0730817e8d8238c704d859f4be078324e907dbf4a885566f84de359080b13697

Analysis

max time kernel
119s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/09/2024, 09:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c7f9a803c71005a3869e9e9b9ff6d00N.exe
Size

2.6MB
MD5

3c7f9a803c71005a3869e9e9b9ff6d00
SHA1

583480b18f6ab06a57cc4b0f5d757f4e08d7b47a
SHA256

0730817e8d8238c704d859f4be078324e907dbf4a885566f84de359080b13697
SHA512

20a8b02ab3bd20cfd41d03addbd52ca3dec4600094f5bc04dff4b6e5ae55be132438ee211b2f5d5bb43c0591b0e110e6f05143dbdcf0c4ca6af2813ab5702ded
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBZB/bS:sxX7QnxrloE5dpUp2b

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe	3c7f9a803c71005a3869e9e9b9ff6d00N.exe

Executes dropped EXE 2 IoCs

pid	Process
5036	ecaopti.exe
4792	devbodsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotMQ\\devbodsys.exe"	3c7f9a803c71005a3869e9e9b9ff6d00N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintEX\\dobxloc.exe"	3c7f9a803c71005a3869e9e9b9ff6d00N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecaopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devbodsys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3c7f9a803c71005a3869e9e9b9ff6d00N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5000	3c7f9a803c71005a3869e9e9b9ff6d00N.exe
5000	3c7f9a803c71005a3869e9e9b9ff6d00N.exe
5000	3c7f9a803c71005a3869e9e9b9ff6d00N.exe
5000	3c7f9a803c71005a3869e9e9b9ff6d00N.exe
5036	ecaopti.exe
5036	ecaopti.exe
4792	devbodsys.exe
4792	devbodsys.exe
5036	ecaopti.exe
5036	ecaopti.exe
4792	devbodsys.exe
4792	devbodsys.exe
5036	ecaopti.exe
5036	ecaopti.exe
4792	devbodsys.exe
4792	devbodsys.exe
5036	ecaopti.exe
5036	ecaopti.exe
4792	devbodsys.exe
4792	devbodsys.exe
5036	ecaopti.exe
5036	ecaopti.exe
4792	devbodsys.exe
4792	devbodsys.exe
5036	ecaopti.exe
5036	ecaopti.exe
4792	devbodsys.exe
4792	devbodsys.exe
5036	ecaopti.exe
5036	ecaopti.exe
4792	devbodsys.exe
4792	devbodsys.exe
5036	ecaopti.exe
5036	ecaopti.exe
4792	devbodsys.exe
4792	devbodsys.exe
5036	ecaopti.exe
5036	ecaopti.exe
4792	devbodsys.exe
4792	devbodsys.exe
5036	ecaopti.exe
5036	ecaopti.exe
4792	devbodsys.exe
4792	devbodsys.exe
5036	ecaopti.exe
5036	ecaopti.exe
4792	devbodsys.exe
4792	devbodsys.exe
5036	ecaopti.exe
5036	ecaopti.exe
4792	devbodsys.exe
4792	devbodsys.exe
5036	ecaopti.exe
5036	ecaopti.exe
4792	devbodsys.exe
4792	devbodsys.exe
5036	ecaopti.exe
5036	ecaopti.exe
4792	devbodsys.exe
4792	devbodsys.exe
5036	ecaopti.exe
5036	ecaopti.exe
4792	devbodsys.exe
4792	devbodsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5000 wrote to memory of 5036	5000	3c7f9a803c71005a3869e9e9b9ff6d00N.exe	88
PID 5000 wrote to memory of 5036	5000	3c7f9a803c71005a3869e9e9b9ff6d00N.exe	88
PID 5000 wrote to memory of 5036	5000	3c7f9a803c71005a3869e9e9b9ff6d00N.exe	88
PID 5000 wrote to memory of 4792	5000	3c7f9a803c71005a3869e9e9b9ff6d00N.exe	89
PID 5000 wrote to memory of 4792	5000	3c7f9a803c71005a3869e9e9b9ff6d00N.exe	89
PID 5000 wrote to memory of 4792	5000	3c7f9a803c71005a3869e9e9b9ff6d00N.exe	89

