1e147da0e92bdeecdbf81af8a663496ddf0b0eaa2bb8a6fe1e354d1e02fd1ea7

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
06/08/2024, 19:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e147da0e92bdeecdbf81af8a663496ddf0b0eaa2bb8a6fe1e354d1e02fd1ea7.exe
Size

3.9MB
MD5

130ce263810502ef67b195be63833750
SHA1

b7549d4be7e7a5fbc4aae431563882caf1ebd140
SHA256

1e147da0e92bdeecdbf81af8a663496ddf0b0eaa2bb8a6fe1e354d1e02fd1ea7
SHA512

1c450d0d7ddb74e034c76768229a7923ae4cc8654df373c2903a7a04a4c9343d761bbdc4506bc0c514800c73831b4cd0a94903bb0eb05922fb85e467f316699c
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBxB/bSqz8:sxX7QnxrloE5dpUp2bVz8

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe	1e147da0e92bdeecdbf81af8a663496ddf0b0eaa2bb8a6fe1e354d1e02fd1ea7.exe

Executes dropped EXE 2 IoCs

pid	Process
2808	ecaopti.exe
2652	devoptiec.exe

Loads dropped DLL 2 IoCs

pid	Process
2024	1e147da0e92bdeecdbf81af8a663496ddf0b0eaa2bb8a6fe1e354d1e02fd1ea7.exe
2024	1e147da0e92bdeecdbf81af8a663496ddf0b0eaa2bb8a6fe1e354d1e02fd1ea7.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot59\\devoptiec.exe"	1e147da0e92bdeecdbf81af8a663496ddf0b0eaa2bb8a6fe1e354d1e02fd1ea7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintZB\\optixec.exe"	1e147da0e92bdeecdbf81af8a663496ddf0b0eaa2bb8a6fe1e354d1e02fd1ea7.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devoptiec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1e147da0e92bdeecdbf81af8a663496ddf0b0eaa2bb8a6fe1e354d1e02fd1ea7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecaopti.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2024	1e147da0e92bdeecdbf81af8a663496ddf0b0eaa2bb8a6fe1e354d1e02fd1ea7.exe
2024	1e147da0e92bdeecdbf81af8a663496ddf0b0eaa2bb8a6fe1e354d1e02fd1ea7.exe
2808	ecaopti.exe
2652	devoptiec.exe
2808	ecaopti.exe
2652	devoptiec.exe
2808	ecaopti.exe
2652	devoptiec.exe
2808	ecaopti.exe
2652	devoptiec.exe
2808	ecaopti.exe
2652	devoptiec.exe
2808	ecaopti.exe
2652	devoptiec.exe
2808	ecaopti.exe
2652	devoptiec.exe
2808	ecaopti.exe
2652	devoptiec.exe
2808	ecaopti.exe
2652	devoptiec.exe
2808	ecaopti.exe
2652	devoptiec.exe
2808	ecaopti.exe
2652	devoptiec.exe
2808	ecaopti.exe
2652	devoptiec.exe
2808	ecaopti.exe
2652	devoptiec.exe
2808	ecaopti.exe
2652	devoptiec.exe
2808	ecaopti.exe
2652	devoptiec.exe
2808	ecaopti.exe
2652	devoptiec.exe
2808	ecaopti.exe
2652	devoptiec.exe
2808	ecaopti.exe
2652	devoptiec.exe
2808	ecaopti.exe
2652	devoptiec.exe
2808	ecaopti.exe
2652	devoptiec.exe
2808	ecaopti.exe
2652	devoptiec.exe
2808	ecaopti.exe
2652	devoptiec.exe
2808	ecaopti.exe
2652	devoptiec.exe
2808	ecaopti.exe
2652	devoptiec.exe
2808	ecaopti.exe
2652	devoptiec.exe
2808	ecaopti.exe
2652	devoptiec.exe
2808	ecaopti.exe
2652	devoptiec.exe
2808	ecaopti.exe
2652	devoptiec.exe
2808	ecaopti.exe
2652	devoptiec.exe
2808	ecaopti.exe
2652	devoptiec.exe
2808	ecaopti.exe
2652	devoptiec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 2808	2024	1e147da0e92bdeecdbf81af8a663496ddf0b0eaa2bb8a6fe1e354d1e02fd1ea7.exe	30
PID 2024 wrote to memory of 2808	2024	1e147da0e92bdeecdbf81af8a663496ddf0b0eaa2bb8a6fe1e354d1e02fd1ea7.exe	30
PID 2024 wrote to memory of 2808	2024	1e147da0e92bdeecdbf81af8a663496ddf0b0eaa2bb8a6fe1e354d1e02fd1ea7.exe	30
PID 2024 wrote to memory of 2808	2024	1e147da0e92bdeecdbf81af8a663496ddf0b0eaa2bb8a6fe1e354d1e02fd1ea7.exe	30
PID 2024 wrote to memory of 2652	2024	1e147da0e92bdeecdbf81af8a663496ddf0b0eaa2bb8a6fe1e354d1e02fd1ea7.exe	31
PID 2024 wrote to memory of 2652	2024	1e147da0e92bdeecdbf81af8a663496ddf0b0eaa2bb8a6fe1e354d1e02fd1ea7.exe	31
PID 2024 wrote to memory of 2652	2024	1e147da0e92bdeecdbf81af8a663496ddf0b0eaa2bb8a6fe1e354d1e02fd1ea7.exe	31
PID 2024 wrote to memory of 2652	2024	1e147da0e92bdeecdbf81af8a663496ddf0b0eaa2bb8a6fe1e354d1e02fd1ea7.exe	31

