0deffa6b4f51be8482442
-
Filesize: 2.6MB
MD5: 19e188be67d20cc28e25fbf358eb206e
SHA1: a2ac27bbd71aed8ca528bddd266cfdbdd7d30b25
SHA256: 0e64784bfca21e66ddc21a753f9f5d5e078adaf3969892b7b6c12dd0280719f7
SHA512: c3518eb111453bbca6491e46b6f54e415a9ea319a0af7bf79513545173505d4b3470a544017437c3a43bf8e5dea7cd597c7d97a2d9d46eb31de3631185033aca
-
Filesize: 2.6MB
MD5: cb4089b36c9a32dc5ba4b0ac72b14f64
SHA1: 51d577671c09042ccf27bff1ca9ef8ac13333ec2
SHA256: 37f6dcb1771ce9f40e48ee83e3e1246ff946aa5f4f2d99ae5908810d661862f5
SHA512: bd32229f8bf03d4fbb5b8be58fbaeba120ce6a06cfb59953526dbdff7673330e7c79f6ae909e34096cd63f065193b3670815b8759a5b00d96be0d9c5cf3e5963
-
Filesize: 200B
MD5: 8f1748ff3cae61593467212356bc1610
SHA1: a40e46831839ebc87b58e00d063103b76223b7ee
SHA256: 7d8997ddb4a0b3e44d24217d4d5cd6df092fc6401b4169b4b3c4bba3e92daee0
SHA512: f026183f303d29f7b45993c9a9167f8ca7349e21197bbedefd0cc913517c2cdc1cc90298698f89865970114dc37d14b5b92408505c4ad5d3c7e1308664433c5d
-
Filesize: 168B
MD5: 63db966d4e80a7e95d88748185d0e591
SHA1: f081de391d73530187ca2c59dd9cdca7cae9d2b8
SHA256: 9b7b5f1fc32ad998d4c8a02638e1b1c2bf8244167cabb0cedddb540f60d02fe5
SHA512: 5b7950c410d76c11c90c9752d77732f80b30e2616caf55b8fd1a56ecef33b1524e3aa9db7e04d16f2551568b63ab1bb63dcc97f99c6e7c5da6aed9c485d6affb
-
Filesize: 2.6MB
MD5: 906ca7fc9e6ab036b73f04e0f181c471
SHA1: a00147087799bfd674a0d58b09313f9f719757c3
SHA256: b39277964262f9cad8ddd384dce50241eb366db4fe897de8f1d71b7c000c53da
SHA512: eb8527e59cd3c45017479a6480a9101ea77917f770e9135b79c121674d8a6e86e52540b20d5ed4c13a074c0a4777d685d99ef5ad192f16b7ff10897a7cdfe0eb