bc58ae4d5c70da980c248176df66ca9279452e266a400932e58ec879a62e8082

Analysis

max time kernel
149s
max time network
126s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
20/11/2024, 03:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc58ae4d5c70da980c248176df66ca9279452e266a400932e58ec879a62e8082.exe
Size

2.6MB
MD5

16a5e3bf0cce4d68f27f85ae299e04e6
SHA1

6275583c2b419387e870e1faf185973cfb272942
SHA256

bc58ae4d5c70da980c248176df66ca9279452e266a400932e58ec879a62e8082
SHA512

c2c1c8a221c555def6b2ea53cd92178bc23904843fc770561525a111730c04dacc1e32beaf771b70e8c641e96c0fab5453b88a19ab85006242d979bb6201dc14
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB5B/bS:sxX7QnxrloE5dpUpKb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe	bc58ae4d5c70da980c248176df66ca9279452e266a400932e58ec879a62e8082.exe

Executes dropped EXE 2 IoCs

pid	Process
2144	ecaopti.exe
3060	devdobsys.exe

Loads dropped DLL 2 IoCs

pid	Process
1232	bc58ae4d5c70da980c248176df66ca9279452e266a400932e58ec879a62e8082.exe
1232	bc58ae4d5c70da980c248176df66ca9279452e266a400932e58ec879a62e8082.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotLK\\devdobsys.exe"	bc58ae4d5c70da980c248176df66ca9279452e266a400932e58ec879a62e8082.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintSL\\dobxsys.exe"	bc58ae4d5c70da980c248176df66ca9279452e266a400932e58ec879a62e8082.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bc58ae4d5c70da980c248176df66ca9279452e266a400932e58ec879a62e8082.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecaopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devdobsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1232	bc58ae4d5c70da980c248176df66ca9279452e266a400932e58ec879a62e8082.exe
1232	bc58ae4d5c70da980c248176df66ca9279452e266a400932e58ec879a62e8082.exe
2144	ecaopti.exe
3060	devdobsys.exe
2144	ecaopti.exe
3060	devdobsys.exe
2144	ecaopti.exe
3060	devdobsys.exe
2144	ecaopti.exe
3060	devdobsys.exe
2144	ecaopti.exe
3060	devdobsys.exe
2144	ecaopti.exe
3060	devdobsys.exe
2144	ecaopti.exe
3060	devdobsys.exe
2144	ecaopti.exe
3060	devdobsys.exe
2144	ecaopti.exe
3060	devdobsys.exe
2144	ecaopti.exe
3060	devdobsys.exe
2144	ecaopti.exe
3060	devdobsys.exe
2144	ecaopti.exe
3060	devdobsys.exe
2144	ecaopti.exe
3060	devdobsys.exe
2144	ecaopti.exe
3060	devdobsys.exe
2144	ecaopti.exe
3060	devdobsys.exe
2144	ecaopti.exe
3060	devdobsys.exe
2144	ecaopti.exe
3060	devdobsys.exe
2144	ecaopti.exe
3060	devdobsys.exe
2144	ecaopti.exe
3060	devdobsys.exe
2144	ecaopti.exe
3060	devdobsys.exe
2144	ecaopti.exe
3060	devdobsys.exe
2144	ecaopti.exe
3060	devdobsys.exe
2144	ecaopti.exe
3060	devdobsys.exe
2144	ecaopti.exe
3060	devdobsys.exe
2144	ecaopti.exe
3060	devdobsys.exe
2144	ecaopti.exe
3060	devdobsys.exe
2144	ecaopti.exe
3060	devdobsys.exe
2144	ecaopti.exe
3060	devdobsys.exe
2144	ecaopti.exe
3060	devdobsys.exe
2144	ecaopti.exe
3060	devdobsys.exe
2144	ecaopti.exe
3060	devdobsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1232 wrote to memory of 2144	1232	bc58ae4d5c70da980c248176df66ca9279452e266a400932e58ec879a62e8082.exe	30
PID 1232 wrote to memory of 2144	1232	bc58ae4d5c70da980c248176df66ca9279452e266a400932e58ec879a62e8082.exe	30
PID 1232 wrote to memory of 2144	1232	bc58ae4d5c70da980c248176df66ca9279452e266a400932e58ec879a62e8082.exe	30
PID 1232 wrote to memory of 2144	1232	bc58ae4d5c70da980c248176df66ca9279452e266a400932e58ec879a62e8082.exe	30
PID 1232 wrote to memory of 3060	1232	bc58ae4d5c70da980c248176df66ca9279452e266a400932e58ec879a62e8082.exe	31
PID 1232 wrote to memory of 3060	1232	bc58ae4d5c70da980c248176df66ca9279452e266a400932e58ec879a62e8082.exe	31
PID 1232 wrote to memory of 3060	1232	bc58ae4d5c70da980c248176df66ca9279452e266a400932e58ec879a62e8082.exe	31
PID 1232 wrote to memory of 3060	1232	bc58ae4d5c70da980c248176df66ca9279452e266a400932e58ec879a62e8082.exe	31

