7fad5bca444f792b2fec30f7878aaadbb394296b60637e04d1fafb6f0fd40b6a

Analysis

max time kernel
120s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2024, 20:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7fad5bca444f792b2fec30f7878aaadbb394296b60637e04d1fafb6f0fd40b6aN.exe
Size

2.6MB
MD5

d856c60816dc2658d440aeed9b67d7f0
SHA1

57aef4ecf6d43dd3ee4ce4c5a236ab98b9508232
SHA256

7fad5bca444f792b2fec30f7878aaadbb394296b60637e04d1fafb6f0fd40b6a
SHA512

de5818596eb4b868dabd8bd73a3fa3198c77c4572ca83ed08b4842944e959731667b83c5bb1dfeeaa0ced83b5b5bcc48b1e678f4d5dbdf238171fecee50aec0f
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBhB/bS:sxX7QnxrloE5dpUpOb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe	7fad5bca444f792b2fec30f7878aaadbb394296b60637e04d1fafb6f0fd40b6aN.exe

Executes dropped EXE 2 IoCs

pid	Process
1888	ecabod.exe
3392	xoptisys.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvR2\\xoptisys.exe"	7fad5bca444f792b2fec30f7878aaadbb394296b60637e04d1fafb6f0fd40b6aN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZVM\\optidevec.exe"	7fad5bca444f792b2fec30f7878aaadbb394296b60637e04d1fafb6f0fd40b6aN.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7fad5bca444f792b2fec30f7878aaadbb394296b60637e04d1fafb6f0fd40b6aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecabod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xoptisys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3676	7fad5bca444f792b2fec30f7878aaadbb394296b60637e04d1fafb6f0fd40b6aN.exe
3676	7fad5bca444f792b2fec30f7878aaadbb394296b60637e04d1fafb6f0fd40b6aN.exe
3676	7fad5bca444f792b2fec30f7878aaadbb394296b60637e04d1fafb6f0fd40b6aN.exe
3676	7fad5bca444f792b2fec30f7878aaadbb394296b60637e04d1fafb6f0fd40b6aN.exe
1888	ecabod.exe
1888	ecabod.exe
3392	xoptisys.exe
3392	xoptisys.exe
1888	ecabod.exe
1888	ecabod.exe
3392	xoptisys.exe
3392	xoptisys.exe
1888	ecabod.exe
1888	ecabod.exe
3392	xoptisys.exe
3392	xoptisys.exe
1888	ecabod.exe
1888	ecabod.exe
3392	xoptisys.exe
3392	xoptisys.exe
1888	ecabod.exe
1888	ecabod.exe
3392	xoptisys.exe
3392	xoptisys.exe
1888	ecabod.exe
1888	ecabod.exe
3392	xoptisys.exe
3392	xoptisys.exe
1888	ecabod.exe
1888	ecabod.exe
3392	xoptisys.exe
3392	xoptisys.exe
1888	ecabod.exe
1888	ecabod.exe
3392	xoptisys.exe
3392	xoptisys.exe
1888	ecabod.exe
1888	ecabod.exe
3392	xoptisys.exe
3392	xoptisys.exe
1888	ecabod.exe
1888	ecabod.exe
3392	xoptisys.exe
3392	xoptisys.exe
1888	ecabod.exe
1888	ecabod.exe
3392	xoptisys.exe
3392	xoptisys.exe
1888	ecabod.exe
1888	ecabod.exe
3392	xoptisys.exe
3392	xoptisys.exe
1888	ecabod.exe
1888	ecabod.exe
3392	xoptisys.exe
3392	xoptisys.exe
1888	ecabod.exe
1888	ecabod.exe
3392	xoptisys.exe
3392	xoptisys.exe
1888	ecabod.exe
1888	ecabod.exe
3392	xoptisys.exe
3392	xoptisys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3676 wrote to memory of 1888	3676	7fad5bca444f792b2fec30f7878aaadbb394296b60637e04d1fafb6f0fd40b6aN.exe	86
PID 3676 wrote to memory of 1888	3676	7fad5bca444f792b2fec30f7878aaadbb394296b60637e04d1fafb6f0fd40b6aN.exe	86
PID 3676 wrote to memory of 1888	3676	7fad5bca444f792b2fec30f7878aaadbb394296b60637e04d1fafb6f0fd40b6aN.exe	86
PID 3676 wrote to memory of 3392	3676	7fad5bca444f792b2fec30f7878aaadbb394296b60637e04d1fafb6f0fd40b6aN.exe	87
PID 3676 wrote to memory of 3392	3676	7fad5bca444f792b2fec30f7878aaadbb394296b60637e04d1fafb6f0fd40b6aN.exe	87
PID 3676 wrote to memory of 3392	3676	7fad5bca444f792b2fec30f7878aaadbb394296b60637e04d1fafb6f0fd40b6aN.exe	87

C:\Users\Admin\AppData\Local\Temp\7fad5bca444f792b2fec30f7878aaadbb394296b60637e04d1fafb6f0fd40b6aN.exe
"C:\Users\Admin\AppData\Local\Temp\7fad5bca444f792b2fec30f7878aaadbb394296b60637e04d1fafb6f0fd40b6aN.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3676
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1888
- C:\SysDrvR2\xoptisys.exe
  C:\SysDrvR2\xoptisys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZVM\optidevec.exe

Filesize
206KB

MD5
367e6ccb113574873abdbf68fcd8ddf8

SHA1
846519410150e7941ec69b9f61cb90490eee4b0b

SHA256
36afd7b2236abd101225113dde44eecb7166921df1997f0b33fa3a0996419738

SHA512
1c19c12a03222d0371bc934f2fb99d2b75622496fd071e30911d9c12166385de23c3b9ddc956632a4a11f85a2807a12b62f206520916bb52052e3d12db2ed2b3

Download Submit
C:\LabZVM\optidevec.exe

Filesize
6KB

MD5
b646265f07f9f16a9eedf6d5027f9e3c

SHA1
a47300f0e83643f499e1b7c1be83a375a1293ac7

SHA256
d9d3e8602e7f445e99a6594bba9d12ffef0a099ea168321e788dbde80f1fe025

SHA512
403b6c7a5606ac30e67478febf3210fc1d0e88e15fcc0544f80a00e2249b9fcf6ec71a25f5e36eaa2528ba1ab9c016dc5269cd1fe3a9758317b2abf1d8553f67

Download Submit
C:\SysDrvR2\xoptisys.exe

Filesize
47KB

MD5
cbb3bec55ce90b6e28b47fd7f2cdaede

SHA1
6ff6a31de3b71aa94154a87e9fe1c8b3a96f4e97

SHA256
84d6d0817ce5c493adf72097a099f376c388f65827262367b6baf6c85cd6c5b1

SHA512
ec12efb466d2b6ac63b222298b91f741e7ec3ec824e4aee5006c2b98bf258012643dbc75c745ac42352fee93a7241eeb7d3254f8bba17a582d7f25d95a1a604d

Download Submit
C:\SysDrvR2\xoptisys.exe

Filesize
2.6MB

MD5
abf480d5df0573f8f808b552ff15f27f

SHA1
a0d1f9f80a891e7c90888e4683e6f82b1167cb50

SHA256
20391c7db4487b3c87876a13119cb4edb5d6dd8d7751021cbd0ca342730e6e97

SHA512
ef43676a0a39c5a9eb49c5e503be19d218378226124eaa146461c943ea18bc027ee117d048d90b5f395cd99ba1abfb2a90d2986e854ece4ff072eebc841f5137

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
f441157b0d5eba18fadde90d96bda731

SHA1
5a373a3d0ea10cd766a67adf4ae74d8002f8ed80

SHA256
3031d3da4d770a2296db51e9a7ac58d75735c04f036f0f9cab45d8719bc7a78a

SHA512
13b0ad2465284f2d2e3c67065fee4a2bee0ac3670fbd9c798a58df25fe947f7bef61eb3ab960193ded506d313f4de67f71a7a6bd94398eaf93840f300ddfcd34

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
171B

MD5
21aad4f4960cd09518e05bf31ba36a5c

SHA1
68a444ed4d0a26a1c382c591cbc3a8cc7020cf08

SHA256
929eda55ca900ff269511ab527599657d085ae1ffc245de2d1b66560c437155f

SHA512
63bee41647b06ec70ccdb60fb6fde85845d283ce12b72d1c0dc6e86e0d842bf44dddf33533aaaff42d473d2a1aaf7866b9632c426c9b0357e47d920238417d0f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe

Filesize
2.6MB

MD5
1c059e9e9fe49d5a6abb4b5d3f3b85e8

SHA1
50f1d097b9a746fc419aa6c8b6c2a93c23086e11

SHA256
538a6ecf289467e55d064a232dc4a7ee35cab4820cb750acb44eaafb721b0c0c

SHA512
2fd964aec9379890377ae0492b2b58b7869301af7c52e64238fbdc47a17c2c8dc970251aa9bd0d28ca4b9c2ee6f87f604d86162a0813c05d30e271bd519ca238

Download Submit