05f73c0a6dd89c706215c0187e0133157c74edc5768d21fb76eae026eb6ab1d4

Analysis

max time kernel
119s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09/09/2024, 15:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6666e11de1b68f98bc5eeccbed86a270N.exe
Size

2.6MB
MD5

6666e11de1b68f98bc5eeccbed86a270
SHA1

780ccff9ddf99afc2f8f80523e0db6621ee6e5b2
SHA256

05f73c0a6dd89c706215c0187e0133157c74edc5768d21fb76eae026eb6ab1d4
SHA512

178108402d4a6856bc9e5a60d18e887362226fe8f248151c38c5137cfad5c66d64d3059f51a916e0c64b0104491bcdb71d4436fbb95eb31ccc75f6e928e69801
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBdB/bS:sxX7QnxrloE5dpUpyb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe	6666e11de1b68f98bc5eeccbed86a270N.exe

Executes dropped EXE 2 IoCs

pid	Process
1252	ecaopti.exe
4752	xdobloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvZI\\xdobloc.exe"	6666e11de1b68f98bc5eeccbed86a270N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidZG\\optiasys.exe"	6666e11de1b68f98bc5eeccbed86a270N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecaopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdobloc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6666e11de1b68f98bc5eeccbed86a270N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1196	6666e11de1b68f98bc5eeccbed86a270N.exe
1196	6666e11de1b68f98bc5eeccbed86a270N.exe
1196	6666e11de1b68f98bc5eeccbed86a270N.exe
1196	6666e11de1b68f98bc5eeccbed86a270N.exe
1252	ecaopti.exe
1252	ecaopti.exe
4752	xdobloc.exe
4752	xdobloc.exe
1252	ecaopti.exe
1252	ecaopti.exe
4752	xdobloc.exe
4752	xdobloc.exe
1252	ecaopti.exe
1252	ecaopti.exe
4752	xdobloc.exe
4752	xdobloc.exe
1252	ecaopti.exe
1252	ecaopti.exe
4752	xdobloc.exe
4752	xdobloc.exe
1252	ecaopti.exe
1252	ecaopti.exe
4752	xdobloc.exe
4752	xdobloc.exe
1252	ecaopti.exe
1252	ecaopti.exe
4752	xdobloc.exe
4752	xdobloc.exe
1252	ecaopti.exe
1252	ecaopti.exe
4752	xdobloc.exe
4752	xdobloc.exe
1252	ecaopti.exe
1252	ecaopti.exe
4752	xdobloc.exe
4752	xdobloc.exe
1252	ecaopti.exe
1252	ecaopti.exe
4752	xdobloc.exe
4752	xdobloc.exe
1252	ecaopti.exe
1252	ecaopti.exe
4752	xdobloc.exe
4752	xdobloc.exe
1252	ecaopti.exe
1252	ecaopti.exe
4752	xdobloc.exe
4752	xdobloc.exe
1252	ecaopti.exe
1252	ecaopti.exe
4752	xdobloc.exe
4752	xdobloc.exe
1252	ecaopti.exe
1252	ecaopti.exe
4752	xdobloc.exe
4752	xdobloc.exe
1252	ecaopti.exe
1252	ecaopti.exe
4752	xdobloc.exe
4752	xdobloc.exe
1252	ecaopti.exe
1252	ecaopti.exe
4752	xdobloc.exe
4752	xdobloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1196 wrote to memory of 1252	1196	6666e11de1b68f98bc5eeccbed86a270N.exe	87
PID 1196 wrote to memory of 1252	1196	6666e11de1b68f98bc5eeccbed86a270N.exe	87
PID 1196 wrote to memory of 1252	1196	6666e11de1b68f98bc5eeccbed86a270N.exe	87
PID 1196 wrote to memory of 4752	1196	6666e11de1b68f98bc5eeccbed86a270N.exe	88
PID 1196 wrote to memory of 4752	1196	6666e11de1b68f98bc5eeccbed86a270N.exe	88
PID 1196 wrote to memory of 4752	1196	6666e11de1b68f98bc5eeccbed86a270N.exe	88

