5bbef01874be4ea423f9f16625f2547780c63ab22f8ff173063fe39c3b1741e9

Analysis

max time kernel
120s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18-08-2024 03:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a20ca8c0641b7da0aea16281c59eb0d0N.exe
Size

3.2MB
MD5

a20ca8c0641b7da0aea16281c59eb0d0
SHA1

34701817287c0550c0d85d594e393556ac9a4df9
SHA256

5bbef01874be4ea423f9f16625f2547780c63ab22f8ff173063fe39c3b1741e9
SHA512

97383f2aa9cffd65f42142c2a2fe85bd020f32eb98c33e20a3e79a838ee374e21564d2420ea3388f6962ade4ff35b479b02fb7fcea0031b8f2c8b75d87292f17
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBOB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpRbVz8eLFcz

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe	a20ca8c0641b7da0aea16281c59eb0d0N.exe

Executes dropped EXE 2 IoCs

pid	Process
4448	ecaopti.exe
1992	xdobloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZJ9\\optiasys.exe"	a20ca8c0641b7da0aea16281c59eb0d0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocZT\\xdobloc.exe"	a20ca8c0641b7da0aea16281c59eb0d0N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a20ca8c0641b7da0aea16281c59eb0d0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecaopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdobloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3484	a20ca8c0641b7da0aea16281c59eb0d0N.exe
3484	a20ca8c0641b7da0aea16281c59eb0d0N.exe
3484	a20ca8c0641b7da0aea16281c59eb0d0N.exe
3484	a20ca8c0641b7da0aea16281c59eb0d0N.exe
4448	ecaopti.exe
4448	ecaopti.exe
1992	xdobloc.exe
1992	xdobloc.exe
4448	ecaopti.exe
4448	ecaopti.exe
1992	xdobloc.exe
1992	xdobloc.exe
4448	ecaopti.exe
4448	ecaopti.exe
1992	xdobloc.exe
1992	xdobloc.exe
4448	ecaopti.exe
4448	ecaopti.exe
1992	xdobloc.exe
1992	xdobloc.exe
4448	ecaopti.exe
4448	ecaopti.exe
1992	xdobloc.exe
1992	xdobloc.exe
4448	ecaopti.exe
4448	ecaopti.exe
1992	xdobloc.exe
1992	xdobloc.exe
4448	ecaopti.exe
4448	ecaopti.exe
1992	xdobloc.exe
1992	xdobloc.exe
4448	ecaopti.exe
4448	ecaopti.exe
1992	xdobloc.exe
1992	xdobloc.exe
4448	ecaopti.exe
4448	ecaopti.exe
1992	xdobloc.exe
1992	xdobloc.exe
4448	ecaopti.exe
4448	ecaopti.exe
1992	xdobloc.exe
1992	xdobloc.exe
4448	ecaopti.exe
4448	ecaopti.exe
1992	xdobloc.exe
1992	xdobloc.exe
4448	ecaopti.exe
4448	ecaopti.exe
1992	xdobloc.exe
1992	xdobloc.exe
4448	ecaopti.exe
4448	ecaopti.exe
1992	xdobloc.exe
1992	xdobloc.exe
4448	ecaopti.exe
4448	ecaopti.exe
1992	xdobloc.exe
1992	xdobloc.exe
4448	ecaopti.exe
4448	ecaopti.exe
1992	xdobloc.exe
1992	xdobloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3484 wrote to memory of 4448	3484	a20ca8c0641b7da0aea16281c59eb0d0N.exe	87
PID 3484 wrote to memory of 4448	3484	a20ca8c0641b7da0aea16281c59eb0d0N.exe	87
PID 3484 wrote to memory of 4448	3484	a20ca8c0641b7da0aea16281c59eb0d0N.exe	87
PID 3484 wrote to memory of 1992	3484	a20ca8c0641b7da0aea16281c59eb0d0N.exe	90
PID 3484 wrote to memory of 1992	3484	a20ca8c0641b7da0aea16281c59eb0d0N.exe	90
PID 3484 wrote to memory of 1992	3484	a20ca8c0641b7da0aea16281c59eb0d0N.exe	90

