5c85e074d73ae96f2198e14e880b696f667b56774730e1d6e4f0491fb3334f28

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
30-04-2024 22:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5c85e074d73ae96f2198e14e880b696f667b56774730e1d6e4f0491fb3334f28.exe
Size

3.2MB
MD5

5314b8a97419c02d744f072a9edb524d
SHA1

4e1435d34ada0e3270a4072c088f2bcc5da256d1
SHA256

5c85e074d73ae96f2198e14e880b696f667b56774730e1d6e4f0491fb3334f28
SHA512

4b8106833ea43f46e65b0a2bb22bc98a0a44dee9db06e8e31a0281b32b9fdd80291fca55c391f8e8351ffe9d36b86f9cbc21d26482fbef512ee0906d2a65f4b9
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBiB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpZbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe	5c85e074d73ae96f2198e14e880b696f667b56774730e1d6e4f0491fb3334f28.exe

Executes dropped EXE 2 IoCs

pid	Process
2144	ecaopti.exe
2556	xdobec.exe

Loads dropped DLL 2 IoCs

pid	Process
1720	5c85e074d73ae96f2198e14e880b696f667b56774730e1d6e4f0491fb3334f28.exe
1720	5c85e074d73ae96f2198e14e880b696f667b56774730e1d6e4f0491fb3334f28.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files70\\xdobec.exe"	5c85e074d73ae96f2198e14e880b696f667b56774730e1d6e4f0491fb3334f28.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ3P\\optiaec.exe"	5c85e074d73ae96f2198e14e880b696f667b56774730e1d6e4f0491fb3334f28.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1720	5c85e074d73ae96f2198e14e880b696f667b56774730e1d6e4f0491fb3334f28.exe
1720	5c85e074d73ae96f2198e14e880b696f667b56774730e1d6e4f0491fb3334f28.exe
2144	ecaopti.exe
2556	xdobec.exe
2144	ecaopti.exe
2556	xdobec.exe
2144	ecaopti.exe
2556	xdobec.exe
2144	ecaopti.exe
2556	xdobec.exe
2144	ecaopti.exe
2556	xdobec.exe
2144	ecaopti.exe
2556	xdobec.exe
2144	ecaopti.exe
2556	xdobec.exe
2144	ecaopti.exe
2556	xdobec.exe
2144	ecaopti.exe
2556	xdobec.exe
2144	ecaopti.exe
2556	xdobec.exe
2144	ecaopti.exe
2556	xdobec.exe
2144	ecaopti.exe
2556	xdobec.exe
2144	ecaopti.exe
2556	xdobec.exe
2144	ecaopti.exe
2556	xdobec.exe
2144	ecaopti.exe
2556	xdobec.exe
2144	ecaopti.exe
2556	xdobec.exe
2144	ecaopti.exe
2556	xdobec.exe
2144	ecaopti.exe
2556	xdobec.exe
2144	ecaopti.exe
2556	xdobec.exe
2144	ecaopti.exe
2556	xdobec.exe
2144	ecaopti.exe
2556	xdobec.exe
2144	ecaopti.exe
2556	xdobec.exe
2144	ecaopti.exe
2556	xdobec.exe
2144	ecaopti.exe
2556	xdobec.exe
2144	ecaopti.exe
2556	xdobec.exe
2144	ecaopti.exe
2556	xdobec.exe
2144	ecaopti.exe
2556	xdobec.exe
2144	ecaopti.exe
2556	xdobec.exe
2144	ecaopti.exe
2556	xdobec.exe
2144	ecaopti.exe
2556	xdobec.exe
2144	ecaopti.exe
2556	xdobec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 2144	1720	5c85e074d73ae96f2198e14e880b696f667b56774730e1d6e4f0491fb3334f28.exe	28
PID 1720 wrote to memory of 2144	1720	5c85e074d73ae96f2198e14e880b696f667b56774730e1d6e4f0491fb3334f28.exe	28
PID 1720 wrote to memory of 2144	1720	5c85e074d73ae96f2198e14e880b696f667b56774730e1d6e4f0491fb3334f28.exe	28
PID 1720 wrote to memory of 2144	1720	5c85e074d73ae96f2198e14e880b696f667b56774730e1d6e4f0491fb3334f28.exe	28
PID 1720 wrote to memory of 2556	1720	5c85e074d73ae96f2198e14e880b696f667b56774730e1d6e4f0491fb3334f28.exe	29
PID 1720 wrote to memory of 2556	1720	5c85e074d73ae96f2198e14e880b696f667b56774730e1d6e4f0491fb3334f28.exe	29
PID 1720 wrote to memory of 2556	1720	5c85e074d73ae96f2198e14e880b696f667b56774730e1d6e4f0491fb3334f28.exe	29
PID 1720 wrote to memory of 2556	1720	5c85e074d73ae96f2198e14e880b696f667b56774730e1d6e4f0491fb3334f28.exe	29

