dc559cbd7bd75982c3b5664470d44475156a2fabaa02a3c61d8a946380379cce

Analysis

max time kernel
118s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2024, 23:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc559cbd7bd75982c3b5664470d44475156a2fabaa02a3c61d8a946380379cceN.exe
Size

970KB
MD5

317c6ab25574d7f469a47590c8d5eb40
SHA1

ff4c7e89fc8e4e91921e68d0e26ce64d8e0984ad
SHA256

dc559cbd7bd75982c3b5664470d44475156a2fabaa02a3c61d8a946380379cce
SHA512

26d0bf9aee001cd20c7342fb1dd1ca8487e64767cae83d82a0847710f8818adb902d13d07dead1e2202c2d76ad96d524bc30813aadbe12403cb19ad92c966481
SSDEEP

24576:RV5fin1sAT4v8U0bue7mRl7muSHDpjKJRl1BwF81Ws:DZ6ue7gNHSjpjK3LBd

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	dc559cbd7bd75982c3b5664470d44475156a2fabaa02a3c61d8a946380379cceN.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe	dc559cbd7bd75982c3b5664470d44475156a2fabaa02a3c61d8a946380379cceN.exe

Executes dropped EXE 2 IoCs

pid	Process
2952	ecaopti.exe
2332	xdobec.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintXQ\\optialoc.exe"	dc559cbd7bd75982c3b5664470d44475156a2fabaa02a3c61d8a946380379cceN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv5L\\xdobec.exe"	dc559cbd7bd75982c3b5664470d44475156a2fabaa02a3c61d8a946380379cceN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dc559cbd7bd75982c3b5664470d44475156a2fabaa02a3c61d8a946380379cceN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecaopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdobec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4796	dc559cbd7bd75982c3b5664470d44475156a2fabaa02a3c61d8a946380379cceN.exe
4796	dc559cbd7bd75982c3b5664470d44475156a2fabaa02a3c61d8a946380379cceN.exe
4796	dc559cbd7bd75982c3b5664470d44475156a2fabaa02a3c61d8a946380379cceN.exe
4796	dc559cbd7bd75982c3b5664470d44475156a2fabaa02a3c61d8a946380379cceN.exe
2952	ecaopti.exe
2952	ecaopti.exe
2332	xdobec.exe
2332	xdobec.exe
2952	ecaopti.exe
2952	ecaopti.exe
2332	xdobec.exe
2332	xdobec.exe
2952	ecaopti.exe
2952	ecaopti.exe
2332	xdobec.exe
2332	xdobec.exe
2952	ecaopti.exe
2952	ecaopti.exe
2332	xdobec.exe
2332	xdobec.exe
2952	ecaopti.exe
2952	ecaopti.exe
2332	xdobec.exe
2332	xdobec.exe
2952	ecaopti.exe
2952	ecaopti.exe
2332	xdobec.exe
2332	xdobec.exe
2952	ecaopti.exe
2952	ecaopti.exe
2332	xdobec.exe
2332	xdobec.exe
2952	ecaopti.exe
2952	ecaopti.exe
2332	xdobec.exe
2332	xdobec.exe
2952	ecaopti.exe
2952	ecaopti.exe
2332	xdobec.exe
2332	xdobec.exe
2952	ecaopti.exe
2952	ecaopti.exe
2332	xdobec.exe
2332	xdobec.exe
2952	ecaopti.exe
2952	ecaopti.exe
2332	xdobec.exe
2332	xdobec.exe
2952	ecaopti.exe
2952	ecaopti.exe
2332	xdobec.exe
2332	xdobec.exe
2952	ecaopti.exe
2952	ecaopti.exe
2332	xdobec.exe
2332	xdobec.exe
2952	ecaopti.exe
2952	ecaopti.exe
2332	xdobec.exe
2332	xdobec.exe
2952	ecaopti.exe
2952	ecaopti.exe
2332	xdobec.exe
2332	xdobec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4796 wrote to memory of 2952	4796	dc559cbd7bd75982c3b5664470d44475156a2fabaa02a3c61d8a946380379cceN.exe	87
PID 4796 wrote to memory of 2952	4796	dc559cbd7bd75982c3b5664470d44475156a2fabaa02a3c61d8a946380379cceN.exe	87
PID 4796 wrote to memory of 2952	4796	dc559cbd7bd75982c3b5664470d44475156a2fabaa02a3c61d8a946380379cceN.exe	87
PID 4796 wrote to memory of 2332	4796	dc559cbd7bd75982c3b5664470d44475156a2fabaa02a3c61d8a946380379cceN.exe	89
PID 4796 wrote to memory of 2332	4796	dc559cbd7bd75982c3b5664470d44475156a2fabaa02a3c61d8a946380379cceN.exe	89
PID 4796 wrote to memory of 2332	4796	dc559cbd7bd75982c3b5664470d44475156a2fabaa02a3c61d8a946380379cceN.exe	89