C:\Users\Admin\AppData\Local\Temp\a20ca8c0641b7da0aea16281c59eb0d0N.exe
"C:\Users\Admin\AppData\Local\Temp\a20ca8c0641b7da0aea16281c59eb0d0N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3484
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4448
- C:\IntelprocZT\xdobloc.exe
  C:\IntelprocZT\xdobloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocZT\xdobloc.exe

Filesize
2.4MB

MD5
a594d1520a3503a8180ef8132a11a00f

SHA1
562b644c7cee74fb63354a312aee09bddb376e37

SHA256
435ca970175fc22368b3f0712a4e224327a3edfac309f17b724f617ff700ade8

SHA512
6d9fdbbc27a723f038d8680b020f1eed7315fdb0afacf8aa783738f2649ff43117860cd7ba9db21f596c1f8ddd1bd62525554e80f6351bcdcd024e95d71be3b7

Download Submit
C:\IntelprocZT\xdobloc.exe

Filesize
3.2MB

MD5
a27f2b47a277b4fa0b4423169ef6a218

SHA1
c6f688faabbaf00702e92c74e02133afc3c56d3e

SHA256
0692ba353b2a7824b4fe5054171f90abf89a7c44b1b1d030fd23fee7a0f43b8e

SHA512
5affb3713ba8a51f69ecc36ddc5344c7ac4abab334a197801971f1f4db162964f1577a037ad43d525aff49bcfb03915900dc95b41a11529ef891c3ce8c472754

Download Submit
C:\LabZJ9\optiasys.exe

Filesize
441KB

MD5
24fdf1bd683613dc6eaf403e2bf3fc0a

SHA1
514be4095d615b68bbdc63bd170d05634871acd8

SHA256
0f982a3788f575d193ca2dbc339744fb973bb3757c640ebefead8535eaf89863

SHA512
d85daed8f6d314583ef4c5d5544b20e193db895ec5ea466f4390ebde97184029b91ef5d794636c5d6b2e3cf7ade48924a26840d49055fcf7c51efd5a1e073bf6

Download Submit
C:\LabZJ9\optiasys.exe

Filesize
639KB

MD5
73b435477dfaf14e25b1d8b23c737c7d

SHA1
a4cb45c1a734079f1cfe75b948cafbb8a15503d9

SHA256
fa8bc0ad340d58791e81fb2a2ccfbf417dcd64313b6a253bb47d21eaf56dd1ef

SHA512
30889d2bbcdeccfd226b52d27fe1d457f3e78ff8359620e24c0b2974124ffe46b3b4c138e7777d2f058bce75c30bdd1976eca851af62d0703b8f4957d7b2b627

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
3cbd48f5a2f1108a1c65895ef172b366

SHA1
5770bc0af7804491f398a90cded453d67e7f4542

SHA256
d6625785af1914a65fc02a6833b811d8a16ceb7ec3254415af362ae7c41a0344

SHA512
7a85b601dab66adfbcfc600ecdf404ca17104bb421afc96e4693ddd6fd4f19337659805502779d60a61109d5c9f9bd4854b8479000d72671acea6b08dc3974bb

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
173B

MD5
b0becb3332b8b4766e947004b82721c5

SHA1
6206c0f0a48a2eb233080044fb64e3601a9f97b5

SHA256
3b56b76d5d8fcef4513ac76653b92e59195fbfb4479aa2e68196ff53ec35a40e

SHA512
7bc22fd986749f770cd349320cce63e36f46b15111d62cc96e1da0b7653a70fad60fe2d84d736b9301f221d4821fc2793ea100d7c6d77e40a7735171a88015d7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe

Filesize
3.2MB

MD5
02c16b5cf7475413ec0c8b84a1fb5cd3

SHA1
874f41ed515c064a0906d9254f90dab6e90e7ef9

SHA256
210543fafdb7816a36c1c983c2d79329f8fe7ba081c480390406ba4ae171cb8e

SHA512
1e4aa5e125478b61d161ef7fec0bd5c71ae05f51953ed354b7921454302d0668ca7625cde41ef63bab53d7c363332e612a0ed3d5a87407ac59d773b6ca802a26

Download Submit