d44d183781f753d973f2bd2e1e1381782633e2ec157d374d7c0df5f8fe066b05

General

Target

d44d183781f753d973f2bd2e1e1381782633e2ec157d374d7c0df5f8fe066b05.exe
Size

2.6MB
MD5

0db808db5acf774f3e0253190abaec15
SHA1

1c6ff4855bae0e09031680a0ed9f5fe13aa92de1
SHA256

d44d183781f753d973f2bd2e1e1381782633e2ec157d374d7c0df5f8fe066b05
SHA512

5f0256ee1ce75d1a33f9dd13b038d24450f37e31c365b1d392b866106658faa1fa2f9e39f04a6b0659a7a84ad428ffecd81e1436dae149c19d79abbe10993c08
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBuB/bS:sxX7QnxrloE5dpUp5b

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

d44d183781f753d973f2bd2e1e1381782633e2ec157d374d7c0df5f8fe066b05.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe	d44d183781f753d973f2bd2e1e1381782633e2ec157d374d7c0df5f8fe066b05.exe

Executes dropped EXE 2 IoCs

Processes:

ecdevopti.exexoptiloc.exe

pid process

2856 ecdevopti.exe
100 xoptiloc.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2856	ecdevopti.exe
100	xoptiloc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

d44d183781f753d973f2bd2e1e1381782633e2ec157d374d7c0df5f8fe066b05.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesJX\\xoptiloc.exe"	d44d183781f753d973f2bd2e1e1381782633e2ec157d374d7c0df5f8fe066b05.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZJB\\dobaloc.exe"	d44d183781f753d973f2bd2e1e1381782633e2ec157d374d7c0df5f8fe066b05.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

d44d183781f753d973f2bd2e1e1381782633e2ec157d374d7c0df5f8fe066b05.exeecdevopti.exexoptiloc.exe

pid	process
2256	d44d183781f753d973f2bd2e1e1381782633e2ec157d374d7c0df5f8fe066b05.exe
2256	d44d183781f753d973f2bd2e1e1381782633e2ec157d374d7c0df5f8fe066b05.exe
2256	d44d183781f753d973f2bd2e1e1381782633e2ec157d374d7c0df5f8fe066b05.exe
2256	d44d183781f753d973f2bd2e1e1381782633e2ec157d374d7c0df5f8fe066b05.exe
2856	ecdevopti.exe
2856	ecdevopti.exe
100	xoptiloc.exe
100	xoptiloc.exe
2856	ecdevopti.exe
2856	ecdevopti.exe
100	xoptiloc.exe
100	xoptiloc.exe
2856	ecdevopti.exe
2856	ecdevopti.exe
100	xoptiloc.exe
100	xoptiloc.exe
2856	ecdevopti.exe
2856	ecdevopti.exe
100	xoptiloc.exe
100	xoptiloc.exe
2856	ecdevopti.exe
2856	ecdevopti.exe
100	xoptiloc.exe
100	xoptiloc.exe
2856	ecdevopti.exe
2856	ecdevopti.exe
100	xoptiloc.exe
100	xoptiloc.exe
2856	ecdevopti.exe
2856	ecdevopti.exe
100	xoptiloc.exe
100	xoptiloc.exe
2856	ecdevopti.exe
2856	ecdevopti.exe
100	xoptiloc.exe
100	xoptiloc.exe
2856	ecdevopti.exe
2856	ecdevopti.exe
100	xoptiloc.exe
100	xoptiloc.exe
2856	ecdevopti.exe
2856	ecdevopti.exe
100	xoptiloc.exe
100	xoptiloc.exe
2856	ecdevopti.exe
2856	ecdevopti.exe
100	xoptiloc.exe
100	xoptiloc.exe
2856	ecdevopti.exe
2856	ecdevopti.exe
100	xoptiloc.exe
100	xoptiloc.exe
2856	ecdevopti.exe
2856	ecdevopti.exe
100	xoptiloc.exe
100	xoptiloc.exe
2856	ecdevopti.exe
2856	ecdevopti.exe
100	xoptiloc.exe
100	xoptiloc.exe
2856	ecdevopti.exe
2856	ecdevopti.exe
100	xoptiloc.exe
100	xoptiloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

