d4d3e1c379feab2bad3baf54966fec8100bcc12d80df990a777418859121569a

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19/03/2024, 09:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d4d3e1c379feab2bad3baf54966fec8100bcc12d80df990a777418859121569a.exe
Size

3.6MB
MD5

29d788614176c36167d75bc7d2cddc46
SHA1

b74df108a16ee27f9f59f2c9c2b0186ff0341b15
SHA256

d4d3e1c379feab2bad3baf54966fec8100bcc12d80df990a777418859121569a
SHA512

7fb350077c5e6951c6e38785616851c49e3f9e6b1bedd0b36d8dabeabfa0165f12893a7ffd8e7e83c1814968ee3b3ecd0e0de2c546a8bb153f0aeee78438c7f9
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBDB/bSqz8:sxX7QnxrloE5dpUp4bVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe	d4d3e1c379feab2bad3baf54966fec8100bcc12d80df990a777418859121569a.exe

Executes dropped EXE 2 IoCs

pid	Process
2080	ecaopti.exe
1572	xbodloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe1Z\\xbodloc.exe"	d4d3e1c379feab2bad3baf54966fec8100bcc12d80df990a777418859121569a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ6U\\bodxec.exe"	d4d3e1c379feab2bad3baf54966fec8100bcc12d80df990a777418859121569a.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4512	d4d3e1c379feab2bad3baf54966fec8100bcc12d80df990a777418859121569a.exe
4512	d4d3e1c379feab2bad3baf54966fec8100bcc12d80df990a777418859121569a.exe
4512	d4d3e1c379feab2bad3baf54966fec8100bcc12d80df990a777418859121569a.exe
4512	d4d3e1c379feab2bad3baf54966fec8100bcc12d80df990a777418859121569a.exe
2080	ecaopti.exe
2080	ecaopti.exe
1572	xbodloc.exe
1572	xbodloc.exe
2080	ecaopti.exe
2080	ecaopti.exe
1572	xbodloc.exe
1572	xbodloc.exe
2080	ecaopti.exe
2080	ecaopti.exe
1572	xbodloc.exe
1572	xbodloc.exe
2080	ecaopti.exe
2080	ecaopti.exe
1572	xbodloc.exe
1572	xbodloc.exe
2080	ecaopti.exe
2080	ecaopti.exe
1572	xbodloc.exe
1572	xbodloc.exe
2080	ecaopti.exe
2080	ecaopti.exe
1572	xbodloc.exe
1572	xbodloc.exe
2080	ecaopti.exe
2080	ecaopti.exe
1572	xbodloc.exe
1572	xbodloc.exe
2080	ecaopti.exe
2080	ecaopti.exe
1572	xbodloc.exe
1572	xbodloc.exe
2080	ecaopti.exe
2080	ecaopti.exe
1572	xbodloc.exe
1572	xbodloc.exe
2080	ecaopti.exe
2080	ecaopti.exe
1572	xbodloc.exe
1572	xbodloc.exe
2080	ecaopti.exe
2080	ecaopti.exe
1572	xbodloc.exe
1572	xbodloc.exe
2080	ecaopti.exe
2080	ecaopti.exe
1572	xbodloc.exe
1572	xbodloc.exe
2080	ecaopti.exe
2080	ecaopti.exe
1572	xbodloc.exe
1572	xbodloc.exe
2080	ecaopti.exe
2080	ecaopti.exe
1572	xbodloc.exe
1572	xbodloc.exe
2080	ecaopti.exe
2080	ecaopti.exe
1572	xbodloc.exe
1572	xbodloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4512 wrote to memory of 2080	4512	d4d3e1c379feab2bad3baf54966fec8100bcc12d80df990a777418859121569a.exe	93
PID 4512 wrote to memory of 2080	4512	d4d3e1c379feab2bad3baf54966fec8100bcc12d80df990a777418859121569a.exe	93
PID 4512 wrote to memory of 2080	4512	d4d3e1c379feab2bad3baf54966fec8100bcc12d80df990a777418859121569a.exe	93
PID 4512 wrote to memory of 1572	4512	d4d3e1c379feab2bad3baf54966fec8100bcc12d80df990a777418859121569a.exe	94
PID 4512 wrote to memory of 1572	4512	d4d3e1c379feab2bad3baf54966fec8100bcc12d80df990a777418859121569a.exe	94
PID 4512 wrote to memory of 1572	4512	d4d3e1c379feab2bad3baf54966fec8100bcc12d80df990a777418859121569a.exe	94

