d7f8336c93057d52fc67d703830ddb869d85f9b5d11a345b8c754f5f890d3d90

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
02/06/2024, 01:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

80bbc72f43b8c5774663ea03070b1bd0.exe
Size

4.1MB
MD5

80bbc72f43b8c5774663ea03070b1bd0
SHA1

7ce1a5a6edfd7aede26f4a8ee3a889ff70f5b902
SHA256

d7f8336c93057d52fc67d703830ddb869d85f9b5d11a345b8c754f5f890d3d90
SHA512

5d18563576975897962d0094b07816ec18acb3fa8597735ca403de4edeee8136605fab3a88fa2e430ba61537aaa28a5c77ecd1267afbc8112945df5b1a34db9a
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBXB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpQbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe	80bbc72f43b8c5774663ea03070b1bd0.exe

Executes dropped EXE 2 IoCs

pid	Process
3440	ecaopti.exe
60	xoptiloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc2E\\xoptiloc.exe"	80bbc72f43b8c5774663ea03070b1bd0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidN2\\dobaloc.exe"	80bbc72f43b8c5774663ea03070b1bd0.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2272	80bbc72f43b8c5774663ea03070b1bd0.exe
2272	80bbc72f43b8c5774663ea03070b1bd0.exe
2272	80bbc72f43b8c5774663ea03070b1bd0.exe
2272	80bbc72f43b8c5774663ea03070b1bd0.exe
3440	ecaopti.exe
3440	ecaopti.exe
60	xoptiloc.exe
60	xoptiloc.exe
3440	ecaopti.exe
3440	ecaopti.exe
60	xoptiloc.exe
60	xoptiloc.exe
3440	ecaopti.exe
3440	ecaopti.exe
60	xoptiloc.exe
60	xoptiloc.exe
3440	ecaopti.exe
3440	ecaopti.exe
60	xoptiloc.exe
60	xoptiloc.exe
3440	ecaopti.exe
3440	ecaopti.exe
60	xoptiloc.exe
60	xoptiloc.exe
3440	ecaopti.exe
3440	ecaopti.exe
60	xoptiloc.exe
60	xoptiloc.exe
3440	ecaopti.exe
3440	ecaopti.exe
60	xoptiloc.exe
60	xoptiloc.exe
3440	ecaopti.exe
3440	ecaopti.exe
60	xoptiloc.exe
60	xoptiloc.exe
3440	ecaopti.exe
3440	ecaopti.exe
60	xoptiloc.exe
60	xoptiloc.exe
3440	ecaopti.exe
3440	ecaopti.exe
60	xoptiloc.exe
60	xoptiloc.exe
3440	ecaopti.exe
3440	ecaopti.exe
60	xoptiloc.exe
60	xoptiloc.exe
3440	ecaopti.exe
3440	ecaopti.exe
60	xoptiloc.exe
60	xoptiloc.exe
3440	ecaopti.exe
3440	ecaopti.exe
60	xoptiloc.exe
60	xoptiloc.exe
3440	ecaopti.exe
3440	ecaopti.exe
60	xoptiloc.exe
60	xoptiloc.exe
3440	ecaopti.exe
3440	ecaopti.exe
60	xoptiloc.exe
60	xoptiloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 3440	2272	80bbc72f43b8c5774663ea03070b1bd0.exe	89
PID 2272 wrote to memory of 3440	2272	80bbc72f43b8c5774663ea03070b1bd0.exe	89
PID 2272 wrote to memory of 3440	2272	80bbc72f43b8c5774663ea03070b1bd0.exe	89
PID 2272 wrote to memory of 60	2272	80bbc72f43b8c5774663ea03070b1bd0.exe	92
PID 2272 wrote to memory of 60	2272	80bbc72f43b8c5774663ea03070b1bd0.exe	92
PID 2272 wrote to memory of 60	2272	80bbc72f43b8c5774663ea03070b1bd0.exe	92

C:\Users\Admin\AppData\Local\Temp\80bbc72f43b8c5774663ea03070b1bd0.exe
"C:\Users\Admin\AppData\Local\Temp\80bbc72f43b8c5774663ea03070b1bd0.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3440
- C:\Intelproc2E\xoptiloc.exe
  C:\Intelproc2E\xoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:60

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Intelproc2E\xoptiloc.exe

Filesize
4.1MB

MD5
aece4f507e8fe31398c839a283c92c9a

SHA1
d735be1c9bcd88ff3d69b6881b1b7738e2c7e89d

SHA256
e286f6fe588869cfbff4175d6fa94dac71d56dc877056286c73129db3121e1c4

SHA512
4776be3e954670658584ef5569ea7824f97f48fdba7adcf11fe1576b4fc72f39cf99c45a93470d048204a29fdc0baeb95eef81afed71b25b82c61bfde42fafb6

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
eaed9e93fe6abcf891428e743e3af892

SHA1
df351fd8fe6822a2f2daa19d0ca40ac42d1339c0

SHA256
9711310afce69b2f9877cf6a5804fb8ec27fd52bcae0864468e16f06239bbe4f

SHA512
0bfe3699813e2c2cfb4c5053c2d1462901f904715ab84e660923366a60160b33756112bd27673e60fb5ef37ec6133247552e0cf9b51cf04d2a390ba81c7c76fb

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
172B

MD5
abaa66ab21533632c8ce89818948fef2

SHA1
cbbc1088cfa856853f1b25e9f43b3a30f0618f20

SHA256
37e91fdb6f04da09aacf4861336b4fe33cb0191780387a759815f823378bf4a3

SHA512
f3fa59436f7fb4d0f30f78f63a115c00d681438bbc8179d84b1dc9cd77ec5b66e94f45f285aa659b0ccb06be1d46be59dcd403ca24664138c346961a1283543c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe

Filesize
4.1MB

MD5
5129b1255b6a90da0818e000c9f82868

SHA1
97b9d24ea7f8a7d8a175c22c164046f96a30331e

SHA256
24233ce146b89f5703bc38a90140d265c946fbed4249473af9773d81a3c9ceba

SHA512
2f27ee64462962c99691c7c61ecfadd8b27e571d42d40e9c91d6c91383a121d9fce7fbb306a48fa67725bfb91d6249fe790e3507a8d579cdb79811ee5b1fdf7c

Download Submit
C:\VidN2\dobaloc.exe

Filesize
4.1MB

MD5
1031052a2b75e23802debf048bcaf92f

SHA1
4bee72ec687753508a479bcd3cc3b0322b0b1016

SHA256
4d0f1b4352a6e808bca735dbda62a61612161bfa24e7e6b0f0fd809fb6cb268f

SHA512
06223408f1688ea35301fd32f7042515527e9fbd543162c3566c225fdf0e9d046ad6754a54a9fb134d70f0ace1c9842053f1281329206f3d62cf58cf4694de53

Download Submit
C:\VidN2\dobaloc.exe

Filesize
805KB

MD5
ee0a24cf6849ff1a1e2d23ad95f7f9ac

SHA1
e4b608171a890964a21a17d7e0ea82bfd6cb9ce5

SHA256
e3dfbcc159008d330aa71cd362ffe797c6e468a8db4a0619e96e510f597851b4

SHA512
662b292130bd6c50caf18e9c2bbb20959c6e312c8cc4867f37703c4d268dc18e6d8710d0dd2843db406186a431af670e32f44f67b99d82b6e233bd8772b84ff8

Download Submit