d44d183781f753d973f2bd2e1e1381782633e2ec157d374d7c0df5f8fe066b05.exe

description	pid	process	target process
PID 2256 wrote to memory of 2856	2256	d44d183781f753d973f2bd2e1e1381782633e2ec157d374d7c0df5f8fe066b05.exe	ecdevopti.exe
PID 2256 wrote to memory of 2856	2256	d44d183781f753d973f2bd2e1e1381782633e2ec157d374d7c0df5f8fe066b05.exe	ecdevopti.exe
PID 2256 wrote to memory of 2856	2256	d44d183781f753d973f2bd2e1e1381782633e2ec157d374d7c0df5f8fe066b05.exe	ecdevopti.exe
PID 2256 wrote to memory of 100	2256	d44d183781f753d973f2bd2e1e1381782633e2ec157d374d7c0df5f8fe066b05.exe	xoptiloc.exe
PID 2256 wrote to memory of 100	2256	d44d183781f753d973f2bd2e1e1381782633e2ec157d374d7c0df5f8fe066b05.exe	xoptiloc.exe
PID 2256 wrote to memory of 100	2256	d44d183781f753d973f2bd2e1e1381782633e2ec157d374d7c0df5f8fe066b05.exe	xoptiloc.exe

C:\Users\Admin\AppData\Local\Temp\d44d183781f753d973f2bd2e1e1381782633e2ec157d374d7c0df5f8fe066b05.exe
"C:\Users\Admin\AppData\Local\Temp\d44d183781f753d973f2bd2e1e1381782633e2ec157d374d7c0df5f8fe066b05.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2256

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2856

C:\FilesJX\xoptiloc.exe
C:\FilesJX\xoptiloc.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:100

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesJX\xoptiloc.exe
Filesize
2.6MB

MD5
baaf357d8903307b222d2286122a6dce

SHA1
73974cd9093d034482dd5716734eda92af09c60b

SHA256
0f19a704b19536bf82dc8d2084080ee929cd08fa92d1fdf6ef807cc688544c53

SHA512
77002e504f1420e6c4ddc76abc5f67e9a55a0f5b587414e2af013aea7d543c330743abea849bb8c5cce5ca11933cce3a45c9fe22a776720dae67f24f016802bb

Download Submit
C:\LabZJB\dobaloc.exe
Filesize
2.6MB

MD5
1606bad0fb8735b3e7bbbaeedabdef8c

SHA1
00d4f7c00f8c09e2cc86cffab828e7c25078d6f6

SHA256
4b1cd7f23ef6a1871a9f1f2ac2cbb1f64609d55fecddeb3a90f53d71b360118f

SHA512
c31b3e31377ee51ed4f6e9ce1d78271607bc6229a07d3ac61796a898288ff87367ae9f7b15a884e936695fbe820db676e6cbf79be1b87a5253182f3adfad4bc1

Download Submit
C:\LabZJB\dobaloc.exe
Filesize
2.6MB

MD5
7b435ea526edae5dbe3f7b32302ccfc2

SHA1
cb70cf26847afe1d43965968c37afb1b89d6e4bb

SHA256
a7bfd83368bf3af4944cc5361034c1bc2cae3dc8f8e6190da4448992063bd318

SHA512
18de19a8bbcbffbf5834ca03b69437f2177cd4ad48c532e0b5bae75399f4664bf58dd2ad32b7b2508889037ddeb798638c7556cb89dd3469d76370bd10b4e944

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini
Filesize
203B

MD5
362d2515187ba3f14a8dd29779594034

SHA1
fad32a316a4c092cb39bc87d398ade2f5b0ea59b

SHA256
ae99103681a89d04cf1f38a07554eb952c81bd92369429a8d59073e107a60b24

SHA512
40633b0737e9be57a2284756bee0cbc49f869f83e427fedb83d316d5a3389467f46a16788e18430c8fcc844108f9d915393f8cafe419da546045606c87469e44

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini
Filesize
171B

MD5
6bd983e1f18e0a6ed6d3c7f00ca36016

SHA1
e8a163110f140cfb1b58c06a0166e7e9d47e37bd

SHA256
e1cdce6943c714eaf513e4154d2dd9aa0c2e57fbf5c16471178fa76222918acb

SHA512
c73eea4d82943f1e03870fce7987d8d0c74a81a9cbe5846c3bbf6f3acf93be1f9c35c5f2cea077b279375f4e12507e9e750f0b266e354469ecab0dc5db0f3362

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
Filesize
2.6MB

MD5
8fd1bcae84fa0e01d7c67b3d113c9f42

SHA1
b7e1e0eaed0488a607e1ff8caffb9a728b255d8a

SHA256
93787505571613c79592d218fb4990cabaf3dadf0de202abe70e639722269de2

SHA512
b996784a8006b8b46620aa9b0a5ae58e734c3a85f27693a865452f929528840d0d14298d8198ad5a5a8fc25d09986438d0d55e848b99a69af6e726f1650aade5

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads