1385eaed88424279c39847083aa132bd4192c86a7fec673681fbc1e9675bdc9c

General

Target

1385eaed88424279c39847083aa132bd4192c86a7fec673681fbc1e9675bdc9c.exe
Size

3.1MB
MD5

4e2eca96bd7f62ff40a2a7bf28eea5a0
SHA1

30d149e7a9be2bcaa63983ce11268c4c87801ef7
SHA256

1385eaed88424279c39847083aa132bd4192c86a7fec673681fbc1e9675bdc9c
SHA512

04baaf8b4b0aea4c37e55c3c6e23f56729fe409bb1ad5c9f9efc135a052c08abd0b39649802c07cee41e2c60ed56dfa1efa92d1405f274ab7ecf7ddc06f282f2
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBRB/bSqz8b6LNXJqI:sxX7QnxrloE5dpUp2bVz8eLFc

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

1385eaed88424279c39847083aa132bd4192c86a7fec673681fbc1e9675bdc9c.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe	1385eaed88424279c39847083aa132bd4192c86a7fec673681fbc1e9675bdc9c.exe

Executes dropped EXE 2 IoCs

Processes:

ecdevbod.exexoptiloc.exe

pid process

1180 ecdevbod.exe
3328 xoptiloc.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1180	ecdevbod.exe
3328	xoptiloc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

1385eaed88424279c39847083aa132bd4192c86a7fec673681fbc1e9675bdc9c.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesLT\\xoptiloc.exe"	1385eaed88424279c39847083aa132bd4192c86a7fec673681fbc1e9675bdc9c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid2H\\dobxec.exe"	1385eaed88424279c39847083aa132bd4192c86a7fec673681fbc1e9675bdc9c.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

1385eaed88424279c39847083aa132bd4192c86a7fec673681fbc1e9675bdc9c.exeecdevbod.exexoptiloc.exe

pid	process
1588	1385eaed88424279c39847083aa132bd4192c86a7fec673681fbc1e9675bdc9c.exe
1588	1385eaed88424279c39847083aa132bd4192c86a7fec673681fbc1e9675bdc9c.exe
1588	1385eaed88424279c39847083aa132bd4192c86a7fec673681fbc1e9675bdc9c.exe
1588	1385eaed88424279c39847083aa132bd4192c86a7fec673681fbc1e9675bdc9c.exe
1180	ecdevbod.exe
1180	ecdevbod.exe
3328	xoptiloc.exe
3328	xoptiloc.exe
1180	ecdevbod.exe
1180	ecdevbod.exe
3328	xoptiloc.exe
3328	xoptiloc.exe
1180	ecdevbod.exe
1180	ecdevbod.exe
3328	xoptiloc.exe
3328	xoptiloc.exe
1180	ecdevbod.exe
1180	ecdevbod.exe
3328	xoptiloc.exe
3328	xoptiloc.exe
1180	ecdevbod.exe
1180	ecdevbod.exe
3328	xoptiloc.exe
3328	xoptiloc.exe
1180	ecdevbod.exe
1180	ecdevbod.exe
3328	xoptiloc.exe
3328	xoptiloc.exe
1180	ecdevbod.exe
1180	ecdevbod.exe
3328	xoptiloc.exe
3328	xoptiloc.exe
1180	ecdevbod.exe
1180	ecdevbod.exe
3328	xoptiloc.exe
3328	xoptiloc.exe
1180	ecdevbod.exe
1180	ecdevbod.exe
3328	xoptiloc.exe
3328	xoptiloc.exe
1180	ecdevbod.exe
1180	ecdevbod.exe
3328	xoptiloc.exe
3328	xoptiloc.exe
1180	ecdevbod.exe
1180	ecdevbod.exe
3328	xoptiloc.exe
3328	xoptiloc.exe
1180	ecdevbod.exe
1180	ecdevbod.exe
3328	xoptiloc.exe
3328	xoptiloc.exe
1180	ecdevbod.exe
1180	ecdevbod.exe
3328	xoptiloc.exe
3328	xoptiloc.exe
1180	ecdevbod.exe
1180	ecdevbod.exe
3328	xoptiloc.exe
3328	xoptiloc.exe
1180	ecdevbod.exe
1180	ecdevbod.exe
3328	xoptiloc.exe
3328	xoptiloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

