3b409decd09409a083ebf29e2f5bc8b57b2899ef7eadaa4fdc689cc5d341d3a7

General

Target

3b409decd09409a083ebf29e2f5bc8b57b2899ef7eadaa4fdc689cc5d341d3a7.exe
Size

4.0MB
MD5

0bc2a6be9c70c4b4a8c3a4e1c8b6fd58
SHA1

6d76ba30b6723ee6036470aea1d26d52edb3f2af
SHA256

3b409decd09409a083ebf29e2f5bc8b57b2899ef7eadaa4fdc689cc5d341d3a7
SHA512

f1eeeb2aa921ffe0b04f287c1c1e3aef4b59a191c4239629f3d32ad9917f29e72d99f9e78962536f65f8ef8c40bb663a8fc41758003816a0ea3d400bdb5f92b2
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBmB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUplbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

3b409decd09409a083ebf29e2f5bc8b57b2899ef7eadaa4fdc689cc5d341d3a7.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe	3b409decd09409a083ebf29e2f5bc8b57b2899ef7eadaa4fdc689cc5d341d3a7.exe

Executes dropped EXE 2 IoCs

Processes:

ecaopti.exedevbodloc.exe

pid process

2780 ecaopti.exe
2548 devbodloc.exe

pid	process
2780	ecaopti.exe
2548	devbodloc.exe

Loads dropped DLL 2 IoCs

Processes:

3b409decd09409a083ebf29e2f5bc8b57b2899ef7eadaa4fdc689cc5d341d3a7.exe

pid	process
2156	3b409decd09409a083ebf29e2f5bc8b57b2899ef7eadaa4fdc689cc5d341d3a7.exe
2156	3b409decd09409a083ebf29e2f5bc8b57b2899ef7eadaa4fdc689cc5d341d3a7.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

3b409decd09409a083ebf29e2f5bc8b57b2899ef7eadaa4fdc689cc5d341d3a7.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocZ1\\devbodloc.exe"	3b409decd09409a083ebf29e2f5bc8b57b2899ef7eadaa4fdc689cc5d341d3a7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid9U\\optixec.exe"	3b409decd09409a083ebf29e2f5bc8b57b2899ef7eadaa4fdc689cc5d341d3a7.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3b409decd09409a083ebf29e2f5bc8b57b2899ef7eadaa4fdc689cc5d341d3a7.exeecaopti.exedevbodloc.exe

pid	process
2156	3b409decd09409a083ebf29e2f5bc8b57b2899ef7eadaa4fdc689cc5d341d3a7.exe
2156	3b409decd09409a083ebf29e2f5bc8b57b2899ef7eadaa4fdc689cc5d341d3a7.exe
2780	ecaopti.exe
2548	devbodloc.exe
2780	ecaopti.exe
2548	devbodloc.exe
2780	ecaopti.exe
2548	devbodloc.exe
2780	ecaopti.exe
2548	devbodloc.exe
2780	ecaopti.exe
2548	devbodloc.exe
2780	ecaopti.exe
2548	devbodloc.exe
2780	ecaopti.exe
2548	devbodloc.exe
2780	ecaopti.exe
2548	devbodloc.exe
2780	ecaopti.exe
2548	devbodloc.exe
2780	ecaopti.exe
2548	devbodloc.exe
2780	ecaopti.exe
2548	devbodloc.exe
2780	ecaopti.exe
2548	devbodloc.exe
2780	ecaopti.exe
2548	devbodloc.exe
2780	ecaopti.exe
2548	devbodloc.exe
2780	ecaopti.exe
2548	devbodloc.exe
2780	ecaopti.exe
2548	devbodloc.exe
2780	ecaopti.exe
2548	devbodloc.exe
2780	ecaopti.exe
2548	devbodloc.exe
2780	ecaopti.exe
2548	devbodloc.exe
2780	ecaopti.exe
2548	devbodloc.exe
2780	ecaopti.exe
2548	devbodloc.exe
2780	ecaopti.exe
2548	devbodloc.exe
2780	ecaopti.exe
2548	devbodloc.exe
2780	ecaopti.exe
2548	devbodloc.exe
2780	ecaopti.exe
2548	devbodloc.exe
2780	ecaopti.exe
2548	devbodloc.exe
2780	ecaopti.exe
2548	devbodloc.exe
2780	ecaopti.exe
2548	devbodloc.exe
2780	ecaopti.exe
2548	devbodloc.exe
2780	ecaopti.exe
2548	devbodloc.exe
2780	ecaopti.exe
2548	devbodloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

