6eb8861b82e3cf762a0469f542123907cdac790ba122ae35236980d536763588

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
03/06/2024, 22:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6eb8861b82e3cf762a0469f542123907cdac790ba122ae35236980d536763588.exe
Size

3.0MB
MD5

5e6ce16ce37d802d8a0a0c1b4f6484fc
SHA1

967c73724d5be7496bde1204ab585e9e3af51824
SHA256

6eb8861b82e3cf762a0469f542123907cdac790ba122ae35236980d536763588
SHA512

a374ff050da7297c66254ba87ce86b82aff416e424776af13f19b76c52786fde820883833558b94d11379e4d22d142ffcfb464fe4099a59da2edd877fd893520
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBFB/bSqz8b6LNX:sxX7QnxrloE5dpUpKbVz8eLF

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe	6eb8861b82e3cf762a0469f542123907cdac790ba122ae35236980d536763588.exe

Executes dropped EXE 2 IoCs

pid	Process
2148	ecaopti.exe
3068	devoptisys.exe

Loads dropped DLL 2 IoCs

pid	Process
1684	6eb8861b82e3cf762a0469f542123907cdac790ba122ae35236980d536763588.exe
1684	6eb8861b82e3cf762a0469f542123907cdac790ba122ae35236980d536763588.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotZI\\devoptisys.exe"	6eb8861b82e3cf762a0469f542123907cdac790ba122ae35236980d536763588.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintNK\\optiaec.exe"	6eb8861b82e3cf762a0469f542123907cdac790ba122ae35236980d536763588.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1684	6eb8861b82e3cf762a0469f542123907cdac790ba122ae35236980d536763588.exe
1684	6eb8861b82e3cf762a0469f542123907cdac790ba122ae35236980d536763588.exe
2148	ecaopti.exe
3068	devoptisys.exe
2148	ecaopti.exe
3068	devoptisys.exe
2148	ecaopti.exe
3068	devoptisys.exe
2148	ecaopti.exe
3068	devoptisys.exe
2148	ecaopti.exe
3068	devoptisys.exe
2148	ecaopti.exe
3068	devoptisys.exe
2148	ecaopti.exe
3068	devoptisys.exe
2148	ecaopti.exe
3068	devoptisys.exe
2148	ecaopti.exe
3068	devoptisys.exe
2148	ecaopti.exe
3068	devoptisys.exe
2148	ecaopti.exe
3068	devoptisys.exe
2148	ecaopti.exe
3068	devoptisys.exe
2148	ecaopti.exe
3068	devoptisys.exe
2148	ecaopti.exe
3068	devoptisys.exe
2148	ecaopti.exe
3068	devoptisys.exe
2148	ecaopti.exe
3068	devoptisys.exe
2148	ecaopti.exe
3068	devoptisys.exe
2148	ecaopti.exe
3068	devoptisys.exe
2148	ecaopti.exe
3068	devoptisys.exe
2148	ecaopti.exe
3068	devoptisys.exe
2148	ecaopti.exe
3068	devoptisys.exe
2148	ecaopti.exe
3068	devoptisys.exe
2148	ecaopti.exe
3068	devoptisys.exe
2148	ecaopti.exe
3068	devoptisys.exe
2148	ecaopti.exe
3068	devoptisys.exe
2148	ecaopti.exe
3068	devoptisys.exe
2148	ecaopti.exe
3068	devoptisys.exe
2148	ecaopti.exe
3068	devoptisys.exe
2148	ecaopti.exe
3068	devoptisys.exe
2148	ecaopti.exe
3068	devoptisys.exe
2148	ecaopti.exe
3068	devoptisys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 2148	1684	6eb8861b82e3cf762a0469f542123907cdac790ba122ae35236980d536763588.exe	28
PID 1684 wrote to memory of 2148	1684	6eb8861b82e3cf762a0469f542123907cdac790ba122ae35236980d536763588.exe	28
PID 1684 wrote to memory of 2148	1684	6eb8861b82e3cf762a0469f542123907cdac790ba122ae35236980d536763588.exe	28
PID 1684 wrote to memory of 2148	1684	6eb8861b82e3cf762a0469f542123907cdac790ba122ae35236980d536763588.exe	28
PID 1684 wrote to memory of 3068	1684	6eb8861b82e3cf762a0469f542123907cdac790ba122ae35236980d536763588.exe	29
PID 1684 wrote to memory of 3068	1684	6eb8861b82e3cf762a0469f542123907cdac790ba122ae35236980d536763588.exe	29
PID 1684 wrote to memory of 3068	1684	6eb8861b82e3cf762a0469f542123907cdac790ba122ae35236980d536763588.exe	29
PID 1684 wrote to memory of 3068	1684	6eb8861b82e3cf762a0469f542123907cdac790ba122ae35236980d536763588.exe	29

