5de369fbc88c203225f53660ef07b37c0eacd06cfe2129cfefa02b4cf5685b2b

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
30-05-2024 22:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5de369fbc88c203225f53660ef07b37c0eacd06cfe2129cfefa02b4cf5685b2b.exe
Size

3.6MB
MD5

c71c91733fe800e568affb613421009f
SHA1

0cc824669220064639b6580a32d5547767f0180c
SHA256

5de369fbc88c203225f53660ef07b37c0eacd06cfe2129cfefa02b4cf5685b2b
SHA512

ec74682e9c9b45a945514a3ffb2673a5fcfff63e003c5698a17f3f65c5b7df0b6d159e32aa38d583ad463bb98fabefa3605e31725ffb4560045ec830ce828cd6
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB5B/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpmbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe	5de369fbc88c203225f53660ef07b37c0eacd06cfe2129cfefa02b4cf5685b2b.exe

Executes dropped EXE 2 IoCs

pid	Process
4608	ecaopti.exe
336	abodloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot01\\abodloc.exe"	5de369fbc88c203225f53660ef07b37c0eacd06cfe2129cfefa02b4cf5685b2b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZC7\\dobdevloc.exe"	5de369fbc88c203225f53660ef07b37c0eacd06cfe2129cfefa02b4cf5685b2b.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2816	5de369fbc88c203225f53660ef07b37c0eacd06cfe2129cfefa02b4cf5685b2b.exe
2816	5de369fbc88c203225f53660ef07b37c0eacd06cfe2129cfefa02b4cf5685b2b.exe
2816	5de369fbc88c203225f53660ef07b37c0eacd06cfe2129cfefa02b4cf5685b2b.exe
2816	5de369fbc88c203225f53660ef07b37c0eacd06cfe2129cfefa02b4cf5685b2b.exe
4608	ecaopti.exe
4608	ecaopti.exe
336	abodloc.exe
336	abodloc.exe
4608	ecaopti.exe
4608	ecaopti.exe
336	abodloc.exe
336	abodloc.exe
4608	ecaopti.exe
4608	ecaopti.exe
336	abodloc.exe
336	abodloc.exe
4608	ecaopti.exe
4608	ecaopti.exe
336	abodloc.exe
336	abodloc.exe
4608	ecaopti.exe
4608	ecaopti.exe
336	abodloc.exe
336	abodloc.exe
4608	ecaopti.exe
4608	ecaopti.exe
336	abodloc.exe
336	abodloc.exe
4608	ecaopti.exe
4608	ecaopti.exe
336	abodloc.exe
336	abodloc.exe
4608	ecaopti.exe
4608	ecaopti.exe
336	abodloc.exe
336	abodloc.exe
4608	ecaopti.exe
4608	ecaopti.exe
336	abodloc.exe
336	abodloc.exe
4608	ecaopti.exe
4608	ecaopti.exe
336	abodloc.exe
336	abodloc.exe
4608	ecaopti.exe
4608	ecaopti.exe
336	abodloc.exe
336	abodloc.exe
4608	ecaopti.exe
4608	ecaopti.exe
336	abodloc.exe
336	abodloc.exe
4608	ecaopti.exe
4608	ecaopti.exe
336	abodloc.exe
336	abodloc.exe
4608	ecaopti.exe
4608	ecaopti.exe
336	abodloc.exe
336	abodloc.exe
4608	ecaopti.exe
4608	ecaopti.exe
336	abodloc.exe
336	abodloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 4608	2816	5de369fbc88c203225f53660ef07b37c0eacd06cfe2129cfefa02b4cf5685b2b.exe	85
PID 2816 wrote to memory of 4608	2816	5de369fbc88c203225f53660ef07b37c0eacd06cfe2129cfefa02b4cf5685b2b.exe	85
PID 2816 wrote to memory of 4608	2816	5de369fbc88c203225f53660ef07b37c0eacd06cfe2129cfefa02b4cf5685b2b.exe	85
PID 2816 wrote to memory of 336	2816	5de369fbc88c203225f53660ef07b37c0eacd06cfe2129cfefa02b4cf5685b2b.exe	86
PID 2816 wrote to memory of 336	2816	5de369fbc88c203225f53660ef07b37c0eacd06cfe2129cfefa02b4cf5685b2b.exe	86
PID 2816 wrote to memory of 336	2816	5de369fbc88c203225f53660ef07b37c0eacd06cfe2129cfefa02b4cf5685b2b.exe	86

C:\Users\Admin\AppData\Local\Temp\5de369fbc88c203225f53660ef07b37c0eacd06cfe2129cfefa02b4cf5685b2b.exe
"C:\Users\Admin\AppData\Local\Temp\5de369fbc88c203225f53660ef07b37c0eacd06cfe2129cfefa02b4cf5685b2b.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4608
- C:\UserDot01\abodloc.exe
  C:\UserDot01\abodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZC7\dobdevloc.exe

Filesize
188KB

MD5
4645ef5db7e0cca90ad3d43d9a89e739

SHA1
1d53f0844dc345b104becd6c6c21bdea6d42b31f

SHA256
6624b5ea23b1c3c7d06a11c1935ade5dc70131a382ff5f12aeb0daed3adbe00a

SHA512
229cf6f5c2d79b5b38e9cc5eb6f6988e1ed8a2eb16653ace755031170d658a9cafd8ab0e3fea70e3093846476a0fe59c5075a1efa2108113dd3706b8c5cda423

Download Submit
C:\LabZC7\dobdevloc.exe

Filesize
2.0MB

MD5
98daca277ec1c21b3a58472a21f72122

SHA1
276d1defe8db67687645ade3166d972e49712d46

SHA256
55606377558a375e893c16b85696bd05fcbf80bf803f425bdd09c942c1bb482c

SHA512
6c870efa69628d0f5b5c1c6f6b19e2db7975af06e5735c095a3bd4042615e846e4a55b3aab376c08ff866cea6307dfdc3803096c128a6c2649a062768133ce39

Download Submit
C:\UserDot01\abodloc.exe

Filesize
168KB

MD5
342ebf6d2c4562b4c7b803882204d775

SHA1
aedfee1960518f163fda0b10e2fdc0451a67995c

SHA256
1eda50e393b51d2acfecfda5af85d27b1096a6df2ccbd7ecad5a7d8c0d33d74a

SHA512
b844dd3d986ef3877aaedee3f1f52a3c81ccb782aad3d849b7d9666f0befc744a5b6c3340119461633a35d525892814f4a2cf8844bc8c34fb42b13b36e98ca28

Download Submit
C:\UserDot01\abodloc.exe

Filesize
3.6MB

MD5
71e06234c1fa4728f2472f9021d466b5

SHA1
a96f81d2f523b88c4fc1321b8d16a246f6cb8809

SHA256
db28221db8686c023205a73e593d3ab3d4e1324340dc5c65c1a0058f41623559

SHA512
cc00ae7682c1f7418456a13eaae432ba84cd08e0b69229022c115021f303b27faa218ed425a94a3f85a0c18b177f6158db0a63a01e81fde09916b3f111b0c0b2

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
da95e23d20739f24a6362cd9ad65384e

SHA1
552d33937fc76bf1231848a1c76b1a83de1ea62b

SHA256
70907bdcf61fa671dce53ff0c8a8a1b09ec16c25d10e93caf00f1f0e8f7d8454

SHA512
9742d7cfc889ff8a386a16034c2b8d7b8b56402a7ba16e71e11b2ac988b24f66d68bcc23040c523a17acab4e81e93b15c9b8413bf1bfcbd5b2dedb724248fb11

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
172B

MD5
f78809397435d529c92198c92e1319f6

SHA1
6d654e56ccd5a1c20822b18c1abf039b8f33a74a

SHA256
2ac4e6ddcdacf3f8e53ad364b518635fc11cd5d210b5c75a6e9cc6740a114b2c

SHA512
9c6b55484551d7214886a8a350af9397e691a2b6860b8ebfe4be5ff92474729895336dcf7cb37a9b1d2796c528bb7e7f44e5afe3014e33e2c45baad71c3997e1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe

Filesize
3.6MB

MD5
46b6aacc9e225bff60538da845bf23a5

SHA1
a056b3848ab13d738b384708a5b824c8fbdb89d6

SHA256
f4934a0def3dff5ace0674b929e96308450421fcc4b64a2f6071926470bb3c0d

SHA512
ce138c7f8905c02c9f9b4bb65072641fe2ed52c9745d7f5885e31f23227667ce745a9627f1276ad1eb306c99fbe276aa922358452c70b02c34fd782311368933

Download Submit