Analysis
max time kernel: 119s
max time network: 51s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-11-2024 14:02
Static task: static1
Behavioral task: behavioral1
  Sample: bc7950afc7ef04ee79e984b8e42ad9609756a517f4db9e0eea2f04c571511de1.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: bc7950afc7ef04ee79e984b8e42ad9609756a517f4db9e0eea2f04c571511de1.exe
  Resource: win10v2004-20241007-en
General
Target: bc7950afc7ef04ee79e984b8e42ad9609756a517f4db9e0eea2f04c571511de1.exe
Size: 2.6MB
MD5: d144622be621aeaf92ef9dde8fc3d0eb
SHA1: 7f743f7e5212d3135774e0ada837b5de463693c9
SHA256: bc7950afc7ef04ee79e984b8e42ad9609756a517f4db9e0eea2f04c571511de1
SHA512: c9a8865b4fe6476e2ffc64fb31dbcb2664c96c5cb423f711d86457b9e1ffcc3f0dfc5b2ca9d13efdd7dfe7cbd9a20f299bd2e1df5b9dd76e00fa00e14057009c
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBNB/bSm:sxX7QnxrloE5dpUpKb3
Malware Config
Signatures
Drops startup file (1 IoC)
  Process: bc7950afc7ef04ee79e984b8e42ad9609756a517f4db9e0eea2f04c571511de1.exe
    File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
Executes dropped EXE (2 IoCs)
  PID 2008: ecxopti.exe
  PID 2424: xoptiec.exe
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar secrets.
Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: bc7950afc7ef04ee79e984b8e42ad9609756a517f4db9e0eea2f04c571511de1.exe
    Set value (str): \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesK5\\xoptiec.exe"
    Set value (str): \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxW7\\dobdevloc.exe"
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by bc7950afc7ef04ee79e984b8e42ad9609756a517f4db9e0eea2f04c571511de1.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by ecxopti.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by xoptiec.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (the report lists these PIDs repeatedly; distinct entries shown):
  PID 3368: bc7950afc7ef04ee79e984b8e42ad9609756a517f4db9e0eea2f04c571511de1.exe
  PID 2008: ecxopti.exe
  PID 2424: xoptiec.exe
Suspicious use of WriteProcessMemory (6 IoCs)
  PID 3368 (bc7950afc7ef04ee79e984b8e42ad9609756a517f4db9e0eea2f04c571511de1.exe) wrote to memory of PID 2008, procid_target 86 (3 entries)
  PID 3368 (bc7950afc7ef04ee79e984b8e42ad9609756a517f4db9e0eea2f04c571511de1.exe) wrote to memory of PID 2424, procid_target 88 (3 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\bc7950afc7ef04ee79e984b8e42ad9609756a517f4db9e0eea2f04c571511de1.exe (PID 3368)
  Command line: "C:\Users\Admin\AppData\Local\Temp\bc7950afc7ef04ee79e984b8e42ad9609756a517f4db9e0eea2f04c571511de1.exe"
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe (PID 2008, child of 3368)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  C:\FilesK5\xoptiec.exe (PID 2424, child of 3368)
    Command line: C:\FilesK5\xoptiec.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2.6MB
  MD5: 02fb20bdd01980c50ecc39ccc3415a21
  SHA1: 21b05d7466b3e146a179e81736d06bd0d10f8788
  SHA256: 20c4aeea203e067d6894a8b48aa635df314aed05008814c963c0217bbd523c1f
  SHA512: 54c642259bad3412d4a50a355d9d065f51b8a0b639625332a1f8ebcb4af3672b36e4c15054e4dbf24447c8dfe3912808e08946a38f6880abe21f605cb1f89f16
Filesize: 2.6MB
  MD5: 8864b0c4fe87f28392653743d81c7396
  SHA1: 480206a18883af03c92a2233acff4a8a03ca9095
  SHA256: 731ee64bba07b75af8ff4c0f3fc74154255b18fdfe4991163d8dd71b3e88d13e
  SHA512: ef12a1fb54fcb363c634f914c7310e73a849385220015f4fb79b487e1ce2b811da94b019e8ce9fd160c36fc0b440de4c83bfa6220aa1bf75dc656390cba14c47
Filesize: 2.6MB
  MD5: f9362c78ba394e10d0e555c66e50f9b6
  SHA1: 1bd0e3a82bbe969666ad46c8a8b3217be691fc11
  SHA256: 275113c4769a2e67bb6e9fafb65c90fa2b5bba52fd6a6f2be85cabeadb14d0c1
  SHA512: ce3aa4f1453f65fe66f38a35ce9cabd093b86e00699d17a6e58e354a2a3f38570b32ec4bacf1d612c553f1a77622148d2d87e283c3c123ab1bc205de92db5582
Filesize: 203B
  MD5: ade1294290373f7ccc21047fe19bd81f
  SHA1: 0b6e49aa89cbed2bf64c6bc6af1261fe5680efe5
  SHA256: 64ad49cb61702173485975b2adc78f8f25d782ad930c6b71be16342d23ec378a
  SHA512: 4d4b4ec67c6ab677723b1d8bcd80c57c0cbc5b604269eaff7a2f7831b9ef93ddc6e47c0f01a2912916ff19b4051b22690f1ce5b9cee3e1eb8a4fe21053525334
Filesize: 171B
  MD5: a96e9fc442e505bcc2aa89346f892f69
  SHA1: 38e564d8d5574b2023f6624ea300519e75d8e37c
  SHA256: 6ec52caf8872b79974f52a6e3cc4fa954c2b69ab7d3465a77c3b236da23119fc
  SHA512: 6223214883efd27ebba73769e10410849b941d87fe38832a97d32a0a330dc32bf529dd765f1b0f20609981877655ac6baa16399e5781d15e1cc1a1b638199bd4
Filesize: 2.6MB
  MD5: f29d4caebf09bf45b1a1f9f1e262d359
  SHA1: d71b9317a448e85bffd61810060171341e096957
  SHA256: 1bf87b5937e2e3e0b154a642d57ad9f2e1a97050fddc6e06fbd106f6a9e4bd83
  SHA512: e2ffcc9229e00f3a5fdbcd5ff6a889b95d8ebf6ad9827f32184060919428731974a994ab3e3ca79878b51c314bbbdff23bda8fbabd59a9cb39ed43a7d9057e0d