bf85caf1ad972fed65bbc29ab85243f8dc0172792b5002e6fc8630abb71b1c8c

Analysis

max time kernel
120s
max time network
92s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04/09/2024, 02:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db00276d6303371ff33d01daca3daf00N.exe
Size

2.6MB
MD5

db00276d6303371ff33d01daca3daf00
SHA1

04f3de19e7f96461bc5af303908cd0f7af4103bd
SHA256

bf85caf1ad972fed65bbc29ab85243f8dc0172792b5002e6fc8630abb71b1c8c
SHA512

e90ceaf4b44e82c88b07ce420f6135e72bc70e95772cdeee7262e7e9f75d7fdef3fe253117373e9c3a1e24a1ebd4a726363f437f74c8c2d552bbcd8f156691a1
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBFB/bS:sxX7QnxrloE5dpUpib

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe	db00276d6303371ff33d01daca3daf00N.exe

Executes dropped EXE 2 IoCs

pid	Process
2240	ecaopti.exe
1972	xoptiloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc1Y\\xoptiloc.exe"	db00276d6303371ff33d01daca3daf00N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZIW\\optidevec.exe"	db00276d6303371ff33d01daca3daf00N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	db00276d6303371ff33d01daca3daf00N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecaopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xoptiloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3980	db00276d6303371ff33d01daca3daf00N.exe
3980	db00276d6303371ff33d01daca3daf00N.exe
3980	db00276d6303371ff33d01daca3daf00N.exe
3980	db00276d6303371ff33d01daca3daf00N.exe
2240	ecaopti.exe
2240	ecaopti.exe
1972	xoptiloc.exe
1972	xoptiloc.exe
2240	ecaopti.exe
2240	ecaopti.exe
1972	xoptiloc.exe
1972	xoptiloc.exe
2240	ecaopti.exe
2240	ecaopti.exe
1972	xoptiloc.exe
1972	xoptiloc.exe
2240	ecaopti.exe
2240	ecaopti.exe
1972	xoptiloc.exe
1972	xoptiloc.exe
2240	ecaopti.exe
2240	ecaopti.exe
1972	xoptiloc.exe
1972	xoptiloc.exe
2240	ecaopti.exe
2240	ecaopti.exe
1972	xoptiloc.exe
1972	xoptiloc.exe
2240	ecaopti.exe
2240	ecaopti.exe
1972	xoptiloc.exe
1972	xoptiloc.exe
2240	ecaopti.exe
2240	ecaopti.exe
1972	xoptiloc.exe
1972	xoptiloc.exe
2240	ecaopti.exe
2240	ecaopti.exe
1972	xoptiloc.exe
1972	xoptiloc.exe
2240	ecaopti.exe
2240	ecaopti.exe
1972	xoptiloc.exe
1972	xoptiloc.exe
2240	ecaopti.exe
2240	ecaopti.exe
1972	xoptiloc.exe
1972	xoptiloc.exe
2240	ecaopti.exe
2240	ecaopti.exe
1972	xoptiloc.exe
1972	xoptiloc.exe
2240	ecaopti.exe
2240	ecaopti.exe
1972	xoptiloc.exe
1972	xoptiloc.exe
2240	ecaopti.exe
2240	ecaopti.exe
1972	xoptiloc.exe
1972	xoptiloc.exe
2240	ecaopti.exe
2240	ecaopti.exe
1972	xoptiloc.exe
1972	xoptiloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3980 wrote to memory of 2240	3980	db00276d6303371ff33d01daca3daf00N.exe	88
PID 3980 wrote to memory of 2240	3980	db00276d6303371ff33d01daca3daf00N.exe	88
PID 3980 wrote to memory of 2240	3980	db00276d6303371ff33d01daca3daf00N.exe	88
PID 3980 wrote to memory of 1972	3980	db00276d6303371ff33d01daca3daf00N.exe	91
PID 3980 wrote to memory of 1972	3980	db00276d6303371ff33d01daca3daf00N.exe	91
PID 3980 wrote to memory of 1972	3980	db00276d6303371ff33d01daca3daf00N.exe	91

C:\Users\Admin\AppData\Local\Temp\db00276d6303371ff33d01daca3daf00N.exe
"C:\Users\Admin\AppData\Local\Temp\db00276d6303371ff33d01daca3daf00N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3980
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2240
- C:\Intelproc1Y\xoptiloc.exe
  C:\Intelproc1Y\xoptiloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Intelproc1Y\xoptiloc.exe

Filesize
2.6MB

MD5
93cb38b58ea413647581849801894323

SHA1
dea1a9409c1e2e755861808d1347f168f25b8e20

SHA256
45dd0b9b5e8f85b667d9419db88a130e7d298601738afc62b97d7474a8443968

SHA512
b63ea2b5cef7cf1862c053b7a9dcd93654c29127655bb05d07bbcfe6a5e0bc6d685523de6a8e7a87ab9e6cf5ad9f184cf4a9ab76dd3ff5c17a640c733c3bd501

Download Submit
C:\LabZIW\optidevec.exe

Filesize
256KB

MD5
b3ab996ff59c6aea5e1a2915a9e8aeb7

SHA1
b5c7aaef814b7982f52b7ce36668ed4dcb82b934

SHA256
f5b37472689368d417d48670c8fb456672adf63232490643311ce72427783ee1

SHA512
3449d47f16c312162f606b8496898b4f7a3587ce5c15ffb6ef1ffcc5aa2d024e2289997c3e4f6c8c1507c5719b52e6cd4c81ec2caac86719c9d302f99d65aa04

Download Submit
C:\LabZIW\optidevec.exe

Filesize
189KB

MD5
43ad7e251790c7e47b6823bd030db779

SHA1
ebcc886fc2ff87e2f3da6024e55bb752bfb09198

SHA256
e9bc73029b679eaca4a029fb2c3c07d776caed4e1fda9d829fb87bf5bfd8a6df

SHA512
2ca78f61949de2433d291e1aa9fb21aabaa662297c0c6b1b5116ba8433f1b3d831774b35be789a23752142d5c0d2e915e4001d59ea63ae28344dad61f4c30809

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
207B

MD5
ce86486e35d917b939b257a0440484a9

SHA1
32482029b1c86a89d351ec2236c8e6d91f92690a

SHA256
7a529445cdde18c1263bf9a03a0046a6481f958c96f3d167c0d32472e55581a7

SHA512
dfca6de49e2b65dc869245234cd2affca439becd240f2f10c8442ebc9a7b1888ed92d562e53c6c25855c7f190c0e68cea150b8020ec54ade73e0aee337d46cc7

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
175B

MD5
d40bb084383d3d37ba4a634418e3bd1d

SHA1
4399dabcb68c0bfb84cd40d70c1d8ebe8896d332

SHA256
0e0bb1efb5162d58d997545e1b512f728b85b6f0c3e393a04e75d31dc7d6f5bc

SHA512
9fe15b65f69c1ea190e6ccf650866fdbde44eda3b6ae64379c3ee00d4e993cc1174e03cd9f590ebcd17ffbc055bd651923c529724f05400f617455b8535171d2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe

Filesize
2.6MB

MD5
2d3479933b19db1f94dee459fe732b69

SHA1
821bd5e21ec4f20de5fc755419a9abfb7221123e

SHA256
0f5b841ae313acbd1e53b9b7e25ebb14b3116fad867ac1cb56e9b2cbd4e07a95

SHA512
1dd8452717d3d97ef163ff5f588b160ee067a064b0082ac1c2318860b5e6b95e3296513f947e7ae21820aa06196d62abda991634e758250b436833799b78acaf

Download Submit