1385eaed88424279c39847083aa132bd4192c86a7fec673681fbc1e9675bdc9c.exe

description	pid	process	target process
PID 1588 wrote to memory of 1180	1588	1385eaed88424279c39847083aa132bd4192c86a7fec673681fbc1e9675bdc9c.exe	ecdevbod.exe
PID 1588 wrote to memory of 1180	1588	1385eaed88424279c39847083aa132bd4192c86a7fec673681fbc1e9675bdc9c.exe	ecdevbod.exe
PID 1588 wrote to memory of 1180	1588	1385eaed88424279c39847083aa132bd4192c86a7fec673681fbc1e9675bdc9c.exe	ecdevbod.exe
PID 1588 wrote to memory of 3328	1588	1385eaed88424279c39847083aa132bd4192c86a7fec673681fbc1e9675bdc9c.exe	xoptiloc.exe
PID 1588 wrote to memory of 3328	1588	1385eaed88424279c39847083aa132bd4192c86a7fec673681fbc1e9675bdc9c.exe	xoptiloc.exe
PID 1588 wrote to memory of 3328	1588	1385eaed88424279c39847083aa132bd4192c86a7fec673681fbc1e9675bdc9c.exe	xoptiloc.exe

C:\Users\Admin\AppData\Local\Temp\1385eaed88424279c39847083aa132bd4192c86a7fec673681fbc1e9675bdc9c.exe
"C:\Users\Admin\AppData\Local\Temp\1385eaed88424279c39847083aa132bd4192c86a7fec673681fbc1e9675bdc9c.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1588

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1180

C:\FilesLT\xoptiloc.exe
C:\FilesLT\xoptiloc.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3328

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesLT\xoptiloc.exe
Filesize
3.1MB

MD5
490a330199f3c6a9ac5dfd9ee8760242

SHA1
516fd3922c3183b70019c07ea56695a49cd6394f

SHA256
90edfe9ed4dff055ecd1327668ac1ab8344d5e4b114f17328d31b6f96ea90f91

SHA512
6e3f3756d52cf7a717da8361bff6fb7ea6ef8ddd59500c4a6ac0f226c2ccfe13f2c0c3195411ed9fd33e27d07026ebd4ff2b44ba8392c030e11f033eba363fe6

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini
Filesize
200B

MD5
69eb9163803656414833deee6e650c7b

SHA1
890f0a4fa4ea8df113ac5eafe25dfb3f470b6a51

SHA256
f6bb1ea2b7e5fa25e045bac820e10b4f01dab5ddcdb8c6b6ec000718d0d62b6e

SHA512
fa584b844e1f5a43468b5dc63d397f32e2644138032c84d8665561069e458b9baf3c30548cf75f3cb6581bd1fcbfbbb208254e5b6d91ef0d7f149abfb70ec866

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini
Filesize
168B

MD5
3f272ab3bb7bd082158767cbc135d0e2

SHA1
5caebcce6d245d9591c8ff9a7c07b9694ef63962

SHA256
c684ce6536ecc222d0cdfa9c8956152472cd59f2996f67408f0ff224bf0db6d5

SHA512
8b51658f402f0a46f47fd4dd311ad3fa1f9fa8a6f6692d2da7b223a8624e81dc658d6a5fd2b7bb887a43fa8f0369b77cdb7e97f87a94239a6cc31c0f21eb10ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
Filesize
3.1MB

MD5
54c3275c738e8c9925dd94b9ceeaecaf

SHA1
6918f31cd9fdb413bc6447dcc2d63a088f030912

SHA256
7c38635bc6114fbd37c7d59e534c18cfa2b23861613fb0560903514fc31d63e3

SHA512
9e52a178f88e97160cd92a9ddc52133e8936f1c7eeb3e15f2a8be98c87a5d5d9930caba823f4ccf77a2afdf48c1801e5598bcd153bb03e020f2012933bd6e3de

Download Submit
C:\Vid2H\dobxec.exe
Filesize
402KB

MD5
dc9a84c8d10a7d591a922c0b7c9ed2c6

SHA1
a2f84382a97c11f7c49acef4209bc394dff59d17

SHA256
2655ebb194109e4705e3526f5a9c937791cce884ec11e45cd2329f3769238e63

SHA512
b3a6e4193a4c49c5cc2191c83d0fd91cb57d2978dda2f21f3ab83b7f2a59219226b0465b9779106ecd735f9a238f475ce3f9d623b9d19bffe9599b223d95572b

Download Submit
C:\Vid2H\dobxec.exe
Filesize
74KB

MD5
89bb8b217ee1d3d6c87923bc28c38f40

SHA1
d2b93599d69bc41d5e8048d900a0525811951da7

SHA256
c4f3d04b9838e1ac4abe3817c0d95ab04c0431251e57533f950c83d512cbeb59

SHA512
25ea5f38eb23079723f32932ffb77cf1438a1a90c77d899fbce2ebee99b2fa61a43d53fb8fd23f7966fbfa6aead8ee2c037b65f867ca0bd6f8dddeac75299cad

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads