f851365670ab23dc1b3e31fdf0d788e745d50b1a57532960e90adbf77571e127

Analysis

max time kernel
150s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10/07/2024, 07:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f851365670ab23dc1b3e31fdf0d788e745d50b1a57532960e90adbf77571e127.exe
Size

2.7MB
MD5

aaa9a656f2defb56d259463c4213a9b5
SHA1

3bc3774fb3866f84983d8a19fc642b3433a80a3d
SHA256

f851365670ab23dc1b3e31fdf0d788e745d50b1a57532960e90adbf77571e127
SHA512

4b0d3cf4b0bd7ef72bc77ec85e7fc9921d7004d2de5c686dddd7e6fcda43d605629ad47bb3ec4af35d7ab4ffea488168b817f3d7e898ebbda0e6a4d2b82734f6
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB8B/bSq:sxX7QnxrloE5dpUpLbV

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe	f851365670ab23dc1b3e31fdf0d788e745d50b1a57532960e90adbf77571e127.exe

Executes dropped EXE 2 IoCs

pid	Process
1008	ecaopti.exe
564	aoptiec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotYY\\aoptiec.exe"	f851365670ab23dc1b3e31fdf0d788e745d50b1a57532960e90adbf77571e127.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint28\\dobasys.exe"	f851365670ab23dc1b3e31fdf0d788e745d50b1a57532960e90adbf77571e127.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1328	f851365670ab23dc1b3e31fdf0d788e745d50b1a57532960e90adbf77571e127.exe
1328	f851365670ab23dc1b3e31fdf0d788e745d50b1a57532960e90adbf77571e127.exe
1328	f851365670ab23dc1b3e31fdf0d788e745d50b1a57532960e90adbf77571e127.exe
1328	f851365670ab23dc1b3e31fdf0d788e745d50b1a57532960e90adbf77571e127.exe
1008	ecaopti.exe
1008	ecaopti.exe
564	aoptiec.exe
564	aoptiec.exe
1008	ecaopti.exe
1008	ecaopti.exe
564	aoptiec.exe
564	aoptiec.exe
1008	ecaopti.exe
1008	ecaopti.exe
564	aoptiec.exe
564	aoptiec.exe
1008	ecaopti.exe
1008	ecaopti.exe
564	aoptiec.exe
564	aoptiec.exe
1008	ecaopti.exe
1008	ecaopti.exe
564	aoptiec.exe
564	aoptiec.exe
1008	ecaopti.exe
1008	ecaopti.exe
564	aoptiec.exe
564	aoptiec.exe
1008	ecaopti.exe
1008	ecaopti.exe
564	aoptiec.exe
564	aoptiec.exe
1008	ecaopti.exe
1008	ecaopti.exe
564	aoptiec.exe
564	aoptiec.exe
1008	ecaopti.exe
1008	ecaopti.exe
564	aoptiec.exe
564	aoptiec.exe
1008	ecaopti.exe
1008	ecaopti.exe
564	aoptiec.exe
564	aoptiec.exe
1008	ecaopti.exe
1008	ecaopti.exe
564	aoptiec.exe
564	aoptiec.exe
1008	ecaopti.exe
1008	ecaopti.exe
564	aoptiec.exe
564	aoptiec.exe
1008	ecaopti.exe
1008	ecaopti.exe
564	aoptiec.exe
564	aoptiec.exe
1008	ecaopti.exe
1008	ecaopti.exe
564	aoptiec.exe
564	aoptiec.exe
1008	ecaopti.exe
1008	ecaopti.exe
564	aoptiec.exe
564	aoptiec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1328 wrote to memory of 1008	1328	f851365670ab23dc1b3e31fdf0d788e745d50b1a57532960e90adbf77571e127.exe	84
PID 1328 wrote to memory of 1008	1328	f851365670ab23dc1b3e31fdf0d788e745d50b1a57532960e90adbf77571e127.exe	84
PID 1328 wrote to memory of 1008	1328	f851365670ab23dc1b3e31fdf0d788e745d50b1a57532960e90adbf77571e127.exe	84
PID 1328 wrote to memory of 564	1328	f851365670ab23dc1b3e31fdf0d788e745d50b1a57532960e90adbf77571e127.exe	85
PID 1328 wrote to memory of 564	1328	f851365670ab23dc1b3e31fdf0d788e745d50b1a57532960e90adbf77571e127.exe	85
PID 1328 wrote to memory of 564	1328	f851365670ab23dc1b3e31fdf0d788e745d50b1a57532960e90adbf77571e127.exe	85