C:\Users\Admin\AppData\Local\Temp\bc58ae4d5c70da980c248176df66ca9279452e266a400932e58ec879a62e8082.exe
"C:\Users\Admin\AppData\Local\Temp\bc58ae4d5c70da980c248176df66ca9279452e266a400932e58ec879a62e8082.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1232
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2144
- C:\UserDotLK\devdobsys.exe
  C:\UserDotLK\devdobsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintSL\dobxsys.exe

Filesize
2.6MB

MD5
c3d74f307d71f103df1f0c12a395a33e

SHA1
063a67968af89eb7f7174bfd07582fd678588677

SHA256
a01de22b3412c5c579271f8d8c73301c7712de968fd408cd7242b04966e975ef

SHA512
cbb0532be9a84d1321ea93a5dbdd91b34a0d30c5cd7b0e36be8c6ed1894a304af3377799d253a185b50703c6e92d756dbfae80b3293b3f93afb6a809f7159294

Download Submit
C:\MintSL\dobxsys.exe

Filesize
2.6MB

MD5
199150ea5612ee5b2087f249457fda8d

SHA1
16be1714234bc1a1eb4e3bc64795a650f8143fb9

SHA256
b2951cbe2545b99e6e0a6ed576e80be3860d87bbf95e2c26890c9c0e7c7c3f8e

SHA512
e399109c8475af0c8f6090c8fd09000e94360edf98faa0cc80d3f5790e5fee1521df019d1c86ae9cca4a66021921b1bffd01dfd942482a735f0b31e420cdcbff

Download Submit
C:\UserDotLK\devdobsys.exe

Filesize
2.6MB

MD5
567a35064f83bf6cedc2ca138cf5a775

SHA1
352e0d5b3de6e4e4dbca960bc6a4a173237cc2cc

SHA256
364c70fe45dc4385613399d0faf131f572cdf23f770b662f9eabf155b765c6e8

SHA512
49870ac6b28b09d20df071a9d81e6dd883389027a23f5b9b815dabd7664da3572df73815e097076a254bbe7b8e80a07cd6c393a17c12bc14f6582d06bd8478c0

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
172B

MD5
f765e1bc6794c2a708e408105f268aa4

SHA1
41599d5fd8b225791d51b5aeb4b4829794065a4a

SHA256
4215a4be5a222bd23fc147b232f2e23a9641bd6f6a4c26658177b1da495bfa9c

SHA512
c4deab3b51c0aa3fa618a853fd17b30353fc4ac6b42dbf0739a14821291d2b31e5c7fc717a4581f16c7daf180b6157489a8cb458dfa045f5928d4832f8351efa

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
38be7addf512d6f3f6b651ed3fdea993

SHA1
aea579df03fb9f2512e9e9a08eebe1616ea864d4

SHA256
774315f7e9e7de7b6b3cb7cfb456ae2646250154ab7af2db71573ce9f58acffa

SHA512
efd49238f976b6116b82b98fd3143d68220475ca88c79a70465f6a7bc53e051d7c2076a9c88c59efebdb257d9fe7053ce297d3b4117328182285af348e7df0b6

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe

Filesize
2.6MB

MD5
cfcf71587d763b140dca842237ce3742

SHA1
59a751d8418ab2d33a055d700b23f79a1cff2241

SHA256
5ddc89432075125d6cc793857a9b04d527eb86e757fcdb278cc634709aa9243d

SHA512
94f7dfec745d061aee1be5b509aaec2bebdecebaf69d97e9b96e4245465390e4ca39db08176dce9ec7a4a4f1fe6a8ed279a7642496bd7097203821127549279a

Download Submit