a8d31e246e4ca8663cf6ac09c1f9d8f58995cf3d75b3eca4033ed26c3dedbf20

Analysis

max time kernel
119s
max time network
19s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-09-2024 12:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9e36a833cf32d2be157847987c717020N.exe
Size

2.6MB
MD5

9e36a833cf32d2be157847987c717020
SHA1

465f661d7d1630fb1f6d34d4f394dcfab99e3a95
SHA256

a8d31e246e4ca8663cf6ac09c1f9d8f58995cf3d75b3eca4033ed26c3dedbf20
SHA512

caa9650fa7d746805c64ad022523d3b70e4b134cc0bbd58574623f49e89c8fc8bc52f2beba443db624b12ca74358ee15f69edec5c019d1c2291db5c67df211d9
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBeB/bSq:sxX7QnxrloE5dpUpVbV

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe	9e36a833cf32d2be157847987c717020N.exe

Executes dropped EXE 2 IoCs

pid	Process
2472	ecaopti.exe
2352	devoptiec.exe

Loads dropped DLL 2 IoCs

pid	Process
2448	9e36a833cf32d2be157847987c717020N.exe
2448	9e36a833cf32d2be157847987c717020N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvZK\\devoptiec.exe"	9e36a833cf32d2be157847987c717020N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBRF\\dobaloc.exe"	9e36a833cf32d2be157847987c717020N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9e36a833cf32d2be157847987c717020N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecaopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devoptiec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2448	9e36a833cf32d2be157847987c717020N.exe
2448	9e36a833cf32d2be157847987c717020N.exe
2472	ecaopti.exe
2352	devoptiec.exe
2472	ecaopti.exe
2352	devoptiec.exe
2472	ecaopti.exe
2352	devoptiec.exe
2472	ecaopti.exe
2352	devoptiec.exe
2472	ecaopti.exe
2352	devoptiec.exe
2472	ecaopti.exe
2352	devoptiec.exe
2472	ecaopti.exe
2352	devoptiec.exe
2472	ecaopti.exe
2352	devoptiec.exe
2472	ecaopti.exe
2352	devoptiec.exe
2472	ecaopti.exe
2352	devoptiec.exe
2472	ecaopti.exe
2352	devoptiec.exe
2472	ecaopti.exe
2352	devoptiec.exe
2472	ecaopti.exe
2352	devoptiec.exe
2472	ecaopti.exe
2352	devoptiec.exe
2472	ecaopti.exe
2352	devoptiec.exe
2472	ecaopti.exe
2352	devoptiec.exe
2472	ecaopti.exe
2352	devoptiec.exe
2472	ecaopti.exe
2352	devoptiec.exe
2472	ecaopti.exe
2352	devoptiec.exe
2472	ecaopti.exe
2352	devoptiec.exe
2472	ecaopti.exe
2352	devoptiec.exe
2472	ecaopti.exe
2352	devoptiec.exe
2472	ecaopti.exe
2352	devoptiec.exe
2472	ecaopti.exe
2352	devoptiec.exe
2472	ecaopti.exe
2352	devoptiec.exe
2472	ecaopti.exe
2352	devoptiec.exe
2472	ecaopti.exe
2352	devoptiec.exe
2472	ecaopti.exe
2352	devoptiec.exe
2472	ecaopti.exe
2352	devoptiec.exe
2472	ecaopti.exe
2352	devoptiec.exe
2472	ecaopti.exe
2352	devoptiec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2448 wrote to memory of 2472	2448	9e36a833cf32d2be157847987c717020N.exe	31
PID 2448 wrote to memory of 2472	2448	9e36a833cf32d2be157847987c717020N.exe	31
PID 2448 wrote to memory of 2472	2448	9e36a833cf32d2be157847987c717020N.exe	31
PID 2448 wrote to memory of 2472	2448	9e36a833cf32d2be157847987c717020N.exe	31
PID 2448 wrote to memory of 2352	2448	9e36a833cf32d2be157847987c717020N.exe	32
PID 2448 wrote to memory of 2352	2448	9e36a833cf32d2be157847987c717020N.exe	32
PID 2448 wrote to memory of 2352	2448	9e36a833cf32d2be157847987c717020N.exe	32
PID 2448 wrote to memory of 2352	2448	9e36a833cf32d2be157847987c717020N.exe	32

C:\Users\Admin\AppData\Local\Temp\9e36a833cf32d2be157847987c717020N.exe
"C:\Users\Admin\AppData\Local\Temp\9e36a833cf32d2be157847987c717020N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2448
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2472
- C:\SysDrvZK\devoptiec.exe
  C:\SysDrvZK\devoptiec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBRF\dobaloc.exe

Filesize
2.6MB

MD5
922060733aab9e5240533c0150267f2d

SHA1
57ea207cae8e648eea6646de6209d9d5843c925e

SHA256
f429b5164e81e72853f6e84b9e58532eb7de188332c300cdf5b933527d021d64

SHA512
a0ec234ac360d5e0f4aeccec5058602773a9ee537d36315d0d20e5e5cd1dd3987cef3482c3c458eba858006995923ca4c213eefb942a7ffc7cd4c882914d59c6

Download Submit
C:\KaVBRF\dobaloc.exe

Filesize
2.6MB

MD5
6a276c5f14166cda2ccbc8be1f4a9eb2

SHA1
fba22fa79d2b1251bad9ea1e60e840a1d0af3560

SHA256
3e4d9c08faff25b8107c3dec01b534e09d3a9af21b24d899bb8e7c666ed3bf2e

SHA512
d9de8562bd917d09c6fb79637dafecc34a59c24877ef865ad97c87c0d8fa92dfebf2fa78d1668b40450107a9fe078ee3961fa8ea19950236b197c9eeff693e59

Download Submit
C:\SysDrvZK\devoptiec.exe

Filesize
2.6MB

MD5
500d696b5670afb442a4897370c0b853

SHA1
eb087dc753b44f31aceb2586357268572165e795

SHA256
4a2e744a3977b1a174712cc162bd5349e7d98c9f758d16335375b253fbc87c00

SHA512
a6853710a381c74f9affb1efbc721af05838137db715d27631fdf9682dde7a13db93f44296cfe2cda92d903e5f87a745bf8f7e2da82e33d314cbcacbf26a5597

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
171B

MD5
1d28d07e45266c5f79ae1d6c86300d0a

SHA1
eff1137519a5362187169690bc3eff242ab6011d

SHA256
c9dbbda7d902011da4681ea901620677e39b55c5e3c9ddbf3c501a447f28ffc2

SHA512
629bdf12ee549f0d154adfaff3f67a89b860a90897336f9d68b49cbf97985f4bdb627dc66de9782eca8c179ec661e10eca1eae1661d115dd9d0ad5539d490fcd

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
00aba4b2b9403d3c7e42d8e3abc3b916

SHA1
b189d667bbe8913d24246656db7ac6ed1339a953

SHA256
46cd4a39b443fded26873f0ccfac53b0bafe8a036af918451afff099148992df

SHA512
61bf68d4adb53718d7cfa0c20917eaffa855c014ae7697a0cb0e502eefab18b55e484654a23b5fb847d001fa50500714a9bdb3b77af33b34cf573eafc0c42c0a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe

Filesize
2.6MB

MD5
673519e7fbb243e130a770fbd8cf0be1

SHA1
eb186282c8a90f19112ea84003fa32a4f0beb63a

SHA256
d657b9d1d83e92114cb6918ffb6e8f0220286853902c4b010f738f6323507d03

SHA512
942683d4631b725372f7d6b89e3509faedd46245182b55fff83dd3c7204eb495e501dccc9dae1b6f3ff7ab9105afd3cb69fefcff167e0db84ffb89b026856841

Download Submit