e2ec485afad6716d33fe0f22581bbb69127488b5014287ab01855363902da63f

Analysis

max time kernel
149s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21/11/2024, 10:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e2ec485afad6716d33fe0f22581bbb69127488b5014287ab01855363902da63f.exe
Size

2.6MB
MD5

95d2a642b77e56e0c654e312cc82690d
SHA1

bf417eb6f418e7ea9348b022ec134380fc98fc13
SHA256

e2ec485afad6716d33fe0f22581bbb69127488b5014287ab01855363902da63f
SHA512

c16e77f53a3c3c9adb19267086472f5f1b1be0017ddc6b41881b77e9761a4c0e8672c752281e727f5a6856bf48c4577c8cc4c58b338f63329f43a9c999afbe4f
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBcB/bS:sxX7QnxrloE5dpUp/b

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe	e2ec485afad6716d33fe0f22581bbb69127488b5014287ab01855363902da63f.exe

Executes dropped EXE 2 IoCs

pid	Process
3568	ecaopti.exe
2032	xdobloc.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocZT\\xdobloc.exe"	e2ec485afad6716d33fe0f22581bbb69127488b5014287ab01855363902da63f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZJ9\\optiasys.exe"	e2ec485afad6716d33fe0f22581bbb69127488b5014287ab01855363902da63f.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e2ec485afad6716d33fe0f22581bbb69127488b5014287ab01855363902da63f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecaopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdobloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4508	e2ec485afad6716d33fe0f22581bbb69127488b5014287ab01855363902da63f.exe
4508	e2ec485afad6716d33fe0f22581bbb69127488b5014287ab01855363902da63f.exe
4508	e2ec485afad6716d33fe0f22581bbb69127488b5014287ab01855363902da63f.exe
4508	e2ec485afad6716d33fe0f22581bbb69127488b5014287ab01855363902da63f.exe
3568	ecaopti.exe
3568	ecaopti.exe
2032	xdobloc.exe
2032	xdobloc.exe
3568	ecaopti.exe
3568	ecaopti.exe
2032	xdobloc.exe
2032	xdobloc.exe
3568	ecaopti.exe
3568	ecaopti.exe
2032	xdobloc.exe
2032	xdobloc.exe
3568	ecaopti.exe
3568	ecaopti.exe
2032	xdobloc.exe
2032	xdobloc.exe
3568	ecaopti.exe
3568	ecaopti.exe
2032	xdobloc.exe
2032	xdobloc.exe
3568	ecaopti.exe
3568	ecaopti.exe
2032	xdobloc.exe
2032	xdobloc.exe
3568	ecaopti.exe
3568	ecaopti.exe
2032	xdobloc.exe
2032	xdobloc.exe
3568	ecaopti.exe
3568	ecaopti.exe
2032	xdobloc.exe
2032	xdobloc.exe
3568	ecaopti.exe
3568	ecaopti.exe
2032	xdobloc.exe
2032	xdobloc.exe
3568	ecaopti.exe
3568	ecaopti.exe
2032	xdobloc.exe
2032	xdobloc.exe
3568	ecaopti.exe
3568	ecaopti.exe
2032	xdobloc.exe
2032	xdobloc.exe
3568	ecaopti.exe
3568	ecaopti.exe
2032	xdobloc.exe
2032	xdobloc.exe
3568	ecaopti.exe
3568	ecaopti.exe
2032	xdobloc.exe
2032	xdobloc.exe
3568	ecaopti.exe
3568	ecaopti.exe
2032	xdobloc.exe
2032	xdobloc.exe
3568	ecaopti.exe
3568	ecaopti.exe
2032	xdobloc.exe
2032	xdobloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4508 wrote to memory of 3568	4508	e2ec485afad6716d33fe0f22581bbb69127488b5014287ab01855363902da63f.exe	82
PID 4508 wrote to memory of 3568	4508	e2ec485afad6716d33fe0f22581bbb69127488b5014287ab01855363902da63f.exe	82
PID 4508 wrote to memory of 3568	4508	e2ec485afad6716d33fe0f22581bbb69127488b5014287ab01855363902da63f.exe	82
PID 4508 wrote to memory of 2032	4508	e2ec485afad6716d33fe0f22581bbb69127488b5014287ab01855363902da63f.exe	85
PID 4508 wrote to memory of 2032	4508	e2ec485afad6716d33fe0f22581bbb69127488b5014287ab01855363902da63f.exe	85
PID 4508 wrote to memory of 2032	4508	e2ec485afad6716d33fe0f22581bbb69127488b5014287ab01855363902da63f.exe	85

C:\Users\Admin\AppData\Local\Temp\e2ec485afad6716d33fe0f22581bbb69127488b5014287ab01855363902da63f.exe
"C:\Users\Admin\AppData\Local\Temp\e2ec485afad6716d33fe0f22581bbb69127488b5014287ab01855363902da63f.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4508
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3568
- C:\IntelprocZT\xdobloc.exe
  C:\IntelprocZT\xdobloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocZT\xdobloc.exe

Filesize
2.6MB

MD5
7cf0ff824d2d58bdfe484d849b329882

SHA1
6d6f2e8a06722fce5499127c1da64df5a371068c

SHA256
4f7d7676ba8cd4d0131bb3934608223119a353cb99a684eadf0d532019a87e99

SHA512
5caf721803b8eac5a1e3ad68084e2f7c5b086137892db3a8dbd53492dad1f7d708ed8d99f69a72b218b4433d23f2e10fb0981a26d05f4e3e4c4a0b98f86cd40a

Download Submit
C:\LabZJ9\optiasys.exe

Filesize
2.6MB

MD5
53c8889789a47184a31cd32d9d29b710

SHA1
005550ebfa49f7d61c2e638b1a9398e4ce0eee48

SHA256
a90eb28cbab7ae4683d54479901b370a318f8d00374f7d7a704f81e43ca3f685

SHA512
95bdb8dfc6d0926d613d87a1cbc67555aee6db7b0385eb1d8fea3514114a34b8d2e6d2f45640a5394408877e6248d3e939e5ed02114f56094a3d04b57a56f7fd

Download Submit
C:\LabZJ9\optiasys.exe

Filesize
2.6MB

MD5
ff8e0c816de73aa3b74891415f085b37

SHA1
c446cbc5eee068850209e19ad2ad2ed921895d39

SHA256
b0edce0c3d7b8778efc41e6f5497e7cd2d633963158dad31907dfdac560c7a8d

SHA512
b4c2fe59cd64f2a1fd75320bb95473cf3db8e19a2d20e5861a993f254c1af70338c5d843bf23b39086e346dec616b8d20e6f7c499b5208059851341728a12a82

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
3cbd48f5a2f1108a1c65895ef172b366

SHA1
5770bc0af7804491f398a90cded453d67e7f4542

SHA256
d6625785af1914a65fc02a6833b811d8a16ceb7ec3254415af362ae7c41a0344

SHA512
7a85b601dab66adfbcfc600ecdf404ca17104bb421afc96e4693ddd6fd4f19337659805502779d60a61109d5c9f9bd4854b8479000d72671acea6b08dc3974bb

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
173B

MD5
b0becb3332b8b4766e947004b82721c5

SHA1
6206c0f0a48a2eb233080044fb64e3601a9f97b5

SHA256
3b56b76d5d8fcef4513ac76653b92e59195fbfb4479aa2e68196ff53ec35a40e

SHA512
7bc22fd986749f770cd349320cce63e36f46b15111d62cc96e1da0b7653a70fad60fe2d84d736b9301f221d4821fc2793ea100d7c6d77e40a7735171a88015d7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe

Filesize
2.6MB

MD5
f89c96525cf240065630cda8a85ff97c

SHA1
0d3b9a761bffe30cac445d47d110a7a314b2711a

SHA256
5b3b50bc2662fdaab674ffadba440e4381a83b226abd5bcc44a4a713a325dc01

SHA512
4dc94f8f1e0b0af6e964ef3bef1e8703aa8e8180a094c4d0df362802cb5eb123d00abda84a5e5fe690cb837f69f305b1e39de21acc507890b532b3bfad9b3cef

Download Submit