C:\Users\Admin\AppData\Local\Temp\f851365670ab23dc1b3e31fdf0d788e745d50b1a57532960e90adbf77571e127.exe
"C:\Users\Admin\AppData\Local\Temp\f851365670ab23dc1b3e31fdf0d788e745d50b1a57532960e90adbf77571e127.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1328
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1008
- C:\UserDotYY\aoptiec.exe
  C:\UserDotYY\aoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Mint28\dobasys.exe

Filesize
665KB

MD5
d9be09c22dd60c10a18251e18e510417

SHA1
3f3b51be9b29d61674e8a196dfeba59c2ec0f36c

SHA256
8cfe96e643ec26a9b5389934a97cf6a3d4d6b7473840c277c5389f568d898475

SHA512
aad15da0702407670daeda2fc0d7fa6c43e1e067cdcc4d245726e2726fc5098d32c803698c8b67742e7f8b796ca9f2ed095af80b9aa4ad5f926f1ccdb73cf2e2

Download Submit
C:\Mint28\dobasys.exe

Filesize
2.7MB

MD5
806c8e8ba8eaf25d0612982311ccaab2

SHA1
7cf6dbe051986b6f512c07fd9eedb5049d6891f1

SHA256
48e5a7c9cc33ca81b29fab6544a51830573bd6c361c43c059458e68be3f6bc00

SHA512
d5758d73ddd1a9a997fb650b1e8c193abddb7301f5c6e2cca20bf39c555bb91dfaf00bf1ff6360ba0874d5ddadd0cf5882403853ea5aa7b5a85fd8f021e21d37

Download Submit
C:\UserDotYY\aoptiec.exe

Filesize
2.7MB

MD5
9d08dcc2dc62dad992009d7a8223437a

SHA1
a616f37d57e085db4c5b7804131d0357c22f61e3

SHA256
62ae2c9d18f12fc326c04b3d50cd2362d6ade5bef86a739308d3791365f008fd

SHA512
5d4cfd2f6f5dc7a8bed8b5c7d26e31ae7965c5989d67194f361dbe07b774b3623a6876c9903ca7ac00102469dcf6d90b44302bd7ffceef462da9108bd195a8cc

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
213bd30b98e1d19eee12e00f90f60664

SHA1
00bc27ac9bbb627424ecfd1edde0aa3c8e7b500a

SHA256
74998167e726c310980238b1ddaf77ff3d9068b5f0b36c2d9b8e28ea181546db

SHA512
bbc9200c34b9edad63491c772418c7e9c691cd610e6d4311cfbccefbf6abcc5601c5811413232e6dbfa2dd21006f4700425c2a73b5c75c37043ade091b90d817

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
170B

MD5
6998598748fb5a4ea59e36a8c22a6b34

SHA1
66fee5287d732af10fab94300ac3f6c32541a677

SHA256
f52b5112a6dc303dae553c6a2001e3d2ff8f4d930555252bc3832b88c5874b07

SHA512
9382c89b83b696f9189b1f1942593df3206d725e889e059a9c800d434f46e422e1ffbb050876a8ca719ec5b856c9429f83a716c27074074e4b8ad1c046e46cbb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe

Filesize
2.7MB

MD5
b2d9a54e937774801882f27b7820b0bc

SHA1
1bc7eb68c68c56399615c0049993b30a27cec5d1

SHA256
1c9f96d4e39a4bb3ff2f09dd22a8c242f122c418abef4ad4a46c3279d38c9a01

SHA512
c10d2c5572086a4761f5e0759e902f3a2ca647a5a8804d250f666e15655bb6422ee18a5726a60f38913f0e64ea4f9ed14427c36f12e34bb0104fa68536319d24

Download Submit