C:\Users\Admin\AppData\Local\Temp\6666e11de1b68f98bc5eeccbed86a270N.exe
"C:\Users\Admin\AppData\Local\Temp\6666e11de1b68f98bc5eeccbed86a270N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1196
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1252
- C:\SysDrvZI\xdobloc.exe
  C:\SysDrvZI\xdobloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\SysDrvZI\xdobloc.exe

Filesize
11KB

MD5
4b15a8dc60fb28ba194308947f8d0bdf

SHA1
addcf6f0cc5dc9577f5354dd3efdf91843caddb2

SHA256
eeda459c0f86c4f2c639edc7bc26cc6dc4f508b51063a31d85ac8a6f6e64b152

SHA512
35c0dcc269feb3a6378ec13dde959d0dbc121e4ec5236b5910536beee95f1128b58b5d7711ee4f05359371d8097a799e57a11fa6b9dbb26c543666dffd669e7e

Download Submit
C:\SysDrvZI\xdobloc.exe

Filesize
2.6MB

MD5
c9dc0f54e9e5456b11adee88b3dd3906

SHA1
ed317a787e954bd1f3cec11ffba7bb799990fbcc

SHA256
8dffe6ee1055a929e21e4bba1f85488eec822d873c62c325dfaafb9c15355f58

SHA512
9c6ca8ff3f434dcdedc71660dbb7eebd88382a070fa549bc2659504387401fbc2698865638efb4a68b14e26ef8fcb534add6ff2ca50c8c5fe5c6068dad225da8

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
201B

MD5
794ae73b6d729f779cd909b62a77001a

SHA1
d7842c88bcc0fa8056a537d2c1cc645953cd7e31

SHA256
472a7237aa4ae5f379fc6c618744686a61d7b3d38b1912ce0ed893c4915ff10a

SHA512
247958f50eec44c26998c54506494882a486819879bb70051df608b82ea1c027f7143e2bbea9e3d9e785d5f83496cb57f7a9528b34d1c6ed365d4460a7ee1c0f

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
169B

MD5
e916deab6e21edab2847b3670907026c

SHA1
db7d37fda06ddfba60468891c8e6382cbae00b97

SHA256
eca9647a351e2a4d2ef62bb6c82ecf41447b30a4279d3b566052b97cfd23d5ad

SHA512
3620d175c80116b73cea5070e1474e318241760cfa6ee8290ca7eeef1b8d10ddf618fe8c9ddccb4cc0545296616f9b7325e8dd7940ad4494abb744d497f851ad

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe

Filesize
2.6MB

MD5
564c79ab492196c6439bb23e1763d2fe

SHA1
e5f72ced83987b970ee6b99ed84fc72422c04e94

SHA256
db6386c0929a1bcc24b8c91507aa33abbfa8a5ec22795589b8bc0ae09703f997

SHA512
dc232af2d930866d3d43da0ceed3ccc05c189f4399292c288b718e316cd34a147bd444481f15349dacacd9a02e1ecbd8670acb9f7698882cbe71cc36b239587d

Download Submit
C:\VidZG\optiasys.exe

Filesize
128KB

MD5
cdb9a80dbb357fed6575882ef46b7c1e

SHA1
4fc6a849e7a3521a7242b9ce711b897003524431

SHA256
6267a3066577b6f8ef631954e67ca2bf29489db29e0334d2a0a97cf2bf2fbbe4

SHA512
e3e71dad55b38b9ff09840bdaee0b7fa01151ec48477ed457b9bd3f6f983ecd3eca407dbc24eab20bdd13960aa11ef5879815d53f5ae3e8a0e6173ae8d98b686

Download Submit
C:\VidZG\optiasys.exe

Filesize
23KB

MD5
92e05ba3017090c77842fb48869867bc

SHA1
6daf02c129156f59bc6defa6b1f3a93c9e3e8df6

SHA256
194123ee36bc4cba1627c299fdefa4997784b9500b613312e45794c77ac92b87

SHA512
26dfc6a1ba28fc660b5ebe9ad0ba738c63153219c91b3eec80a3228467813965cc374edceb619f3c6bf17e6d8df54fe902958e15591873b3893d71ccb9cb020c

Download Submit