097718f7ff2320b18a2edc099abef72110d26c27a66e180c9c6d581c43e5dbd5

General

Target

097718f7ff2320b18a2edc099abef72110d26c27a66e180c9c6d581c43e5dbd5.exe
Size

3.6MB
MD5

4f86b6f135c82a8aec3bfad4551c9b93
SHA1

a1b9f711fd8309a2755ddaaaa4f832d5d5d534d1
SHA256

097718f7ff2320b18a2edc099abef72110d26c27a66e180c9c6d581c43e5dbd5
SHA512

0cc7fed23d743c903f1b0c7312e82e4c6fd5795cafb01b7ea520b21503099bec747f8ca5540e12453bf0692d88b60ee6696c060e3870752737ec63ee09dcd275
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBkB/bSqz8:sxX7QnxrloE5dpUpzbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

097718f7ff2320b18a2edc099abef72110d26c27a66e180c9c6d581c43e5dbd5.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe	097718f7ff2320b18a2edc099abef72110d26c27a66e180c9c6d581c43e5dbd5.exe

Executes dropped EXE 2 IoCs

Processes:

ecaopti.exedevbodsys.exe

pid process

2036 ecaopti.exe
4604 devbodsys.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2036	ecaopti.exe
4604	devbodsys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

097718f7ff2320b18a2edc099abef72110d26c27a66e180c9c6d581c43e5dbd5.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files83\\devbodsys.exe"	097718f7ff2320b18a2edc099abef72110d26c27a66e180c9c6d581c43e5dbd5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidUI\\optixec.exe"	097718f7ff2320b18a2edc099abef72110d26c27a66e180c9c6d581c43e5dbd5.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

097718f7ff2320b18a2edc099abef72110d26c27a66e180c9c6d581c43e5dbd5.exeecaopti.exedevbodsys.exe

pid	process
4500	097718f7ff2320b18a2edc099abef72110d26c27a66e180c9c6d581c43e5dbd5.exe
4500	097718f7ff2320b18a2edc099abef72110d26c27a66e180c9c6d581c43e5dbd5.exe
4500	097718f7ff2320b18a2edc099abef72110d26c27a66e180c9c6d581c43e5dbd5.exe
4500	097718f7ff2320b18a2edc099abef72110d26c27a66e180c9c6d581c43e5dbd5.exe
2036	ecaopti.exe
2036	ecaopti.exe
4604	devbodsys.exe
4604	devbodsys.exe
2036	ecaopti.exe
2036	ecaopti.exe
4604	devbodsys.exe
4604	devbodsys.exe
2036	ecaopti.exe
2036	ecaopti.exe
4604	devbodsys.exe
4604	devbodsys.exe
2036	ecaopti.exe
2036	ecaopti.exe
4604	devbodsys.exe
4604	devbodsys.exe
2036	ecaopti.exe
2036	ecaopti.exe
4604	devbodsys.exe
4604	devbodsys.exe
2036	ecaopti.exe
2036	ecaopti.exe
4604	devbodsys.exe
4604	devbodsys.exe
2036	ecaopti.exe
2036	ecaopti.exe
4604	devbodsys.exe
4604	devbodsys.exe
2036	ecaopti.exe
2036	ecaopti.exe
4604	devbodsys.exe
4604	devbodsys.exe
2036	ecaopti.exe
2036	ecaopti.exe
4604	devbodsys.exe
4604	devbodsys.exe
2036	ecaopti.exe
2036	ecaopti.exe
4604	devbodsys.exe
4604	devbodsys.exe
2036	ecaopti.exe
2036	ecaopti.exe
4604	devbodsys.exe
4604	devbodsys.exe
2036	ecaopti.exe
2036	ecaopti.exe
4604	devbodsys.exe
4604	devbodsys.exe
2036	ecaopti.exe
2036	ecaopti.exe
4604	devbodsys.exe
4604	devbodsys.exe
2036	ecaopti.exe
2036	ecaopti.exe
4604	devbodsys.exe
4604	devbodsys.exe
2036	ecaopti.exe
2036	ecaopti.exe
4604	devbodsys.exe
4604	devbodsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