C:\Users\Admin\AppData\Local\Temp\d4d3e1c379feab2bad3baf54966fec8100bcc12d80df990a777418859121569a.exe
"C:\Users\Admin\AppData\Local\Temp\d4d3e1c379feab2bad3baf54966fec8100bcc12d80df990a777418859121569a.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4512
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2080
- C:\Adobe1Z\xbodloc.exe
  C:\Adobe1Z\xbodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Adobe1Z\xbodloc.exe

Filesize
3.6MB

MD5
e0d78042a594667a80c6d4e86b67796c

SHA1
f806e7b32180442019b82131094d8bd862a487d0

SHA256
d6c9fd9658a92cf725e2970c910c10f29bb9cd89ab4ead92097cf2f5dee54143

SHA512
1b73fc67ceec7135b726b0fc464a8123f7cff9249a982b3effdaf94d4437173b713729b7620153946bfcca14d97a4fce470534ee27316092d411a4ba8508691c

Download Submit
C:\Adobe1Z\xbodloc.exe

Filesize
3.5MB

MD5
c35b756f460df011a94a2b54bd6649ef

SHA1
b9cfda5674b46f7b2e27d9c3fa17478938488eb4

SHA256
f0aada14333ced1db07d6b505856b11fbfae686983e5a2ebd113bf5410f13486

SHA512
61937b5e9920c22dc3c9c6f324a71d6a321d88f9954db18307b92b07f84a7749408b8ed194b82235a98ed3e2306ef1f11bbebec293b5d95b3e9ac7cc93e0faed

Download Submit
C:\LabZ6U\bodxec.exe

Filesize
1.8MB

MD5
40e3bebbad95557acfdd7395a9d391d3

SHA1
44f9facd5be6623f125587c4f3c4b1ba964ae6c6

SHA256
3d20322dd3391e5f56581064070537883f415b2ea070ffbb1043e87e0817dd44

SHA512
70c31c6d6e443f24a7138e891fdec891d0614fc685b28662e4b59d49dcc7630cd33c4c7049c19ce8cc39b97aafe0afad67c7a55d534292064760172356bd3659

Download Submit
C:\LabZ6U\bodxec.exe

Filesize
3.6MB

MD5
74dc2e6a413bed235ba0bd8b5d760e60

SHA1
6f76a3950503c67fcbf597a5e830176957638060

SHA256
bbca48d0c757468907fa518ea45995963532adc7961b665d15e6409b3c01d26c

SHA512
27f9b48ef67de939e67f0d1c58f544a6243420194fd1d7fb46d00186550fac10af07bcbb64126c0d7d5b6665bcb3e58d803cd800bfb9a8ea9c8a79d09977d232

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
199B

MD5
b92601ca795c712c64112a5596354384

SHA1
4b22f889c4c9decd716cb56c8a6ca0b7c236dc56

SHA256
3d9bee3f29e4859230c9306dd4c455b10b841e733625e969d1788a6a44d55725

SHA512
55bd98b50ee1d36994313eab9739924c00e42501a757390f1217f7fa1480d3d8119a8d23bac4b2709eed4fda30763eba6f78a0fe2c1ad2c04d608382d1f44c40

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
167B

MD5
4640a58315219fb9c2a5b602f1cd8285

SHA1
95965472566a37ded0736e0325b35d05d43155b1

SHA256
83e29b6188e1bd7fe4d5d8c430bdd511f8ebd64b65c23ae7fe208550f8c1de7e

SHA512
c79b56a0910acd262936909de38dfe1c6c331347f28d760c6c61157b4aefd9750938a199ac4559fcd29ff04f142983937c169981a855ad02051306196b311a9c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe

Filesize
3.6MB

MD5
4dc42c7fbf0c59e459672c081d25b421

SHA1
bcc373792230c1a8518090b6cbbeedfc8e5bde91

SHA256
f263726fa31c313ced5583bc12ecace70696cd6ff6326f96d3a4a9dfb9f44a62

SHA512
84e16b1559e6176968f2f4180426eed1f01ea3fbf22f8f0056e9bf03a6fd2311a3c528fc0ec9e3fd28f6dc6cf147b2a46d2f8de516d7b8b92988dd8f1ae07370

Download Submit