557bf85ed49b6bb62036fcc24593f83e895df5f1fbd6e4d288477a878ea062d9

Analysis

max time kernel
120s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/11/2024, 15:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

557bf85ed49b6bb62036fcc24593f83e895df5f1fbd6e4d288477a878ea062d9.exe
Size

2.6MB
MD5

c8aa68ef14a248bfbe28f8df2a7bc02f
SHA1

d243c92aa51c757faefd6b71b6801b225c0c696c
SHA256

557bf85ed49b6bb62036fcc24593f83e895df5f1fbd6e4d288477a878ea062d9
SHA512

eef992a2559f1c2a576c96e6368e2db9c8d3e3cb66a4f21eec4bb9927755b6ba4586bbd9a8c0ff5b3c6c78f7d510615ff0c8b924196eaa85a9295f70ef2f74f2
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBMB/bSW:sxX7QnxrloE5dpUpDbn

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe	557bf85ed49b6bb62036fcc24593f83e895df5f1fbd6e4d288477a878ea062d9.exe

Executes dropped EXE 2 IoCs

pid	Process
2552	ecaopti.exe
444	adobsys.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotRK\\adobsys.exe"	557bf85ed49b6bb62036fcc24593f83e895df5f1fbd6e4d288477a878ea062d9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZDT\\optialoc.exe"	557bf85ed49b6bb62036fcc24593f83e895df5f1fbd6e4d288477a878ea062d9.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecaopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adobsys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	557bf85ed49b6bb62036fcc24593f83e895df5f1fbd6e4d288477a878ea062d9.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4684	557bf85ed49b6bb62036fcc24593f83e895df5f1fbd6e4d288477a878ea062d9.exe
4684	557bf85ed49b6bb62036fcc24593f83e895df5f1fbd6e4d288477a878ea062d9.exe
4684	557bf85ed49b6bb62036fcc24593f83e895df5f1fbd6e4d288477a878ea062d9.exe
4684	557bf85ed49b6bb62036fcc24593f83e895df5f1fbd6e4d288477a878ea062d9.exe
2552	ecaopti.exe
2552	ecaopti.exe
444	adobsys.exe
444	adobsys.exe
2552	ecaopti.exe
2552	ecaopti.exe
444	adobsys.exe
444	adobsys.exe
2552	ecaopti.exe
2552	ecaopti.exe
444	adobsys.exe
444	adobsys.exe
2552	ecaopti.exe
2552	ecaopti.exe
444	adobsys.exe
444	adobsys.exe
2552	ecaopti.exe
2552	ecaopti.exe
444	adobsys.exe
444	adobsys.exe
2552	ecaopti.exe
2552	ecaopti.exe
444	adobsys.exe
444	adobsys.exe
2552	ecaopti.exe
2552	ecaopti.exe
444	adobsys.exe
444	adobsys.exe
2552	ecaopti.exe
2552	ecaopti.exe
444	adobsys.exe
444	adobsys.exe
2552	ecaopti.exe
2552	ecaopti.exe
444	adobsys.exe
444	adobsys.exe
2552	ecaopti.exe
2552	ecaopti.exe
444	adobsys.exe
444	adobsys.exe
2552	ecaopti.exe
2552	ecaopti.exe
444	adobsys.exe
444	adobsys.exe
2552	ecaopti.exe
2552	ecaopti.exe
444	adobsys.exe
444	adobsys.exe
2552	ecaopti.exe
2552	ecaopti.exe
444	adobsys.exe
444	adobsys.exe
2552	ecaopti.exe
2552	ecaopti.exe
444	adobsys.exe
444	adobsys.exe
2552	ecaopti.exe
2552	ecaopti.exe
444	adobsys.exe
444	adobsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4684 wrote to memory of 2552	4684	557bf85ed49b6bb62036fcc24593f83e895df5f1fbd6e4d288477a878ea062d9.exe	88
PID 4684 wrote to memory of 2552	4684	557bf85ed49b6bb62036fcc24593f83e895df5f1fbd6e4d288477a878ea062d9.exe	88
PID 4684 wrote to memory of 2552	4684	557bf85ed49b6bb62036fcc24593f83e895df5f1fbd6e4d288477a878ea062d9.exe	88
PID 4684 wrote to memory of 444	4684	557bf85ed49b6bb62036fcc24593f83e895df5f1fbd6e4d288477a878ea062d9.exe	90
PID 4684 wrote to memory of 444	4684	557bf85ed49b6bb62036fcc24593f83e895df5f1fbd6e4d288477a878ea062d9.exe	90
PID 4684 wrote to memory of 444	4684	557bf85ed49b6bb62036fcc24593f83e895df5f1fbd6e4d288477a878ea062d9.exe	90