C:\Users\Admin\AppData\Local\Temp\6eb8861b82e3cf762a0469f542123907cdac790ba122ae35236980d536763588.exe
"C:\Users\Admin\AppData\Local\Temp\6eb8861b82e3cf762a0469f542123907cdac790ba122ae35236980d536763588.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2148
- C:\UserDotZI\devoptisys.exe
  C:\UserDotZI\devoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintNK\optiaec.exe

Filesize
3.0MB

MD5
1bde9993f3da4a262940658b4e7a78fb

SHA1
1b7e69204fad6c3c08ee17e8183207c5e290e72b

SHA256
45c8d7956c3dfae944fdc5479526a2f6c960df848c79021f5c91034045380d28

SHA512
c2a7146cf1e3f452332bd1d01fc939201f54ca74e3699e245da6a5241c6a9dfeb39e343154dc22f7e26468c8aced356f9b0b521b8f59c1830fd3090440e29de8

Download Submit
C:\MintNK\optiaec.exe

Filesize
3.0MB

MD5
faba7386e9b1bac864d9a670c90992d5

SHA1
c6082716d5b068743a7905ead7792fb252d71845

SHA256
22b1ec9cb87e4df2c8fd2350643420586c18b10908da6a3448511975f68f79c0

SHA512
044d2a5bbf6a8de08f83e7b10fa555ee041726b312a76496457382d91408ed9284d5edd374606a7b8312918cf8e00ce8051fe629bcaa0fcf13d4f6345513cf0d

Download Submit
C:\UserDotZI\devoptisys.exe

Filesize
3.0MB

MD5
06b9d1e6748cdb6533a320f2b814bdc4

SHA1
5464b51495799d5bd9b8f51e30080294d4c17ce6

SHA256
e52c08515379c7a7e937d9199f149d5f7cc2017a9a618275b7608f522825eda3

SHA512
debf06306f672cc220bdfc3d23d12ef0f651bb429e5d14b05660606506988228393b0592f2b6410df0b84523f44c2fed8b86c6db2d0a8819822fd44a34a069b3

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
173B

MD5
ca09ecc9a51126c8d21344417bbb505b

SHA1
20451a0c3bb53f9f74c9df37020c07818718dbca

SHA256
2bdd138572ac318878635a33e77ba99f19d40dc434ead873d5bea5afc11f3304

SHA512
6889a7d195ae5d89d26f229107e253467ed516674ecc73a6892d6b024542ebf1fdf224ffaebd8ba95b2a20c740c61c08cb4e5913e09bf9d5b8188524d509e39f

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
205B

MD5
0bac392ee3fce3329ec4f831e0db3a5b

SHA1
6fafcfb5be8c7e653c25f2182d11ab4e45c29f2c

SHA256
22b989ee0f97fc55f53dc1620640bea6f7d424e498ec4921c8dd891b6366d247

SHA512
39da10363060ec8b155761e0ca987ebcb6258f1a64e080d053d98091bfb49fab20afdc6184d26cc86f8741e3b86a127ced4ef09bbc547fbf82b46ce107a20540

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe

Filesize
3.0MB

MD5
f1fde10c9029e66fdeb08fde0fa79068

SHA1
9e060f52195252db42420315e7b9e1585ec6ab81

SHA256
40bba84ce54bfb861bd0c30b207e4af5e49ebf8ea3dbef0f84ec8876c312bad6

SHA512
072e55af43152c8a1b62318b460e05a3ad42cb7845552e2691e88c52df94be34e44a7dd7d3893222942d948e72cf0c361045cfc8e925bbc70f6ea576fa8950e7

Download Submit