8043432d8bce3f9790f99b528b8fc27d2f7d0dd8d4bb02e0ac2aaffbb4fa7de1

General

Target

8043432d8bce3f9790f99b528b8fc27d2f7d0dd8d4bb02e0ac2aaffbb4fa7de1.exe
Size

4.0MB
MD5

4ba714688c93c8d3f0adfcd0eb7fcd1b
SHA1

2e88c41f8d27b1eefed07d2eb3c38a142a2a0d12
SHA256

8043432d8bce3f9790f99b528b8fc27d2f7d0dd8d4bb02e0ac2aaffbb4fa7de1
SHA512

901b6d1611aa2b5d3c265f4da63e4c371c854c9117822bec386488a45fdea9ec7179d5ecf8933ea2bcc29fb3caef3a96bc660801987cbd3db3b476e1bf6dc2d0
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBMB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpHbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

8043432d8bce3f9790f99b528b8fc27d2f7d0dd8d4bb02e0ac2aaffbb4fa7de1.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe	8043432d8bce3f9790f99b528b8fc27d2f7d0dd8d4bb02e0ac2aaffbb4fa7de1.exe

Executes dropped EXE 2 IoCs

Processes:

ecabod.exexoptisys.exe

pid process

4412 ecabod.exe
4876 xoptisys.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
4412	ecabod.exe
4876	xoptisys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

8043432d8bce3f9790f99b528b8fc27d2f7d0dd8d4bb02e0ac2aaffbb4fa7de1.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesHN\\xoptisys.exe"	8043432d8bce3f9790f99b528b8fc27d2f7d0dd8d4bb02e0ac2aaffbb4fa7de1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxEL\\optiaec.exe"	8043432d8bce3f9790f99b528b8fc27d2f7d0dd8d4bb02e0ac2aaffbb4fa7de1.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

8043432d8bce3f9790f99b528b8fc27d2f7d0dd8d4bb02e0ac2aaffbb4fa7de1.exeecabod.exexoptisys.exe

pid	process
544	8043432d8bce3f9790f99b528b8fc27d2f7d0dd8d4bb02e0ac2aaffbb4fa7de1.exe
544	8043432d8bce3f9790f99b528b8fc27d2f7d0dd8d4bb02e0ac2aaffbb4fa7de1.exe
544	8043432d8bce3f9790f99b528b8fc27d2f7d0dd8d4bb02e0ac2aaffbb4fa7de1.exe
544	8043432d8bce3f9790f99b528b8fc27d2f7d0dd8d4bb02e0ac2aaffbb4fa7de1.exe
4412	ecabod.exe
4412	ecabod.exe
4876	xoptisys.exe
4876	xoptisys.exe
4412	ecabod.exe
4412	ecabod.exe
4876	xoptisys.exe
4876	xoptisys.exe
4412	ecabod.exe
4412	ecabod.exe
4876	xoptisys.exe
4876	xoptisys.exe
4412	ecabod.exe
4412	ecabod.exe
4876	xoptisys.exe
4876	xoptisys.exe
4412	ecabod.exe
4412	ecabod.exe
4876	xoptisys.exe
4876	xoptisys.exe
4412	ecabod.exe
4412	ecabod.exe
4876	xoptisys.exe
4876	xoptisys.exe
4412	ecabod.exe
4412	ecabod.exe
4876	xoptisys.exe
4876	xoptisys.exe
4412	ecabod.exe
4412	ecabod.exe
4876	xoptisys.exe
4876	xoptisys.exe
4412	ecabod.exe
4412	ecabod.exe
4876	xoptisys.exe
4876	xoptisys.exe
4412	ecabod.exe
4412	ecabod.exe
4876	xoptisys.exe
4876	xoptisys.exe
4412	ecabod.exe
4412	ecabod.exe
4876	xoptisys.exe
4876	xoptisys.exe
4412	ecabod.exe
4412	ecabod.exe
4876	xoptisys.exe
4876	xoptisys.exe
4412	ecabod.exe
4412	ecabod.exe
4876	xoptisys.exe
4876	xoptisys.exe
4412	ecabod.exe
4412	ecabod.exe
4876	xoptisys.exe
4876	xoptisys.exe
4412	ecabod.exe
4412	ecabod.exe
4876	xoptisys.exe
4876	xoptisys.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

8043432d8bce3f9790f99b528b8fc27d2f7d0dd8d4bb02e0ac2aaffbb4fa7de1.exe

description	pid	process	target process
PID 544 wrote to memory of 4412	544	8043432d8bce3f9790f99b528b8fc27d2f7d0dd8d4bb02e0ac2aaffbb4fa7de1.exe	ecabod.exe
PID 544 wrote to memory of 4412	544	8043432d8bce3f9790f99b528b8fc27d2f7d0dd8d4bb02e0ac2aaffbb4fa7de1.exe	ecabod.exe
PID 544 wrote to memory of 4412	544	8043432d8bce3f9790f99b528b8fc27d2f7d0dd8d4bb02e0ac2aaffbb4fa7de1.exe	ecabod.exe
PID 544 wrote to memory of 4876	544	8043432d8bce3f9790f99b528b8fc27d2f7d0dd8d4bb02e0ac2aaffbb4fa7de1.exe	xoptisys.exe
PID 544 wrote to memory of 4876	544	8043432d8bce3f9790f99b528b8fc27d2f7d0dd8d4bb02e0ac2aaffbb4fa7de1.exe	xoptisys.exe
PID 544 wrote to memory of 4876	544	8043432d8bce3f9790f99b528b8fc27d2f7d0dd8d4bb02e0ac2aaffbb4fa7de1.exe	xoptisys.exe

C:\Users\Admin\AppData\Local\Temp\8043432d8bce3f9790f99b528b8fc27d2f7d0dd8d4bb02e0ac2aaffbb4fa7de1.exe
"C:\Users\Admin\AppData\Local\Temp\8043432d8bce3f9790f99b528b8fc27d2f7d0dd8d4bb02e0ac2aaffbb4fa7de1.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:544

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4412

C:\FilesHN\xoptisys.exe
C:\FilesHN\xoptisys.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesHN\xoptisys.exe

Filesize
4.0MB

MD5
8f0e9e907cf1db60b80a148960a032f8

SHA1
04744b81ff8850baefa2cd2f9efac3f343dd9c95

SHA256
ee9f83726ed17a7cd12a4d60d4faac17e5e9ecb965ec1031985e1de881b2e880

SHA512
e692df5abe22bc6341ac5ed6db6c6c88004a24cd764daa64a31ea6960baa88e82fa2361311b49cfdc4e7a29c3b65edfabb098d05f46ebdf089582aefcd6dc7d0

Download Submit
C:\GalaxEL\optiaec.exe

Filesize
606KB

MD5
e71c3858114a43786ad7ad11b691a5b1

SHA1
b5977de4b7d69be57474bf4aaf8e19f532e879f9

SHA256
803e2421626ba34f7441af2230aae4d25d509ce1eda553817310fb28adb423d3

SHA512
6c6e36d0c179fbb2165c7d01dfbd8f6c9f0a5743d2abcb67c1769b4c95aea1b8c7213853ad74b1ca395a5369dabc048a11ef53bc1d9da96129a8d9dfc017f35f

Download Submit
C:\GalaxEL\optiaec.exe

Filesize
805KB

MD5
3278b4535a3c10b584431657e7398670

SHA1
52e9b4ac62a2c4c2b0fae858979bd91317e7547f

SHA256
bb4761580b83f82ef3aef91ef0bb694423a4af9f051d69ebce9f703cee3fbb66

SHA512
9aa087046426ff7c34f1324fffb1f10482ae4ddde5124ab0a62ae984aabad2a281148d78e12a756b7b872635a4c34f7832c14d720efab316c03badc3029370e5

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
201B

MD5
d522dfcb382a70590855063138450387

SHA1
784de0af540ccc4d61e37eeb58a3665d28338255

SHA256
b3b6612114bb333804de5967dff8fee965fe903fb3ef894120eddaf8b0528a98

SHA512
38ec5ef243508badfb63c9f9b1e15999ca9940224db68fc531c32a87de8cd7785f262acd457e6e6ace5848763a8f3d5a30a279fd564828f8cad40c87b4bba683

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
169B

MD5
6a217c63933f52a90dda14882eaa362e

SHA1
bf7b3623d5a36e206f7ab518cdb2bd5577f71127

SHA256
23521404bf653fa14ffb9b3a36aa02369a4d2f9a2a02cc508e8dc664823177c7

SHA512
40f41b13b33b315243d3531491a258261941c7718cb44c2cd7589666db426881dba81934bb52d520faa1a6e333aed24fda42bb1bc26ed907181f56a49b1a755c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe

Filesize
4.0MB

MD5
7287ed33e3582a02d268d30c635e6cd2

SHA1
e691980b75096747bd7a9fe9c2d09eb2c1ed1af7

SHA256
d2b2788bedb454ff97cc6c31fc9ee21b01655e8ea6032c85086a49d26b7d9af1

SHA512
8480669e8cb38c9ce482933c35bf7c76105d5f9fac1a9c32380957b22e049d66ffae3d53ec5dfde4d7baf850e12d75a86461badf45fe72b58f0b34450958f342

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads