02430579ff8ce98e0473e809b160cf838ea80f88ac3dadec59ce432e4d467a8c

Analysis

max time kernel
119s
max time network
20s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
03/09/2024, 22:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db305c5e63771a6de82cfe1f03f63cd0N.exe
Size

2.6MB
MD5

db305c5e63771a6de82cfe1f03f63cd0
SHA1

2145c8dc8ad229d58388c6b90d36f3d9a6e1d993
SHA256

02430579ff8ce98e0473e809b160cf838ea80f88ac3dadec59ce432e4d467a8c
SHA512

3b0415bee9974a92b5e6ed84329195e38441076e167f6a0bedc3b66f45bb2c338edf3c5793dcc9d47e9bb3af00d11e13fb3dde6e0f5a91e7854e64ab3a16db9b
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBlB/bS:sxX7QnxrloE5dpUpCb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe	db305c5e63771a6de82cfe1f03f63cd0N.exe

Executes dropped EXE 2 IoCs

pid	Process
3032	ecaopti.exe
2848	devbodloc.exe

Loads dropped DLL 2 IoCs

pid	Process
2328	db305c5e63771a6de82cfe1f03f63cd0N.exe
2328	db305c5e63771a6de82cfe1f03f63cd0N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesIO\\devbodloc.exe"	db305c5e63771a6de82cfe1f03f63cd0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBHO\\optixec.exe"	db305c5e63771a6de82cfe1f03f63cd0N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	db305c5e63771a6de82cfe1f03f63cd0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecaopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devbodloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2328	db305c5e63771a6de82cfe1f03f63cd0N.exe
2328	db305c5e63771a6de82cfe1f03f63cd0N.exe
3032	ecaopti.exe
2848	devbodloc.exe
3032	ecaopti.exe
2848	devbodloc.exe
3032	ecaopti.exe
2848	devbodloc.exe
3032	ecaopti.exe
2848	devbodloc.exe
3032	ecaopti.exe
2848	devbodloc.exe
3032	ecaopti.exe
2848	devbodloc.exe
3032	ecaopti.exe
2848	devbodloc.exe
3032	ecaopti.exe
2848	devbodloc.exe
3032	ecaopti.exe
2848	devbodloc.exe
3032	ecaopti.exe
2848	devbodloc.exe
3032	ecaopti.exe
2848	devbodloc.exe
3032	ecaopti.exe
2848	devbodloc.exe
3032	ecaopti.exe
2848	devbodloc.exe
3032	ecaopti.exe
2848	devbodloc.exe
3032	ecaopti.exe
2848	devbodloc.exe
3032	ecaopti.exe
2848	devbodloc.exe
3032	ecaopti.exe
2848	devbodloc.exe
3032	ecaopti.exe
2848	devbodloc.exe
3032	ecaopti.exe
2848	devbodloc.exe
3032	ecaopti.exe
2848	devbodloc.exe
3032	ecaopti.exe
2848	devbodloc.exe
3032	ecaopti.exe
2848	devbodloc.exe
3032	ecaopti.exe
2848	devbodloc.exe
3032	ecaopti.exe
2848	devbodloc.exe
3032	ecaopti.exe
2848	devbodloc.exe
3032	ecaopti.exe
2848	devbodloc.exe
3032	ecaopti.exe
2848	devbodloc.exe
3032	ecaopti.exe
2848	devbodloc.exe
3032	ecaopti.exe
2848	devbodloc.exe
3032	ecaopti.exe
2848	devbodloc.exe
3032	ecaopti.exe
2848	devbodloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 3032	2328	db305c5e63771a6de82cfe1f03f63cd0N.exe	29
PID 2328 wrote to memory of 3032	2328	db305c5e63771a6de82cfe1f03f63cd0N.exe	29
PID 2328 wrote to memory of 3032	2328	db305c5e63771a6de82cfe1f03f63cd0N.exe	29
PID 2328 wrote to memory of 3032	2328	db305c5e63771a6de82cfe1f03f63cd0N.exe	29
PID 2328 wrote to memory of 2848	2328	db305c5e63771a6de82cfe1f03f63cd0N.exe	30
PID 2328 wrote to memory of 2848	2328	db305c5e63771a6de82cfe1f03f63cd0N.exe	30
PID 2328 wrote to memory of 2848	2328	db305c5e63771a6de82cfe1f03f63cd0N.exe	30
PID 2328 wrote to memory of 2848	2328	db305c5e63771a6de82cfe1f03f63cd0N.exe	30

C:\Users\Admin\AppData\Local\Temp\db305c5e63771a6de82cfe1f03f63cd0N.exe
"C:\Users\Admin\AppData\Local\Temp\db305c5e63771a6de82cfe1f03f63cd0N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3032
- C:\FilesIO\devbodloc.exe
  C:\FilesIO\devbodloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesIO\devbodloc.exe

Filesize
2.6MB

MD5
90106cff947c00bcf1ade80349004f4f

SHA1
5da70c5e94dedc3e3309d6364ee3da90387a112f

SHA256
06ec91569daa4fa7c5662ab57239062507908222c509fa24f8c31cca0174ea23

SHA512
1084809af4c9d5e591196f8eb85a559514a79c680689dd4dbf502f8572b1bf577def51899b1830fbe6c3cfe282bac6d855794b4e7509c9e84ac1953a8a14b2b5

Download Submit
C:\KaVBHO\optixec.exe

Filesize
2.6MB

MD5
ae4ed0f99e2abce50c8e7fb172faf205

SHA1
f004141ec0bac2821030201afe8474e41e9e2f78

SHA256
4fff25f4b305202f0159c02977bc74880627457a465acb38e98c90206c4061cd

SHA512
1cec94dd63c87e2d01ebb435b47e037600f5aa8c9d634af5b08446fa22c10d5e53d189817daf7423c7ad40130000aeccaf406658d099ff6d0193b8637c93c029

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
170B

MD5
f6d24bf66d030730ff7d3c359f99e301

SHA1
9c6975026fca749802ef0e87d46cd072cda2bcbd

SHA256
f7a1915c0db386f19d2ed14c859c82b8a68e011c17b93c85ffb9383183f9dfa3

SHA512
d9ffe0db9013ea61d2c7a0cd546e7bced0bd2c509c82b8799d540a85f7605e3ac2777c876e424f50eb2884be54ad6970bb10a214210abb1d227d32b17a22bca8

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
76090904276bd0d6638d61835f26ae5e

SHA1
72957af3e1b59aad4ac09715866f203624708912

SHA256
419f8139450c8125931bb2d8517098524aa8948ba3dedde719558735ae0d226d

SHA512
b757452bf949cffbbb85c2e86e95ac19b701dc04686f85a4fe53e6d9f03402c0fa5873aaf9e87c6784311afb95fa12fc61b26a1f9f1ad859d7a5a002777a8568

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe

Filesize
2.6MB

MD5
b4d949f4e89f824c95a6ec479aa4ecea

SHA1
e3a0ec6dd8dcc966df66b6cfc26c46eebf196235

SHA256
9aaab070c1e409ee45765dc2aa564449d767ce2fc84e52c24de17087c5363927

SHA512
4964a92e9634f2e81ebaad154b20feb198bbb631dedb9c7264d6f44a667b79bdbf6b1cc9955224162e7047ecd7d99a0dda601d3ee28fbddb889f5a5981aace7f

Download Submit