8bb451ebc7994a0acc544264b10ec2e5d34d0d8e9a7cfe4441ac86f5c7a3ca24

Analysis

max time kernel
148s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
03/06/2024, 00:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8bb451ebc7994a0acc544264b10ec2e5d34d0d8e9a7cfe4441ac86f5c7a3ca24.exe
Size

3.6MB
MD5

1b465683b99a9a059afa5892b0e58220
SHA1

6df1d43c168027e0a22feca76427aa49028f8a9e
SHA256

8bb451ebc7994a0acc544264b10ec2e5d34d0d8e9a7cfe4441ac86f5c7a3ca24
SHA512

a1f197898b45681e2729f13d3a936e771765c14a5e1cfc7c5817136d9be0fc6eeeea3270526bde74523e838303c83cfed1751bcfdd770859343671901f6899f6
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBRB/bSqz8:sxX7QnxrloE5dpUpmbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe	8bb451ebc7994a0acc544264b10ec2e5d34d0d8e9a7cfe4441ac86f5c7a3ca24.exe

Executes dropped EXE 2 IoCs

pid	Process
2108	ecadob.exe
3052	devoptiec.exe

Loads dropped DLL 2 IoCs

pid	Process
848	8bb451ebc7994a0acc544264b10ec2e5d34d0d8e9a7cfe4441ac86f5c7a3ca24.exe
848	8bb451ebc7994a0acc544264b10ec2e5d34d0d8e9a7cfe4441ac86f5c7a3ca24.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocJX\\devoptiec.exe"	8bb451ebc7994a0acc544264b10ec2e5d34d0d8e9a7cfe4441ac86f5c7a3ca24.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB80\\optiaec.exe"	8bb451ebc7994a0acc544264b10ec2e5d34d0d8e9a7cfe4441ac86f5c7a3ca24.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
848	8bb451ebc7994a0acc544264b10ec2e5d34d0d8e9a7cfe4441ac86f5c7a3ca24.exe
848	8bb451ebc7994a0acc544264b10ec2e5d34d0d8e9a7cfe4441ac86f5c7a3ca24.exe
2108	ecadob.exe
3052	devoptiec.exe
2108	ecadob.exe
3052	devoptiec.exe
2108	ecadob.exe
3052	devoptiec.exe
2108	ecadob.exe
3052	devoptiec.exe
2108	ecadob.exe
3052	devoptiec.exe
2108	ecadob.exe
3052	devoptiec.exe
2108	ecadob.exe
3052	devoptiec.exe
2108	ecadob.exe
3052	devoptiec.exe
2108	ecadob.exe
3052	devoptiec.exe
2108	ecadob.exe
3052	devoptiec.exe
2108	ecadob.exe
3052	devoptiec.exe
2108	ecadob.exe
3052	devoptiec.exe
2108	ecadob.exe
3052	devoptiec.exe
2108	ecadob.exe
3052	devoptiec.exe
2108	ecadob.exe
3052	devoptiec.exe
2108	ecadob.exe
3052	devoptiec.exe
2108	ecadob.exe
3052	devoptiec.exe
2108	ecadob.exe
3052	devoptiec.exe
2108	ecadob.exe
3052	devoptiec.exe
2108	ecadob.exe
3052	devoptiec.exe
2108	ecadob.exe
3052	devoptiec.exe
2108	ecadob.exe
3052	devoptiec.exe
2108	ecadob.exe
3052	devoptiec.exe
2108	ecadob.exe
3052	devoptiec.exe
2108	ecadob.exe
3052	devoptiec.exe
2108	ecadob.exe
3052	devoptiec.exe
2108	ecadob.exe
3052	devoptiec.exe
2108	ecadob.exe
3052	devoptiec.exe
2108	ecadob.exe
3052	devoptiec.exe
2108	ecadob.exe
3052	devoptiec.exe
2108	ecadob.exe
3052	devoptiec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 848 wrote to memory of 2108	848	8bb451ebc7994a0acc544264b10ec2e5d34d0d8e9a7cfe4441ac86f5c7a3ca24.exe	28
PID 848 wrote to memory of 2108	848	8bb451ebc7994a0acc544264b10ec2e5d34d0d8e9a7cfe4441ac86f5c7a3ca24.exe	28
PID 848 wrote to memory of 2108	848	8bb451ebc7994a0acc544264b10ec2e5d34d0d8e9a7cfe4441ac86f5c7a3ca24.exe	28
PID 848 wrote to memory of 2108	848	8bb451ebc7994a0acc544264b10ec2e5d34d0d8e9a7cfe4441ac86f5c7a3ca24.exe	28
PID 848 wrote to memory of 3052	848	8bb451ebc7994a0acc544264b10ec2e5d34d0d8e9a7cfe4441ac86f5c7a3ca24.exe	29
PID 848 wrote to memory of 3052	848	8bb451ebc7994a0acc544264b10ec2e5d34d0d8e9a7cfe4441ac86f5c7a3ca24.exe	29
PID 848 wrote to memory of 3052	848	8bb451ebc7994a0acc544264b10ec2e5d34d0d8e9a7cfe4441ac86f5c7a3ca24.exe	29
PID 848 wrote to memory of 3052	848	8bb451ebc7994a0acc544264b10ec2e5d34d0d8e9a7cfe4441ac86f5c7a3ca24.exe	29

