305f20ffc5426d0ddff2f5e4a58fc4ef347fef51eb97c51884f184954b43e1dd

Analysis

max time kernel
119s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
19/07/2024, 01:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

32ba56e63a16c88dd288decb2f1311a0N.exe
Size

3.2MB
MD5

32ba56e63a16c88dd288decb2f1311a0
SHA1

0d55bde3992e1ac40a5743c8464c8dc1af2467d2
SHA256

305f20ffc5426d0ddff2f5e4a58fc4ef347fef51eb97c51884f184954b43e1dd
SHA512

f54d56d91e55d5ae95c01cf79cb32895c96624243d42e499d0c66ce61fcfdb4a6c47012849547eb043a0000485eff7cab51728101f5e02cf90dd8f4e28e843ff
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBjB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpobVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe	32ba56e63a16c88dd288decb2f1311a0N.exe

Executes dropped EXE 2 IoCs

pid	Process
4968	ecaopti.exe
4824	adobsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe5K\\adobsys.exe"	32ba56e63a16c88dd288decb2f1311a0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidE6\\optidevloc.exe"	32ba56e63a16c88dd288decb2f1311a0N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4292	32ba56e63a16c88dd288decb2f1311a0N.exe
4292	32ba56e63a16c88dd288decb2f1311a0N.exe
4292	32ba56e63a16c88dd288decb2f1311a0N.exe
4292	32ba56e63a16c88dd288decb2f1311a0N.exe
4968	ecaopti.exe
4968	ecaopti.exe
4824	adobsys.exe
4824	adobsys.exe
4968	ecaopti.exe
4968	ecaopti.exe
4824	adobsys.exe
4824	adobsys.exe
4968	ecaopti.exe
4968	ecaopti.exe
4824	adobsys.exe
4824	adobsys.exe
4968	ecaopti.exe
4968	ecaopti.exe
4824	adobsys.exe
4824	adobsys.exe
4968	ecaopti.exe
4968	ecaopti.exe
4824	adobsys.exe
4824	adobsys.exe
4968	ecaopti.exe
4968	ecaopti.exe
4824	adobsys.exe
4824	adobsys.exe
4968	ecaopti.exe
4968	ecaopti.exe
4824	adobsys.exe
4824	adobsys.exe
4968	ecaopti.exe
4968	ecaopti.exe
4824	adobsys.exe
4824	adobsys.exe
4968	ecaopti.exe
4968	ecaopti.exe
4824	adobsys.exe
4824	adobsys.exe
4968	ecaopti.exe
4968	ecaopti.exe
4824	adobsys.exe
4824	adobsys.exe
4968	ecaopti.exe
4968	ecaopti.exe
4824	adobsys.exe
4824	adobsys.exe
4968	ecaopti.exe
4968	ecaopti.exe
4824	adobsys.exe
4824	adobsys.exe
4968	ecaopti.exe
4968	ecaopti.exe
4824	adobsys.exe
4824	adobsys.exe
4968	ecaopti.exe
4968	ecaopti.exe
4824	adobsys.exe
4824	adobsys.exe
4968	ecaopti.exe
4968	ecaopti.exe
4824	adobsys.exe
4824	adobsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4292 wrote to memory of 4968	4292	32ba56e63a16c88dd288decb2f1311a0N.exe	87
PID 4292 wrote to memory of 4968	4292	32ba56e63a16c88dd288decb2f1311a0N.exe	87
PID 4292 wrote to memory of 4968	4292	32ba56e63a16c88dd288decb2f1311a0N.exe	87
PID 4292 wrote to memory of 4824	4292	32ba56e63a16c88dd288decb2f1311a0N.exe	88
PID 4292 wrote to memory of 4824	4292	32ba56e63a16c88dd288decb2f1311a0N.exe	88
PID 4292 wrote to memory of 4824	4292	32ba56e63a16c88dd288decb2f1311a0N.exe	88

C:\Users\Admin\AppData\Local\Temp\32ba56e63a16c88dd288decb2f1311a0N.exe
"C:\Users\Admin\AppData\Local\Temp\32ba56e63a16c88dd288decb2f1311a0N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4292
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4968
- C:\Adobe5K\adobsys.exe
  C:\Adobe5K\adobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Adobe5K\adobsys.exe

Filesize
1.7MB

MD5
40e2dbc34f3aa9b0a9f925e699c7a40e

SHA1
c73f02fe130732ea48e8efb33bd4f7dc83978ddf

SHA256
576c7700a5211e3662e09abd2babbf935d6657ccc676dc86589d7e68acfe0ce1

SHA512
3bdbde5957e1a16060a3d06596c3d15b2e751b42a976f0a6dae43bd31c10978afdea4bb458868830faa7b7f53e85b167458b4abd8fecf35fa1e8a93c6519ba83

Download Submit
C:\Adobe5K\adobsys.exe

Filesize
3.2MB

MD5
ca7ebb5b3090953018a9242b298704c1

SHA1
9e45832535135b6c54f0eee3154270bbf1a37685

SHA256
3f863b979f5ee4ca04cfd8fc999126790e51489c900a98fa9939943fc16dc946

SHA512
22d5b3db5bac8650485d028f7bcbeafb912d2794cb7ccda26387c9279f20ed27bfc8d04f07ce46e7ef92b826e18754044fa339b52d7133b7cca5954248c0feae

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
342abe5dfff24d299cc3fed9b793b6d0

SHA1
178de8e0c9f08ca9afa7425887305b136bdc9e35

SHA256
be676e40af325af40eff7b5859d0c9d2ec095d3fd680c8f68f7cb0d24a30bca7

SHA512
9ffc9cb4c42313f9a6d486aaf2218d825d43c70d328b9faf8d1a8a2d9c15ab39d1ea1f08c3131f45993b7ddc69be570ab6ad45c26506701b309f3d90f2111f4d

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
170B

MD5
e1c0d351da64c849674a659923ad38ce

SHA1
ddb4261a0d2d525283ae280654a51c4b822675a8

SHA256
4b9133ed7bbc56bf9115da86b6d3f02a506529581440bbd9407fcae341933a32

SHA512
3816185bbaf317aa7be371e29b1bf13159c88129f23c9bf28f4ed067a93a3055a661e6451c58d4fc4eee253a72539771b5a3f101447678147c049f5c7c4e3910

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe

Filesize
3.2MB

MD5
a06ffc60da830f8cef606a97e0d40568

SHA1
759defe3052a2cdb56efc63c884d96451fe59929

SHA256
54c3fb6394f1a9491b1f0b9313ac06c8055a0170632e4072f83a0a3e3c12b85f

SHA512
5078679ee33910d9178d731ce14269230974d5e7ec825cd4478400ed0119fcb932cd758beea07a091690edeb1fd55149ecbef45699e63f722bd9d4af425adc31

Download Submit
C:\VidE6\optidevloc.exe

Filesize
3.2MB

MD5
3c00e27f36d9f0ce816c693e47df19f1

SHA1
38979177425da3766d6a168b1840e06f6d25f229

SHA256
6a43cd5a3f215d1cc5b4f91ad2272e835e1fff5a4f0fce20e74211ffe3e2d83b

SHA512
2d11b3897d891d88721c9fae9d07df55bb7f61453301c0b53208bb27191e19a861c8c879550bd7802a9b770b5a1244cae18462dfb9482daf124e344831e771f6

Download Submit