Overview

overview

7

Static

static

3

3e3e5bb4d5...2N.exe

windows7-x64

7

3e3e5bb4d5...2N.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    119s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-11-2024 08:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3e3e5bb4d57f73637517a045c1e380052b70874974a46131f18f5821423bd692N.exe

  • Size

    2.6MB

  • MD5

    f933d125440191af4707a83ee6ccb4b0

  • SHA1

    8c4cf664801f31da6669cc9f6c4956272dc6f6de

  • SHA256

    3e3e5bb4d57f73637517a045c1e380052b70874974a46131f18f5821423bd692

  • SHA512

    bc7eba982c70e7c1f9e3cb735f8f2e3e289353155c1d3b20a7a57cfb27b2a9fcd6c14e8c1196fbf74f284ba370ba0ea63e3f3e909276b6ad4c277075ba2c2812

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBFB/bS:sxX7QnxrloE5dpUp2b

Score
7/10
discoverypersistencespywarestealer

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3e3e5bb4d57f73637517a045c1e380052b70874974a46131f18f5821423bd692N.exe
    "C:\Users\Admin\AppData\Local\Temp\3e3e5bb4d57f73637517a045c1e380052b70874974a46131f18f5821423bd692N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3520
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4568
    • C:\FilesCJ\xoptiloc.exe
      C:\FilesCJ\xoptiloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4792

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\FilesCJ\xoptiloc.exe
    Filesize

    578KB

    MD5

    7441b8e33672eb6a5a89cad617bfd78d

    SHA1

    cbf12e66ed6c48b84ab96277421f84a199c5e223

    SHA256

    c99d80a01d527cecf5e9a01a70725bbb112f80898be59eaf6e2ff3f53c71b767

    SHA512

    f944b381faca2f453cef53663fe34587a8bbbedadb2c0f2523e09b20ce4632f745a1eecbd58fec732e3f4e4c2f4382edc7070f1d884d98db3967edb4683fedff

    Download Submit

  • C:\FilesCJ\xoptiloc.exe
    Filesize

    2.6MB

    MD5

    6757a050b72c4a224a2ffc3d8bc34eda

    SHA1

    a3d81c5475da0cea7c9287e0d76d8121adc9687e

    SHA256

    c0933291438f500eaf92244a3b6e2fda077d33162db20394fad62e8f0ac7efbd

    SHA512

    48c80c558a33f3935fab5e6ac6af0a9b3da2f15294a1ea383b03602a93b3c268da6d6e3da8e97c7d2b67c4a53cef8767180a4e5cccb394a9271dd47dcf237a9f

    Download Submit

  • C:\MintUD\optiaec.exe
    Filesize

    731KB

    MD5

    524be780ba6434aa232446f10cdde1c1

    SHA1

    0a4fbb713a3a64e5e0adbaa9ce3176e7944c752a

    SHA256

    c25e69e4f9a462519199c634d3f7d49f59cb6d5c3b20b2d75d6c136ff6c460d6

    SHA512

    ebb92c77ede99829a274ad1a84b374f3cff497fc9a2ce32e924f4580aa385a3ebd6ddd523f1af89fa584f2424a0ae6d661978f56a62292ddeeb602b5ff3b7ba1

    Download Submit

  • C:\MintUD\optiaec.exe
    Filesize

    2.6MB

    MD5

    d935826abcea169babc0cc4d3094534b

    SHA1

    948c3967e7997e7047c6f7e3624863ae82877f5c

    SHA256

    02ba4a63ebf83c29371dfaa44e83b7c4bf27adb221d900fe12bf9b16c939e316

    SHA512

    956d4e20ac7159b498129782de645882cd19777e8995db075b9d712f7db7358604e0090fb8db302a6f36bb213e727a2dfab75fc2eb2b5268c5340069872afa95

    Download Submit

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize

    200B

    MD5

    8f1748ff3cae61593467212356bc1610

    SHA1

    a40e46831839ebc87b58e00d063103b76223b7ee

    SHA256

    7d8997ddb4a0b3e44d24217d4d5cd6df092fc6401b4169b4b3c4bba3e92daee0

    SHA512

    f026183f303d29f7b45993c9a9167f8ca7349e21197bbedefd0cc913517c2cdc1cc90298698f89865970114dc37d14b5b92408505c4ad5d3c7e1308664433c5d

    Download Submit

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize

    168B

    MD5

    63db966d4e80a7e95d88748185d0e591

    SHA1

    f081de391d73530187ca2c59dd9cdca7cae9d2b8

    SHA256

    9b7b5f1fc32ad998d4c8a02638e1b1c2bf8244167cabb0cedddb540f60d02fe5

    SHA512

    5b7950c410d76c11c90c9752d77732f80b30e2616caf55b8fd1a56ecef33b1524e3aa9db7e04d16f2551568b63ab1bb63dcc97f99c6e7c5da6aed9c485d6affb

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
    Filesize

    2.6MB

    MD5

    a06e06d772dab8f7e481ca9e92f8c982

    SHA1

    82a87804240b864af041ba4c3efafd9561c46315

    SHA256

    4ad3ae997de57ef14ecbd1ada6b7bfaec68ee5c8f5bc3f8b6f20f0a1190ba2fe

    SHA512

    dfeb7b81a249e9851b7651a9e82e0c2232a0d291d5e83afc5c9dad513e9c74bc0b464ff8f0859cfaf895346ad9a6f1ac298c76121f46e20425171f6cd0baf145

    Download Submit