Analysis

  • max time kernel
    119s
  • max time network
    21s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-11-2024 20:10

General

  • Target
    424f7269c6731e321a81ab00fb31b24b66a6ee2ebaf78c6b2cfd294617c9f02d.exe
  • Size
    2.6MB
  • MD5
    b7964b6f0b7d2d2e63446814b957a1e9
  • SHA1
    664f2975d8b21db19df1ea3c9325da2852d7f14b
  • SHA256
    424f7269c6731e321a81ab00fb31b24b66a6ee2ebaf78c6b2cfd294617c9f02d
  • SHA512
    713e89f3c805348f667ced89466ba956422cbe4e0002594583bb103620a185235a18a8bded5ee1d1b95a846e29b0d8229c7623d861700af208b1894e71d9c263
  • SSDEEP
    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBMB/bSq1:sxX7QnxrloE5dpUpfbV1

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\424f7269c6731e321a81ab00fb31b24b66a6ee2ebaf78c6b2cfd294617c9f02d.exe
    "C:\Users\Admin\AppData\Local\Temp\424f7269c6731e321a81ab00fb31b24b66a6ee2ebaf78c6b2cfd294617c9f02d.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2060
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1036
    • C:\UserDot1Q\xoptisys.exe
      C:\UserDot1Q\xoptisys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2256

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\KaVBAD\optixec.exe
    Filesize: 2.6MB
    MD5: e2d32e683d19aa5bc48f0ef289f78fb2
    SHA1: 3e3f7d2b2d553a13bdbbf96590a6950a7e42fbaf
    SHA256: 2923c82aed49ec45fd701ccddbbccc5ef961cd1ed9f188b5e8c87469cd68a265
    SHA512: 3297d65f28abce7704b840928b56cd5eb0045c3207fe78c9f877ac469b6a847b65558430e4b1599c71ed43a165f545ed304fbe3b87c104b049d4291506633983

  • C:\KaVBAD\optixec.exe
    Filesize: 32KB
    MD5: aa404e81fdc4946ac80a30fbf1b10c14
    SHA1: ed71e23df81576b945ef2f6e00f8f5b35f6a533b
    SHA256: 93b7a38f773796c870936ed5977333e42c13a41c33ba790d40d9ee15d294bd79
    SHA512: 3e210cc458293feedc8e52a4502d6a1fa12b5f5987d3bcb5323174b27f832f654224255aed64448d908132cb1173f0557d9a2234ee5e6d9caa220da210ee1ef0

  • C:\UserDot1Q\xoptisys.exe
    Filesize: 2.6MB
    MD5: ab02a8e5957659c7b7627d9657d7f4c7
    SHA1: 474c6da14c211a5dd8677ae3f956a369159c1c78
    SHA256: 607aa8c0a3e0d76f8c7add7371368a7caf1eb63075ab56128a9ff0555aedb221
    SHA512: c7367c39a099663b234b7da179967fe09fb5ecfacacab170ee658570a0b6fef670d98ce0481a217f75444371bfb2b1ef444ac680f479fce45f8bb452b633b9a5

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 170B
    MD5: eae3d9304f30728a392b8f462ad11689
    SHA1: e05b0d20656628648014cd8a5b9ccb8e311fa6f9
    SHA256: 1081a2d6f89f72d77fcd4381ccc36b1196adf8a6074add3ae86d802bc2559ebd
    SHA512: 7dc0ac0b26d7e020519e594bb0b313976ea394510f2ba407253cce5aab786877e32273947f96c2794f53b4f7f6e34068489804226b5a6dda83534906be77f68d

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 202B
    MD5: 89b4850c6546ee34d9b92a669951c5aa
    SHA1: 91a94175ab3baff5e8be5611b6c8381035c0ad74
    SHA256: f5134540c024542e32d8af7ab594a3a455d1ae9c72134860cfd075a1e94cf1eb
    SHA512: 4a1e21a97cfef57272a8427a0f4acd271424927a8de962cdb71425bc68c5c55515822e304d57e18963cbf767cc2cc0630517279f32189800b672c6d6f5751778

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
    Filesize: 2.6MB
    MD5: b0fee6ca163d5c9dd460f93d2590dccd
    SHA1: 66319e74df7229c1d9948ca5e73178b14029abe4
    SHA256: 0e65b2d741e00f295de030998d8e08bc40d4388f3e591b8d28b3a7675b7464b3
    SHA512: 41971aa1cce3ced02e44a3c1036690eb5bfd647d90a1a591cf1228951a80a20148cc469828689c977f8232e41f0b8781c7ecf9963d01e26233ba1c008bc1fec2