097718f7ff2320b18a2edc099abef72110d26c27a66e180c9c6d581c43e5dbd5.exe

description	pid	process	target process
PID 4500 wrote to memory of 2036	4500	097718f7ff2320b18a2edc099abef72110d26c27a66e180c9c6d581c43e5dbd5.exe	ecaopti.exe
PID 4500 wrote to memory of 2036	4500	097718f7ff2320b18a2edc099abef72110d26c27a66e180c9c6d581c43e5dbd5.exe	ecaopti.exe
PID 4500 wrote to memory of 2036	4500	097718f7ff2320b18a2edc099abef72110d26c27a66e180c9c6d581c43e5dbd5.exe	ecaopti.exe
PID 4500 wrote to memory of 4604	4500	097718f7ff2320b18a2edc099abef72110d26c27a66e180c9c6d581c43e5dbd5.exe	devbodsys.exe
PID 4500 wrote to memory of 4604	4500	097718f7ff2320b18a2edc099abef72110d26c27a66e180c9c6d581c43e5dbd5.exe	devbodsys.exe
PID 4500 wrote to memory of 4604	4500	097718f7ff2320b18a2edc099abef72110d26c27a66e180c9c6d581c43e5dbd5.exe	devbodsys.exe

C:\Users\Admin\AppData\Local\Temp\097718f7ff2320b18a2edc099abef72110d26c27a66e180c9c6d581c43e5dbd5.exe
"C:\Users\Admin\AppData\Local\Temp\097718f7ff2320b18a2edc099abef72110d26c27a66e180c9c6d581c43e5dbd5.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4500

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2036

C:\Files83\devbodsys.exe
C:\Files83\devbodsys.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4604

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Files83\devbodsys.exe
Filesize
3.6MB

MD5
21c05e0d1d6dd49dc355f7a4895df679

SHA1
554da62dde5b0d974598c557adf93b9b7e74ea08

SHA256
bbfaf4ccad44887dd762b51595437cea738219c0de06470dcbebec1b3eb7f730

SHA512
36a388facd8f406d315f45ac4c69650ea0ac8e5a0d07342805621c7105437878d33b4aff316ddfa717a8a9e26d54c280d7033e5655df6d04bed889388d97b8b1

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini
Filesize
201B

MD5
dca28efa113a24f7f4ed4ce3f8567232

SHA1
faa07e458414606be8245689d6ee9f4ab885b836

SHA256
e964641ae417ec60176c498bd606c054b8367d15b27f6b18f7b96da5aef89c01

SHA512
1500e506e5a6b48eb38d757ef01626a7feac57f83219366d83b33d36bc9f055ae8e11f7f7a96ecb72072841f80a53235a3f4adf2f43230469acccb41f2d2a633

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini
Filesize
169B

MD5
8327417e152d7c9e811138ce231a4236

SHA1
891247af9dfcab815e5163be08ab985ba5dcc4ee

SHA256
3415e04667af484fa21dca7ff019943b6369fd55b291467bd0ff3c5c5e53ad54

SHA512
07873a7df6a7ca6450b7c6d733ea0329e9bc1afb7c574655f6c319958b16fbc8d85867ea2ed66e5f30c2bb5406799e939af7f849f645244fd83a3d80818c7d59

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
Filesize
3.6MB

MD5
aa1c521a45ec3708fd42364e1de0af1c

SHA1
1a359092e220dd2f0e514d688156b92f459796b4

SHA256
5638fb7f6e9c492d542422b7fccec92e70698ed6a608e97e0cf06e84db946d66

SHA512
bb93a74de1eec1d305e4f882fcc5a76e67c4a7adda4b466b91f8691a8510edc3400279017bc8408b2205763789735d351222255cdabb24afd7649b9792a3eece

Download Submit
C:\VidUI\optixec.exe
Filesize
3.6MB

MD5
115ac809d6fc3dc488708cca21e1cce6

SHA1
4cdae8e72cdfc1102463263d2341546ba928b26d

SHA256
b4fba2a9f2557fddaaa570e359bb2678b2f272981405e907b466b1392294a6d4

SHA512
b159977a4cd9ed9550be4e0cef27949ef7ac5b72e271d937dff825f1f81f2089d3c8fe39e27f02f3c80a5cb056d01b55f1db1edb8dd13eb793f13205c9320e9a

Download Submit
C:\VidUI\optixec.exe
Filesize
399KB

MD5
aff76bc9fe221a55306f6b45b1f49c7a

SHA1
4233b789c2ecffe08ef069b31f1f6f78d6a429a9

SHA256
16c82812ba231d655e615dcef340ca39b16f0cebfa4fe0584ca8c8945ca50f3b

SHA512
17961a0288d61c9a53d98051b1bf34d91b7e2f9b728dd2428db2408ab7c1839a859187fc0ad7444e08c2d2a34412424d7daf96ae65188efb8b128dfb821374dd

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads