Analysis

  • max time kernel
    120s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21-11-2024 07:30

General

  • Target

    e8b3f4dddc7b43ee254b3567a60c0a0077fbb31acdd78888a44365fc1deeb2f8.exe

  • Size

    2.6MB

  • MD5

    04d00238e2600955040c93db00a46adb

  • SHA1

    f4335ddedf234a652e8cab234384e622da9d7cd7

  • SHA256

    e8b3f4dddc7b43ee254b3567a60c0a0077fbb31acdd78888a44365fc1deeb2f8

  • SHA512

    a0b5dd9557e893163c4e0aab89be92a33479db4333356bc54a2070bb69bdd0f3e8e61f3dbf3d2ab2513b610f815c2d4851101b42ba9fc547c26717e86b0e0325

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBkB/bSqP:sxX7QnxrloE5dpUp7bVP

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim host in order to infer that host's geographical location.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e8b3f4dddc7b43ee254b3567a60c0a0077fbb31acdd78888a44365fc1deeb2f8.exe
    "C:\Users\Admin\AppData\Local\Temp\e8b3f4dddc7b43ee254b3567a60c0a0077fbb31acdd78888a44365fc1deeb2f8.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:700
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1176
    • C:\SysDrvCC\devoptiec.exe
      C:\SysDrvCC\devoptiec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1372

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Mint8L\bodaec.exe

    Filesize

    2.6MB

    MD5

    822770034a28a812e8a1b105f734f8b9

    SHA1

    b8cdc0cbb7bb4e7ca2d35ae01ff7bcaa53a4821b

    SHA256

    710962217f39da4fbff83f13c3a5ea0e1571297e266a3cd1a8f5dcf17ccd87c2

    SHA512

    b7609c51c1c5b5b0d6eab5fd0fe6c02d9a6d454a9dde8131477102c2578cc5c08053de2f4ce696d87c85a9b1819c3f22c8cc5868f151a2201cd5cb6b84378505

  • C:\Mint8L\bodaec.exe

    Filesize

    510KB

    MD5

    1b98169e9b1a1f77d96aa1f60f5e8d36

    SHA1

    bafe1d3a9925ff5aa296d04dd848db6ea4bf4c61

    SHA256

    2884baa93e3e428c4d20c55d6cb143b3655b0d4eb6be0ad452e25d603883ceb1

    SHA512

    e3a2fd09167b5e09b150a75586b590b5c59e5702e8cb1692ebbb497751563502122d8fa2f0870fc78960ef47982003094a9c92e6e2a18b89793f93664b0e59a1

  • C:\SysDrvCC\devoptiec.exe

    Filesize

    2.6MB

    MD5

    493943c2e0f212a3db50e75dd7561918

    SHA1

    b23244e05f26372559264a3ee916ca6ee2cf000c

    SHA256

    81d4c3489703f5363db1f4895f47d7e5377a2444d46f6df28c96be957bf8d6f8

    SHA512

    347ad720e750fcffa0a27be09f91792f036ac3170f6398a07a0d002bac4a692565b429efd1cf54ba7892638b2c81e9f395fb51bb2b57b79f6ee06e2a4e4c84dd

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    202B

    MD5

    dc24b351410250c47bcb245238db2ef2

    SHA1

    f474dce5b47194129661349b52134dbbc65dd54b

    SHA256

    b3e7c2d9e8065b21b9100f16112dda24b9f96332ed83c8d3381c2f3251d70687

    SHA512

    e4b35f2d060e32f3324b6b9c1fa24bbc78723a2f532d86085cdf1fc458764e0ebd47120c21805a6213888266fef300962636947529f4ea0e1bdcb22501b5926b

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    170B

    MD5

    f4743ed69c2610d628f1c65972f5fd75

    SHA1

    c1c0f7643090432642a45994fca7b34b1f538cde

    SHA256

    af41e46e4ec8b48c51b113c0557dcae755871c3ac31936dcdb42c4db09a95d04

    SHA512

    3d86418c07d5ab01fb205e98e4fbfbeca19f1b7e0a42d6b8f83d8b8971cc2b6c0e2b5d14f4e6b0100ce1d3fa9d21c84da65086f4afe9e99dc272f8a4316b4ca1

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe

    Filesize

    2.6MB

    MD5

    41cde965cacc183d0c3ab46702c1f26f

    SHA1

    916f449f29da0fbf05a4d301800591e963643543

    SHA256

    d0e36934d81d89fa3cab919bc0a2dfce1e1948d0065577e34b9012cae3589687

    SHA512

    e8e204d7fd516b27fd1e41dac5ccdcfed96cafec30b577a1aa0560198c1cd56392e9034e2d7c93f1d5d2377118e057af9b988718569448ad862c6a410ac54ae2