C:\Users\Admin\AppData\Local\Temp\3c7f9a803c71005a3869e9e9b9ff6d00N.exe
"C:\Users\Admin\AppData\Local\Temp\3c7f9a803c71005a3869e9e9b9ff6d00N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5000
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5036
- C:\UserDotMQ\devbodsys.exe
  C:\UserDotMQ\devbodsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintEX\dobxloc.exe

Filesize
423KB

MD5
472d3e57da254bac56a4ceed8419ade2

SHA1
76b0ed92b4e44efe7146fa4d1dcba1cddaaa767e

SHA256
9706cf256ba96219ecf6d731da25477b25acef5f8c89926e6e5ee07f792190e8

SHA512
d5865d59e925777974c7efbc1fe36dff58dddaf55f43a902991018ef9a5c5ff6eb000cfe549facfdb41f43a395f7a5976fe8b075a81a192676994dedf78b432f

Download Submit
C:\MintEX\dobxloc.exe

Filesize
2.6MB

MD5
2b79f2e3398000e3d3a64804d618da49

SHA1
29636f78612695a21f9f625601b8ef78b67b6ff0

SHA256
5b19926304658dec20649be8cae9dbdbb71d1abc31c4323bf01a0cc843929af4

SHA512
bd591c3bfcff9a796da87f62457e21680ac7344314b1d4f2e1cdb29c788bf01960bc7d79919e7b634a99e8d166da530074128839461b4dae82e594a627276879

Download Submit
C:\UserDotMQ\devbodsys.exe

Filesize
2.6MB

MD5
99715f8c883d63f62fd182c0ea053a22

SHA1
598e5afafbeb6b3e27c31e811d10d03dcbe391a7

SHA256
4137d06536b449d75518d22cf575ec1df01c2eaa641e0449deccc89b403f6b41

SHA512
4400eb5fde7c46ab2032e46b1264aac4043b76e8052e7df7bdf24ad3e407820253ab7f73866e914c0425fb33a48bb24b684287fd72e9938684eda16cb0a3713c

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
b1beb4bc495ede63d7779c0eb6c7e172

SHA1
06c89517e6f0efb1e941718ca411214a4ff91ce9

SHA256
2ec456cd8cad6d9c09458b4c016b027630f7f1c0c11ba86b68340540594c5bea

SHA512
ee9f9097b3c8b37a08e571b76d5248f6306f0fabbc5eba0a10a4a2a41641eee9e3a2a93619b7153040ad5c5f04e79cdd9b2cdae280291f82c8bf44d425e40015

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
172B

MD5
864308bfd9e2b6c48f6d07c4a736e95a

SHA1
9cb7422cc6a9005b22b4117afad4500be1c0c247

SHA256
5ee3739059d1ba08093a29b54f1b76fce80f4bc23670ded2c4791d7ba56c419a

SHA512
1b9ac40a0a4cb109b308b7e217803f0b08b436000dce579fa1ef968f1610523d06ae5e86f924e920c9a60f107499d288825cd340e4c00927a9d8639c59d16a85

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe

Filesize
2.6MB

MD5
4a9586cd7d4edacf3818d47e42a9fcc5

SHA1
679d273fc4345eab6fba228cc7b6f29030dfede5

SHA256
72835c3950a71be94e3c3588cde307e09fc22451b46a9cba8f303ffef924401a

SHA512
213eb4c52fe0436da6ead0ee89890db2509c54d4932f7faf3df2f2460e1fc183f1aaa4f5b709ed51aeacfbabe5eda160e875d5447005bc123081a261ddfb6aab

Download Submit