3b409decd09409a083ebf29e2f5bc8b57b2899ef7eadaa4fdc689cc5d341d3a7.exe

description	pid	process	target process
PID 2156 wrote to memory of 2780	2156	3b409decd09409a083ebf29e2f5bc8b57b2899ef7eadaa4fdc689cc5d341d3a7.exe	ecaopti.exe
PID 2156 wrote to memory of 2780	2156	3b409decd09409a083ebf29e2f5bc8b57b2899ef7eadaa4fdc689cc5d341d3a7.exe	ecaopti.exe
PID 2156 wrote to memory of 2780	2156	3b409decd09409a083ebf29e2f5bc8b57b2899ef7eadaa4fdc689cc5d341d3a7.exe	ecaopti.exe
PID 2156 wrote to memory of 2780	2156	3b409decd09409a083ebf29e2f5bc8b57b2899ef7eadaa4fdc689cc5d341d3a7.exe	ecaopti.exe
PID 2156 wrote to memory of 2548	2156	3b409decd09409a083ebf29e2f5bc8b57b2899ef7eadaa4fdc689cc5d341d3a7.exe	devbodloc.exe
PID 2156 wrote to memory of 2548	2156	3b409decd09409a083ebf29e2f5bc8b57b2899ef7eadaa4fdc689cc5d341d3a7.exe	devbodloc.exe
PID 2156 wrote to memory of 2548	2156	3b409decd09409a083ebf29e2f5bc8b57b2899ef7eadaa4fdc689cc5d341d3a7.exe	devbodloc.exe
PID 2156 wrote to memory of 2548	2156	3b409decd09409a083ebf29e2f5bc8b57b2899ef7eadaa4fdc689cc5d341d3a7.exe	devbodloc.exe

C:\Users\Admin\AppData\Local\Temp\3b409decd09409a083ebf29e2f5bc8b57b2899ef7eadaa4fdc689cc5d341d3a7.exe
"C:\Users\Admin\AppData\Local\Temp\3b409decd09409a083ebf29e2f5bc8b57b2899ef7eadaa4fdc689cc5d341d3a7.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2156

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2780

C:\IntelprocZ1\devbodloc.exe
C:\IntelprocZ1\devbodloc.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2548

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocZ1\devbodloc.exe
Filesize
4.0MB

MD5
819fbf32902949b5079dc2d71e64f78a

SHA1
5e672158f9dbeb02596918231a9ff02ec660e584

SHA256
45e93ed4e4f7e0f0b819b43917431bd931f47667ba6b62bbb082fdc29ae414d9

SHA512
b26e9baf7df4814bdda8dd671899264a55452d46b9f92481dde3e9d8bd6f388dde096e0a640d70306b39ecdc4dfad81b6277e114e23ec9e9f5aa01fbb3c039eb

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini
Filesize
173B

MD5
7331ed14ebf91bcce77702a7a0656c61

SHA1
00b78ac53311472296a435090e79d3cc8cf0170a

SHA256
84969b25d8b9a1650d631808d8ed8909400b894c2760f2df2a9ac7cc0c73c614

SHA512
56a7e4b2526b72432b3cbed265996f55b81796e91c40b7cf915127693270204735357a959b31e58a5ade132037be441dae93445815dd0f9aca9e9aedf5d09b6a

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini
Filesize
205B

MD5
e49d5e39a8471fdc7b2e6e70c138b203

SHA1
2917e20d024db03f2a63db8d24194e67ba2acc67

SHA256
9b9e5971aa3fce0f38f444e1d9704442ac1e98eb10e828a56badbf8b584aeb89

SHA512
225f3ab38a30fda56e32740c3ad009a9681adf48aeaec38b95fb52b9474a74f1cabc6d7d5e58b2b247627b0d2b5706c7fb153880182ee41bdccb62b3154ff110

Download Submit
C:\Vid9U\optixec.exe
Filesize
1024KB

MD5
90ae4fede7abc64a0f6047848c4df1ed

SHA1
7d2c7ba2bad34d678099158587218c05d33d67a6

SHA256
41632a9068f4384ad13766464bc2bb3a2e48d779857fa7bbd7fde485473c7a35

SHA512
91595e3923179f9a9f869368413314be202c147352239d379c0c5cb1fbb9f070bfefbc1d4def79c74c8d4aaf1a11f31c6206ef87d200340b874d7fa7afdc93ec

Download Submit
C:\Vid9U\optixec.exe
Filesize
4.0MB

MD5
1e1c2ebc53a8edfd94421afe3d5665cf

SHA1
8b57ab755aeb44b265321f17fd632fb1d7a56c29

SHA256
7fa8140fd63e73553b31083bf4d14a8e53e15a5458696cfed4a2a26e9d9a67a0

SHA512
fcc2a884955c657f8546e4fa9e217f41e1bfe7cc107a8708fb84623d0bae30ac1a8c2d7acd90ebefe30d8561ae4fb89e276dcf4d0079267ac9579d97872e812d

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
Filesize
4.0MB

MD5
fae9190b5ba3cb913e36f28ff2ce204f

SHA1
14da075a7a8643e6e09241744b95b2cbd36ab91b

SHA256
07ab8381fe6bd07da48a52dd0cf13e5b79f5037466d353f05f27a9d69d278289

SHA512
61736ce9d5e1b5ad1d433890ba3ddbeea71b87b1b80a9f55b783f5fe3e6f8dbb3f864ff613046e4151d55104b3f34b0f975b594e4d8cc6f8386fbe4089e6e1c5

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads