d16a7a2d4765c22a5b77f10d31b99dd2be9544387e528678551b2df520548a67

General

Target

d16a7a2d4765c22a5b77f10d31b99dd2be9544387e528678551b2df520548a67.exe
Size

2.6MB
MD5

f5beed01e362e949e31811b8021784e5
SHA1

1ece4ea2e5c874d197ab369d5f7116fd25b8e82f
SHA256

d16a7a2d4765c22a5b77f10d31b99dd2be9544387e528678551b2df520548a67
SHA512

beb7df35b9428e4ee5364af416eba2c044bbf8df8bf3a6e6f590c4bc05be382b926c86835109453a4bb7a711929c934c0c48ce395e8cfb86e6e25de91179ef5b
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBfB/bSy:sxX7QnxrloE5dpUp0b1

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

d16a7a2d4765c22a5b77f10d31b99dd2be9544387e528678551b2df520548a67.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe	d16a7a2d4765c22a5b77f10d31b99dd2be9544387e528678551b2df520548a67.exe

Executes dropped EXE 2 IoCs

Processes:

ecaopti.exeadobec.exe

pid process

2776 ecaopti.exe
2844 adobec.exe

pid	process
2776	ecaopti.exe
2844	adobec.exe

Loads dropped DLL 2 IoCs

Processes:

d16a7a2d4765c22a5b77f10d31b99dd2be9544387e528678551b2df520548a67.exe

pid	process
2736	d16a7a2d4765c22a5b77f10d31b99dd2be9544387e528678551b2df520548a67.exe
2736	d16a7a2d4765c22a5b77f10d31b99dd2be9544387e528678551b2df520548a67.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

d16a7a2d4765c22a5b77f10d31b99dd2be9544387e528678551b2df520548a67.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvM1\\adobec.exe"	d16a7a2d4765c22a5b77f10d31b99dd2be9544387e528678551b2df520548a67.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxZ2\\boddevec.exe"	d16a7a2d4765c22a5b77f10d31b99dd2be9544387e528678551b2df520548a67.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

d16a7a2d4765c22a5b77f10d31b99dd2be9544387e528678551b2df520548a67.exeecaopti.exeadobec.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d16a7a2d4765c22a5b77f10d31b99dd2be9544387e528678551b2df520548a67.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecaopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adobec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

d16a7a2d4765c22a5b77f10d31b99dd2be9544387e528678551b2df520548a67.exeecaopti.exeadobec.exe

pid	process
2736	d16a7a2d4765c22a5b77f10d31b99dd2be9544387e528678551b2df520548a67.exe
2736	d16a7a2d4765c22a5b77f10d31b99dd2be9544387e528678551b2df520548a67.exe
2776	ecaopti.exe
2844	adobec.exe
2776	ecaopti.exe
2844	adobec.exe
2776	ecaopti.exe
2844	adobec.exe
2776	ecaopti.exe
2844	adobec.exe
2776	ecaopti.exe
2844	adobec.exe
2776	ecaopti.exe
2844	adobec.exe
2776	ecaopti.exe
2844	adobec.exe
2776	ecaopti.exe
2844	adobec.exe
2776	ecaopti.exe
2844	adobec.exe
2776	ecaopti.exe
2844	adobec.exe
2776	ecaopti.exe
2844	adobec.exe
2776	ecaopti.exe
2844	adobec.exe
2776	ecaopti.exe
2844	adobec.exe
2776	ecaopti.exe
2844	adobec.exe
2776	ecaopti.exe
2844	adobec.exe
2776	ecaopti.exe
2844	adobec.exe
2776	ecaopti.exe
2844	adobec.exe
2776	ecaopti.exe
2844	adobec.exe
2776	ecaopti.exe
2844	adobec.exe
2776	ecaopti.exe
2844	adobec.exe
2776	ecaopti.exe
2844	adobec.exe
2776	ecaopti.exe
2844	adobec.exe
2776	ecaopti.exe
2844	adobec.exe
2776	ecaopti.exe
2844	adobec.exe
2776	ecaopti.exe
2844	adobec.exe
2776	ecaopti.exe
2844	adobec.exe
2776	ecaopti.exe
2844	adobec.exe
2776	ecaopti.exe
2844	adobec.exe
2776	ecaopti.exe
2844	adobec.exe
2776	ecaopti.exe
2844	adobec.exe
2776	ecaopti.exe
2844	adobec.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

d16a7a2d4765c22a5b77f10d31b99dd2be9544387e528678551b2df520548a67.exe

description	pid	process	target process
PID 2736 wrote to memory of 2776	2736	d16a7a2d4765c22a5b77f10d31b99dd2be9544387e528678551b2df520548a67.exe	ecaopti.exe
PID 2736 wrote to memory of 2776	2736	d16a7a2d4765c22a5b77f10d31b99dd2be9544387e528678551b2df520548a67.exe	ecaopti.exe
PID 2736 wrote to memory of 2776	2736	d16a7a2d4765c22a5b77f10d31b99dd2be9544387e528678551b2df520548a67.exe	ecaopti.exe
PID 2736 wrote to memory of 2776	2736	d16a7a2d4765c22a5b77f10d31b99dd2be9544387e528678551b2df520548a67.exe	ecaopti.exe
PID 2736 wrote to memory of 2844	2736	d16a7a2d4765c22a5b77f10d31b99dd2be9544387e528678551b2df520548a67.exe	adobec.exe
PID 2736 wrote to memory of 2844	2736	d16a7a2d4765c22a5b77f10d31b99dd2be9544387e528678551b2df520548a67.exe	adobec.exe
PID 2736 wrote to memory of 2844	2736	d16a7a2d4765c22a5b77f10d31b99dd2be9544387e528678551b2df520548a67.exe	adobec.exe
PID 2736 wrote to memory of 2844	2736	d16a7a2d4765c22a5b77f10d31b99dd2be9544387e528678551b2df520548a67.exe	adobec.exe

C:\Users\Admin\AppData\Local\Temp\d16a7a2d4765c22a5b77f10d31b99dd2be9544387e528678551b2df520548a67.exe
"C:\Users\Admin\AppData\Local\Temp\d16a7a2d4765c22a5b77f10d31b99dd2be9544387e528678551b2df520548a67.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2776
- C:\SysDrvM1\adobec.exe
  C:\SysDrvM1\adobec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxZ2\boddevec.exe

Filesize
2.6MB

MD5
fa5ec97f7c723f1b101a71e705c3fbcd

SHA1
4d53baffbd8eac14a7ca53e8d03dee2dd518690e

SHA256
ecec7e09f5d113831a871a8c5c95b2db3710303b680c89a8181065b6f2a9f423

SHA512
6dbfd4c2573e0a99a1f867a10a6de1b0902631b1dc0d3461a1917223fdb808d50b2246c9c963ec6727bf416028b7544218acb5009512a8a39faa3a5a96f4ae6a

Download Submit
C:\GalaxZ2\boddevec.exe

Filesize
9KB

MD5
069c7d5ebc20ead441519fc2807acdfc

SHA1
94eb49acfddc6450c4810d85271299b49f964a2a

SHA256
af2d7152258913747132a41b113c445005357f268ca6a717b1a8a42c3ac7052f

SHA512
91dd10db98a2c08140dabc8a5cbe76768d1878b4cbf579f7f2c7fc0466e81b35f6a33d4dc31c97b393de15d2bb730f141974d3a6784c8f6a2748d67bc75433e9

Download Submit
C:\SysDrvM1\adobec.exe

Filesize
2.6MB

MD5
c90eacce0a136c1116d9a46a6139f12f

SHA1
e9741e1abc96cb2e68e89efe9e6cf229cfd75684

SHA256
54f24e3d7db128fb1114371ddc399f7b334a8ec1b5fc8f9dae7f273e2d4a4475

SHA512
bbbfa3e35d733caf4444ed162aaffa6d6911e892b83cef4823c56bf53ba8a2ee8437cc64b76b1e63e3dd3174408787ced9ad60cf4243cdb2328283bb40a32528

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
170B

MD5
b13a57bc91c229eb7732fe05eff07ae3

SHA1
860916942e6f1ffbc05fdb8d5d369ee191e66f6b

SHA256
580bff4d40b6fe5c3e67e3c86cc35f72435435a1913472c047b687ccc1adb33c

SHA512
d08dad55964b76dea563f72d9fac2083d2e63bd53c45ea01688e55b7f619ff992689697cd20728ae2119d00b50aa6121b73bae328fc26ffa267e11fdcbe82887

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
ff16b9425e951d67c19345bd5df30c88

SHA1
91405f4f688df57341d2b276030bd6de0f22cf53

SHA256
cb23ef16f5476a54b60bf1277b4e73def786c04a8076042d5b807d1397174e44

SHA512
76c927b5ee52856a42161f2d2a785bf237b8a70dc89fa8467f67587c18f2f2e82797a2c91cdfc737a53f21c15348b31dc86a6dc0e94eba232d119058530bbad5

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe

Filesize
2.6MB

MD5
f34e78e24e68b7a4dc62a2520895993d

SHA1
d15338f672b7d913b19447588f0bd6e4523e9924

SHA256
5c41133d8e841273951428049fecf65c2a95f252a6fe1712cd04c2c8cda87c1a

SHA512
119bb8aa083dcf1e3f71a62ea9e92b487c385177da61a1f1c5d137f6122a0db2388c3af0bec6a30d0a5379fcec67f8f593aefff9e8a8b0a0d9a6ee98d146c25a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads