d6b810b58c554228c3902de31d960ac23cbc9da0b86fa78d9e9f436fc85cad0e

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
11/07/2024, 06:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d6b810b58c554228c3902de31d960ac23cbc9da0b86fa78d9e9f436fc85cad0e.exe
Size

3.6MB
MD5

d878c955d9081278cb8931d573558e5f
SHA1

3c27ca895e6ffa55e97e881db5343b73e39533cd
SHA256

d6b810b58c554228c3902de31d960ac23cbc9da0b86fa78d9e9f436fc85cad0e
SHA512

5fa7f01f14fc9843f96f4bbd939986a6454f9741825b860174c11d31e49a36942ed76c4118a36783b3d7752824563ce3201f1ced0db109e0d2f2cf9674efa59b
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBQB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpPbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe	d6b810b58c554228c3902de31d960ac23cbc9da0b86fa78d9e9f436fc85cad0e.exe

Executes dropped EXE 2 IoCs

pid	Process
460	ecabod.exe
2000	xoptiloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintHN\\dobdevloc.exe"	d6b810b58c554228c3902de31d960ac23cbc9da0b86fa78d9e9f436fc85cad0e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesPC\\xoptiloc.exe"	d6b810b58c554228c3902de31d960ac23cbc9da0b86fa78d9e9f436fc85cad0e.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
820	d6b810b58c554228c3902de31d960ac23cbc9da0b86fa78d9e9f436fc85cad0e.exe
820	d6b810b58c554228c3902de31d960ac23cbc9da0b86fa78d9e9f436fc85cad0e.exe
820	d6b810b58c554228c3902de31d960ac23cbc9da0b86fa78d9e9f436fc85cad0e.exe
820	d6b810b58c554228c3902de31d960ac23cbc9da0b86fa78d9e9f436fc85cad0e.exe
460	ecabod.exe
460	ecabod.exe
2000	xoptiloc.exe
2000	xoptiloc.exe
460	ecabod.exe
460	ecabod.exe
2000	xoptiloc.exe
2000	xoptiloc.exe
460	ecabod.exe
460	ecabod.exe
2000	xoptiloc.exe
2000	xoptiloc.exe
460	ecabod.exe
460	ecabod.exe
2000	xoptiloc.exe
2000	xoptiloc.exe
460	ecabod.exe
460	ecabod.exe
2000	xoptiloc.exe
2000	xoptiloc.exe
460	ecabod.exe
460	ecabod.exe
2000	xoptiloc.exe
2000	xoptiloc.exe
460	ecabod.exe
460	ecabod.exe
2000	xoptiloc.exe
2000	xoptiloc.exe
460	ecabod.exe
460	ecabod.exe
2000	xoptiloc.exe
2000	xoptiloc.exe
460	ecabod.exe
460	ecabod.exe
2000	xoptiloc.exe
2000	xoptiloc.exe
460	ecabod.exe
460	ecabod.exe
2000	xoptiloc.exe
2000	xoptiloc.exe
460	ecabod.exe
460	ecabod.exe
2000	xoptiloc.exe
2000	xoptiloc.exe
460	ecabod.exe
460	ecabod.exe
2000	xoptiloc.exe
2000	xoptiloc.exe
460	ecabod.exe
460	ecabod.exe
2000	xoptiloc.exe
2000	xoptiloc.exe
460	ecabod.exe
460	ecabod.exe
2000	xoptiloc.exe
2000	xoptiloc.exe
460	ecabod.exe
460	ecabod.exe
2000	xoptiloc.exe
2000	xoptiloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 820 wrote to memory of 460	820	d6b810b58c554228c3902de31d960ac23cbc9da0b86fa78d9e9f436fc85cad0e.exe	85
PID 820 wrote to memory of 460	820	d6b810b58c554228c3902de31d960ac23cbc9da0b86fa78d9e9f436fc85cad0e.exe	85
PID 820 wrote to memory of 460	820	d6b810b58c554228c3902de31d960ac23cbc9da0b86fa78d9e9f436fc85cad0e.exe	85
PID 820 wrote to memory of 2000	820	d6b810b58c554228c3902de31d960ac23cbc9da0b86fa78d9e9f436fc85cad0e.exe	86
PID 820 wrote to memory of 2000	820	d6b810b58c554228c3902de31d960ac23cbc9da0b86fa78d9e9f436fc85cad0e.exe	86
PID 820 wrote to memory of 2000	820	d6b810b58c554228c3902de31d960ac23cbc9da0b86fa78d9e9f436fc85cad0e.exe	86

C:\Users\Admin\AppData\Local\Temp\d6b810b58c554228c3902de31d960ac23cbc9da0b86fa78d9e9f436fc85cad0e.exe
"C:\Users\Admin\AppData\Local\Temp\d6b810b58c554228c3902de31d960ac23cbc9da0b86fa78d9e9f436fc85cad0e.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:820
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:460
- C:\FilesPC\xoptiloc.exe
  C:\FilesPC\xoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesPC\xoptiloc.exe

Filesize
3.6MB

MD5
98e3bb4f380fb47a215a22f7427212ec

SHA1
ac6e11ad565f389a679ce2fdef5140daefa02ac9

SHA256
e50ca319069c86d293bb07c8b334a0ba4336088ea12574039d0f3e575251ea58

SHA512
9053db32b158579921a66fb44e594da7fff4a0d858b01f8172bb90a9aa41eed1442ed052cd3d6b1c3204892bdc752a22bab8989e84a33a10cb0d91743b5421ff

Download Submit
C:\MintHN\dobdevloc.exe

Filesize
718KB

MD5
b38e8aeb17d02c09c52c077b376d5543

SHA1
711dcd5eec7052eff5659e0be1de372eacbe06fe

SHA256
c7ac5573fa0da1c15ca73e996940e79c720efeee018fd0615839a16dddcfffae

SHA512
9a60be4ef86dc91f02f5f729f5fb58d5af0bcf3ba63faaf119b14916638c2b8d62187ee28e20d198e7f3e82c2c6154e82d2569e206e0f8d6fde1f0bd7e9490cb

Download Submit
C:\MintHN\dobdevloc.exe

Filesize
201KB

MD5
a95f3aa587bfd7e8c4d814571ec093b8

SHA1
55b5258164c433ffe1817fdbdd6f553c64801e45

SHA256
4852daf8a032af98883f880f398738355844394fe9738a730407db5b270f5ccd

SHA512
d6e450dd7783426a319ad0945feb303f003cd2a3745f2cd57548ab445ff29c1eb85495170d9c126f89d1699387787585c773dce8cd99f4f8b2fde158b06143a0

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
f5ae656b715120e29e060b180704b14a

SHA1
4dd5da43a1b6f658b32b936c1a8c1575c32536ad

SHA256
7ec704424e02ff23eb8db4e4a1609a64aff3d4e7bec55a286e0fc06d7abe7033

SHA512
0a55eb45c729ea02348777dd40b20f1fd3550549f98c8a405cc171285ae9c1cdf70a0ae9da807f30be10c4a7cf19648a872d6a2d589c449821da559d2d400ba7

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
170B

MD5
978355557fc613e4a8136326aca012fb

SHA1
31a49374c5567d2a798d625d286890d2b1af3c05

SHA256
9f966ba75bd04081a2a89a0f6d646df4b295995d75137ec21faae58cacb6ac9b

SHA512
867c0d8797f90c5dd6b45d2c1198dd9731e9ccc2b925a7e0d30b4af6a4ba51e6002ac9cbe8893ca649709882900f4fb41a00d35a00d5a6877c1e620dae11a283

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe

Filesize
3.6MB

MD5
7ef105500c121e0e75db20374d8ed9e0

SHA1
c2b72ee6cb0e881b3fff8ebee5b2975349f4c5cd

SHA256
6b970c75a2a3f72280dede059de8458f1e14007fe847b484264a415fd8f101b4

SHA512
4a07136d1bab978c93d5c8369ba9032370d46005a2f539456949735a9f761af2f49fae088050885ca4c030f6c0b59cd2a14101bb431d7b5d00131164082935e0

Download Submit