C:\Users\Admin\AppData\Local\Temp\557bf85ed49b6bb62036fcc24593f83e895df5f1fbd6e4d288477a878ea062d9.exe
"C:\Users\Admin\AppData\Local\Temp\557bf85ed49b6bb62036fcc24593f83e895df5f1fbd6e4d288477a878ea062d9.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4684
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2552
- C:\UserDotRK\adobsys.exe
  C:\UserDotRK\adobsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZDT\optialoc.exe

Filesize
2.6MB

MD5
63add2a75119cfee283f673251e64bbc

SHA1
127efee328268706202e5b8e75d1e3abd8ff7ff7

SHA256
08ac106a73ac02c2e85f3f8d3c994f5f94a002eaae1809b339895df9e0619b3e

SHA512
a1deea1ed383d57910774a6859f682df6ea4772efc6154809541d1b92b4abf6a6d590e450d17516bc0cdc5a99a89c56e69d3052dee6d9d8b7c11fb122e27a738

Download Submit
C:\LabZDT\optialoc.exe

Filesize
348KB

MD5
e409ed5bc2762d3d9c29709fe6a5ef2e

SHA1
e116f226ec042ff78cac435a55ea8bb42ae97142

SHA256
0a0f4ff4db8f884b8f631ba13a79d426f8ddd79748ef79a481d83007aa8c6c45

SHA512
8a3736507ef958438d82b32c9f167cc4d009d8bccae1dcd0881097e7400124bd49511f714a2ca32f72db25bc7e830d429f8cd28eb5f276bcb158c95251045521

Download Submit
C:\UserDotRK\adobsys.exe

Filesize
2.6MB

MD5
c87a8f9c4960107540ce80aff0a65038

SHA1
f2745b2c4f023a5c43fb91589cbbcec93ae1bf79

SHA256
b3984995748a7a05375aeefc333c486c2ebaa83d2f0496bd316615a842a09d66

SHA512
e8e85d3315111ada57e6442b40e21e80754060c8385e68992e41e9e2df43f44ac3736439d16ee083f58ae2b1dbc770469468f8e7e9f55a920c1b7b464ca2bfc2

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
5b40d2036f320ceb21db724dc1794084

SHA1
1ef5b2496bc55c03188ae3720ee8c067b01bfa66

SHA256
7198725fcace29a8270f7124e42a0cfe7a082107905ee200c50de6e3d092e1b6

SHA512
25022c06305aa72ea8dd2f4ddfe6e14c611f608a429e94374a786f690f230dafa44c7f4c33bcf00d7a4164b00d2f21c3e4ca328687fc5536e9e4b940270add2e

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
171B

MD5
07257d3092bdc1ccc9b46b989977c4c8

SHA1
ed0e9293b2200ac5c7d27f9c5ce6a0c727bac6b6

SHA256
f56dae9c18bcb8e8c5fe1ed77b8d99704cf2a0b33de87190a74db2c77856fe3c

SHA512
ca8a70daaeb6c3f96ec5608acdefe8a46b2ea3319a6b75be793b379eca7d5554ed1ef039ee9592958eb690b01ffc7eb542aee2ea67e517d5b8b083c9a6cbc3d6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe

Filesize
2.6MB

MD5
96647f684b84b33d62f7fb1dbe451119

SHA1
2bc33941ee2b6b963b8a7430e6c3b01ccbb9f2a6

SHA256
8e450e0f874a13dcf0f4821e0e8307ed077d264ce18e9453bf0714d73f78c68e

SHA512
a4c112896a6e7d4f7fa26a3d573b517add19de863d6b89607d22cc687900e51c0332c0a03c613a41c78c5e91675508eba3c449742b13fa5761a4c326c5d9baf6

Download Submit