C:\Users\Admin\AppData\Local\Temp\5c85e074d73ae96f2198e14e880b696f667b56774730e1d6e4f0491fb3334f28.exe
"C:\Users\Admin\AppData\Local\Temp\5c85e074d73ae96f2198e14e880b696f667b56774730e1d6e4f0491fb3334f28.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2144
- C:\Files70\xdobec.exe
  C:\Files70\xdobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Files70\xdobec.exe

Filesize
3.2MB

MD5
36a21fa89f44c3094d38891e1c6f8991

SHA1
c6499fcaa531262b92f3cdae7244257a63eb7c77

SHA256
a23b8869f328967d536ce9f8e1b5873cd7ef7d973ce8f987586072c6ffbef162

SHA512
6076ce41edf6a7b511b39736fe78994ec2bee2cf8c5d51c4abd76cfad48d5249090344a2cc9e52394caedefe2336b13b403b8f830c4abc81e76a7593d0b2b1e7

Download Submit
C:\LabZ3P\optiaec.exe

Filesize
2.0MB

MD5
2456e825ceeedb20f71206165d49e947

SHA1
890f9632fef2a6bf43a9dfd735746c09de658961

SHA256
bed445e013cfb98c10918a7d597b299d1361eedd9c130606df15e64bf7cc7606

SHA512
970e403d499e2e6ce89292e5e79ed790e0a90bd1db7ff84e7bb8662441954b77395552a9eff23069355d32fb3163ba55b4761c48c45bc8f4ad37465dad63e20e

Download Submit
C:\LabZ3P\optiaec.exe

Filesize
474KB

MD5
df048d9db6aa48b9879f99e6fb4f1552

SHA1
17967ffc43b2f69045161954fb7ca18ae0395aad

SHA256
53b420d22ea9f01a959086ff33ec23ab676e226e636443b7515b24846cb56c79

SHA512
60780e36aba568abb3f2464402ac102e46ae4b1052207bd7693f8a646f9d6cf7c298135268d3a352800c0fee0d0287eabed6962fe3a8752238afe058c806f761

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
167B

MD5
80d62c58a6a57930d3fd0aeb89675167

SHA1
70f29673260f11628320dc38dbf7e3c9c009d4ab

SHA256
011523af2aac817de865c009d3f29b4fe62379599106df7d00af1d7ceb1e6b04

SHA512
51c04598025b0cffeee14a144ec3147fb3830bc708811548309e6277ac27058615936f197de7ab639c6567694b4e793393c51a342ff52e1952b174fc32ebc268

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
199B

MD5
53ab7d989c0049c7ea9e55573f2bfefe

SHA1
ec5aaa8512f22a309f1e4dd4bcf34b4401dc131e

SHA256
d5fc169d757f659bb89b26f8cd360912714ee7f45ef95cbceeef7dcd41de0e10

SHA512
f2d03628bdd3d4b28b8b91704c3c78d3b4a34fa3bf60bdc0f4322648f5fd5c77898b73bf5a77ec08e554776c0fade1e020e96020915633c7fc206df2b177e09e

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe

Filesize
3.2MB

MD5
1263f3dfa516d70e62b48ab974b1d0e6

SHA1
b69654e854f4f6b4da8c5a2d7fd00896b805588e

SHA256
46c348a63e45f7e6257ae862cdb0543afc3616c06a1c98d0773f57adbfd68a03

SHA512
e48097668f46deaa3b69265ff4e652efdd4da965569cc2983fef9fee70be5ad02bc7deb6393ceea9272dfe6dbbbb84f099119de22fb75f5c680201a5029db08b

Download Submit