C:\Users\Admin\AppData\Local\Temp\8bb451ebc7994a0acc544264b10ec2e5d34d0d8e9a7cfe4441ac86f5c7a3ca24.exe
"C:\Users\Admin\AppData\Local\Temp\8bb451ebc7994a0acc544264b10ec2e5d34d0d8e9a7cfe4441ac86f5c7a3ca24.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:848
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2108
- C:\IntelprocJX\devoptiec.exe
  C:\IntelprocJX\devoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocJX\devoptiec.exe

Filesize
3.0MB

MD5
11408d98d5bc350e10c930a712dca487

SHA1
24ccc86ce4e8947f9af6836633c8cbc4074b9169

SHA256
dee2c107162aeb3c31e8dfaa091c2df7cd040e8a8ae69217cfe3a8c85fd7d2f6

SHA512
c370b463989bbb7060d616ca22993e0ee3bc559951a5bfb2e53351a65902b6bdeb8f05278af1c41daf71580f581d00bfaf270ffb45e71c6f4efbdda3fcf0f44d

Download Submit
C:\KaVB80\optiaec.exe

Filesize
488KB

MD5
ed1e6880379202a5aa23e4a15fd15220

SHA1
41117608cf300a587d662d3f1e26a87851ba85e7

SHA256
ea4f67aafb949faf59b90e5cf0da952d3f139c355d8c7e0cf34eeab56ebabbe0

SHA512
ef47e4fcfe0f6d4e6d8d538e88019c389d227c1d44aae3b117993cc4a86e6c792fffc7d26ce335c9a070ea9a1d07541f7033b7b57c109caeb938f57cb9a140f1

Download Submit
C:\KaVB80\optiaec.exe

Filesize
3.6MB

MD5
b482204117f1b6bf8fb4380a63dfa80d

SHA1
52067176fddca321ca0f7a6dbc3815a0ce34b850

SHA256
932778a9bcec0c5c6093149b13e45a3494a73c32efe48bf8a26d7132e7e2da60

SHA512
bd782c61880ce08dc16cd15acc11fffa0747fe6d2ced64154e62eddf5b84d6a7271d2a957f4614e1db86018b0445edd4524def2afe5623b361904d2222863699

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
173B

MD5
c41832f656fb01aa27efb8027a38e684

SHA1
662a006683f310b197c67ee9a6824a3295670ea2

SHA256
c80c3fcd2c33f525372ff960eeec2fa015f74ab53dd109023dbacd607aedb499

SHA512
4114a95ba04d87daeff232ddc0ac5b8e7b57ab9d639ec4e78dc853895dcd9e8b6ffeb3df82723e6e0d5421671b970e1567f89c310a262b9c17eb4178fd0b5f55

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
205B

MD5
e32bd40d74bb4d4cc4efe407144a6fef

SHA1
abef85edd1388d3181f57cba83dc240c5476b9e7

SHA256
45ecc408e93895f62906434cee3929b0939bfc9b1e496fca35e2e52e5478a58f

SHA512
bc2ccf0c54ccaaf0434d7de673769eb44b6420cf87eac8766804ca479e18589c56aab96c64d627a5cd6d719d6f6e7db508848486f618b77a6cb66054833e0a3f

Download Submit
\IntelprocJX\devoptiec.exe

Filesize
3.6MB

MD5
cd4f8b1fd8b23bf721b99defa775ae27

SHA1
250f831648a6d5ca97071ab3bc7ab938b544e7d4

SHA256
5a4974d093ef16edbd0563fb95079e3298ffcd176405dc4fd1f869001e60b93a

SHA512
e18d37527aaf334a922eb2ae29f1662ac32053ca1220d69f8a5a36989f93dd06bdce22b40c43e1a455a3a0abdf3c214a2eeee70bb1569c3e409f28a37b1c0bb3

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe

Filesize
3.6MB

MD5
355092df435a2979844b5bfd470fc9b4

SHA1
59300262a734c8f6746ba6765afc7b5b02f23510

SHA256
ecc99dc8ffad2e76ebe42457e681ea1c24ba3695e6d6fade1c11b0e14ef0f530

SHA512
052a7d53113a586e9825c9349b9c6c78662eea25c3c42497f6f3f0f9ecbe6e194c1fc2d9aa151ad0f78fc9e102dc3a1ada26520c1c369e50b0eb1f7d2f843ea8

Download Submit