C:\Users\Admin\AppData\Local\Temp\1e147da0e92bdeecdbf81af8a663496ddf0b0eaa2bb8a6fe1e354d1e02fd1ea7.exe
"C:\Users\Admin\AppData\Local\Temp\1e147da0e92bdeecdbf81af8a663496ddf0b0eaa2bb8a6fe1e354d1e02fd1ea7.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2808
- C:\UserDot59\devoptiec.exe
  C:\UserDot59\devoptiec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintZB\optixec.exe

Filesize
100KB

MD5
d979ae5cdca31e25dfc617d02e9452ef

SHA1
504e2186364fe6330ce6c587449ba8a70f7f8213

SHA256
8ba7b412d08b4d7fcbb622c06df35188acfd5cb720e4ba793f1be9324a33ac0e

SHA512
b7df695febda38aa2aa68dcfc3997d073463eadf15c0da8e63656350d550f9d0e8b7ba050e09fe48369b8f87f2f5e23923c2fa41b50ee172b992379fade25f94

Download Submit
C:\MintZB\optixec.exe

Filesize
3.9MB

MD5
9eeb2a78f056a0dee679c8937474965f

SHA1
2f4b674826190a5092f4e38afd288b3a8d957050

SHA256
b61d231c36f2f9d2ee3f4c7fe35fc4fbbfe4e66405913243b9030c2e053b4bde

SHA512
7a1085f959c9194952b443639bef7d1e22f69e264927b0530f0d0859a4bdfc757b6dd60c0197eef0a0721eae08cfb67a498eba088d33cae51e287990cc9de91c

Download Submit
C:\UserDot59\devoptiec.exe

Filesize
2.4MB

MD5
e9261f7fdcb833752ac7b31d571cc00e

SHA1
6dfd76366b21490b0b869a04c17b05540ab71b14

SHA256
4a4cd8774209fa1e805583a7de54c0a823c8c117c2379d3a9513eb3bdf18fe60

SHA512
62c1d45034f87074bad15c33de43dff068a6e94ed4a2596937b338521a1b7aaf14636339db84b86c59753b98b98efd7245fff2cc287caf6247a97633b90b79ab

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
172B

MD5
dec56a33dc6cfcc0db5f61d5424e572d

SHA1
58d9423dbe04f17c7b1902a36f8be9e9eb96607e

SHA256
72671c5e8ca6e994b017d8613b1fa1495c4b0538926d6d0698241242f6e3139e

SHA512
88009aa325a0dd985f1660f02425c87e0dd95d5474ca33d0e33bb4a8588bdb98965c0a5f1b3e0e83cf405a764e66390a3c2cfae4cb2e04392b000e286243b78c

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
3b45fb2424bdd91994f12d1fee8b2178

SHA1
9c7ca533ecd25954a499227a5c78cc23c8069829

SHA256
e787d88a59ef5e272e5abcac744a580778fce59e8278484c8082903837516980

SHA512
84fb82c7190f40ec5a314a480d14d2cc92c51f1f8c3fb69fb1c8260ecab2d2f477a845219456d9d06e6aa161d5df0e5e8abc3660ca7945679f39e03504bc8290

Download Submit
\UserDot59\devoptiec.exe

Filesize
3.9MB

MD5
29af8a207738c3d5de7873ca4fd587c8

SHA1
cab81fbd7f382aa040f673a50e73bac45461f1b2

SHA256
07462cd9dc3d36cec10cb3423bc10d79ab52912606792a9ba4752c62ca6c5f11

SHA512
ec9c8ace930f500c2f4341467e4fd233e085fab73900ac126e592d48220893c46969ecc2a896aba1cec644aa245fbb0c2fad2d58ce845824772922e3523cba3d

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe

Filesize
3.9MB

MD5
17925a6d862c0312cfa7f2db243af5a6

SHA1
51a680c4cc7b52b07ce4d89304dc7a40289c1912

SHA256
32db75ada5e7e79b10b8c7fd0e764f7d41b4dd95d2b052fc15d068288b834fec

SHA512
d0cf54169aff19785a5912b52f98c35762384e80b047f7117e148b3c9d161120ca6f5f37ac429e816a863ec51fe56d7aa722abf19a1c0ccf21222021a53679ab

Download Submit