C:\Users\Admin\AppData\Local\Temp\dc559cbd7bd75982c3b5664470d44475156a2fabaa02a3c61d8a946380379cceN.exe
"C:\Users\Admin\AppData\Local\Temp\dc559cbd7bd75982c3b5664470d44475156a2fabaa02a3c61d8a946380379cceN.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4796
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2952
- C:\SysDrv5L\xdobec.exe
  "C:\SysDrv5L\xdobec.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintXQ\optialoc.exe

Filesize
970KB

MD5
eeb52b37049f4e177a77bb9093bf72a0

SHA1
a59432c8bc48aea9cb87527ebca324f37cc622cc

SHA256
b2821840b605da082562bfb02e0d47e89eb1c143f6246ab0d5568f0f61da27ac

SHA512
a3fc0647b3d43a94b6e22d863b45e5c1494d2c06aef060fb1cacb37db15d8e40c4c54a5eba152798bafddc6c0886ccfb6ad8818782f7ff4b09600bcde01847f4

Download Submit
C:\MintXQ\optialoc.exe

Filesize
970KB

MD5
fdcaf708bdcb59db1b88c05207500bdf

SHA1
70787a723cf61db49b55e4fa214dab00cde69b85

SHA256
2cf096459604fe30010928c469dd87784144ae1eacd7b8ed0ab0a8e0ce9aa45c

SHA512
a4ce926b4b04c82339ccac3fcf84f7b0de53ce2e2f44411656b61db49d4d045112b56aeede1c76e90730e6859c4582ac34994326c00c18fab1228cd17dfa55dc

Download Submit
C:\SysDrv5L\xdobec.exe

Filesize
970KB

MD5
7455b431fd45d92d0bc307637059dd42

SHA1
0741c9140de2a677b227a54d627d47c32c24bf46

SHA256
a7834f9a4a0a6255f284011578668209d5c6e0dfbd4d90e799bbe579546d8d9d

SHA512
51bc9c610dadb6fd978e44052c287ae0e0cffec2408bf1cc93f2c4ed551d0048caed1373a65c1020d7c155c0ec2ab548a6464da8b2e53f5d73dc7ea25b440ae2

Download Submit
C:\Users\Admin\253086396416_6.2_Admin.ini

Filesize
166B

MD5
44287cdbbe6ff8d5b925c00dfaae2f3b

SHA1
efd024a444b255062921a52a39a8d4d3065d4f16

SHA256
d3321ff1294fb7de9aa8ce3bfc57e9547795ceb17b5fd6cec854304cec7a1183

SHA512
4c01802343cf1bdc7979c64ea44279f8fb270d0b326551024255a57a3557b02c7dd54bca18166fc947a96e1c6bcb5b8ca89f7b1484491057edd5ad4b8401dc6b

Download Submit
C:\Users\Admin\253086396416_6.2_Admin.ini

Filesize
198B

MD5
d84b94d09da07374fa23bd770d3316d8

SHA1
3f322bd05b22ce6b02c14780e0542f4dbdc51c85

SHA256
c8e6c983e37c8d56a84f46145ed3ff037176e3ba5820caf84e62543b6e788e49

SHA512
579c0bb780352538b9c1926f3e1eae0b86499fd6ef418c19c7c69476f0e386c3c18729d5d1516279c1a772a513bde8555a42514b2ab2aa465fc78b7f249933d0

Download Submit
C:\Users\Admin\253086396416_6.2_Admin.ini

Filesize
164B

MD5
81dc8f6fcd8848b974e07efe42890650

SHA1
cfdc032c3c8455a02f7290e807999d7bf38dac09

SHA256
1732fde890867a4d612ac64f548ded20732c441031de893655f9b35e66b74998

SHA512
0b58aa5bee80035d3f1e29f0077d9d6e82ce58f475ae672580c09177e9004f69390225d2b9f16dffc39433e78934c9417b0702c7280a4cf56d2f04d06687f225

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe

Filesize
970KB

MD5
1acddb3ca496c9108ed9abff41bc50f4

SHA1
c6bba9cc2d670bcca87670dd2ed348d84da8172f

SHA256
5bd9884f621eb69e8dcdb0c1325c7f5e598a6dd6c1a655969041425afead3e88

SHA512
657b7f01c328c78419e70de7a1723013f948c24713a989e203a0da133f511f20d05717516791f33cf8d944463df32b1fcf55a083c0e00a887d95b21db70c87ba

Download Submit