eb07a811518541ef5d2111b0ebc6927f67223450888e00942242367f55236c62

General

Target

eb07a811518541ef5d2111b0ebc6927f67223450888e00942242367f55236c62.exe
Size

2.6MB
MD5

b7c3d62cad5a0e05f0a2ba6738d4b724
SHA1

ac5aff487b1542b78dc24cfee2ed8d3987a05c43
SHA256

eb07a811518541ef5d2111b0ebc6927f67223450888e00942242367f55236c62
SHA512

260972e6476eb96218de6121782cd94709b59941413ff3fd873b79984e3acb513e0e7b3c96f9ccd5b0c8a5137a018529431b13ba83275c3d2175c9374437b89d
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBAB/bS:sxX7QnxrloE5dpUpbb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

eb07a811518541ef5d2111b0ebc6927f67223450888e00942242367f55236c62.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe	eb07a811518541ef5d2111b0ebc6927f67223450888e00942242367f55236c62.exe

Executes dropped EXE 2 IoCs

Processes:

ecaopti.exedevdobloc.exe

pid process

2328 ecaopti.exe
2324 devdobloc.exe

pid	process
2328	ecaopti.exe
2324	devdobloc.exe

Loads dropped DLL 2 IoCs

Processes:

eb07a811518541ef5d2111b0ebc6927f67223450888e00942242367f55236c62.exe

pid	process
2888	eb07a811518541ef5d2111b0ebc6927f67223450888e00942242367f55236c62.exe
2888	eb07a811518541ef5d2111b0ebc6927f67223450888e00942242367f55236c62.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

eb07a811518541ef5d2111b0ebc6927f67223450888e00942242367f55236c62.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc32\\devdobloc.exe"	eb07a811518541ef5d2111b0ebc6927f67223450888e00942242367f55236c62.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidV0\\optiaec.exe"	eb07a811518541ef5d2111b0ebc6927f67223450888e00942242367f55236c62.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

eb07a811518541ef5d2111b0ebc6927f67223450888e00942242367f55236c62.exeecaopti.exedevdobloc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eb07a811518541ef5d2111b0ebc6927f67223450888e00942242367f55236c62.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecaopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devdobloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

eb07a811518541ef5d2111b0ebc6927f67223450888e00942242367f55236c62.exeecaopti.exedevdobloc.exe

pid	process
2888	eb07a811518541ef5d2111b0ebc6927f67223450888e00942242367f55236c62.exe
2888	eb07a811518541ef5d2111b0ebc6927f67223450888e00942242367f55236c62.exe
2328	ecaopti.exe
2324	devdobloc.exe
2328	ecaopti.exe
2324	devdobloc.exe
2328	ecaopti.exe
2324	devdobloc.exe
2328	ecaopti.exe
2324	devdobloc.exe
2328	ecaopti.exe
2324	devdobloc.exe
2328	ecaopti.exe
2324	devdobloc.exe
2328	ecaopti.exe
2324	devdobloc.exe
2328	ecaopti.exe
2324	devdobloc.exe
2328	ecaopti.exe
2324	devdobloc.exe
2328	ecaopti.exe
2324	devdobloc.exe
2328	ecaopti.exe
2324	devdobloc.exe
2328	ecaopti.exe
2324	devdobloc.exe
2328	ecaopti.exe
2324	devdobloc.exe
2328	ecaopti.exe
2324	devdobloc.exe
2328	ecaopti.exe
2324	devdobloc.exe
2328	ecaopti.exe
2324	devdobloc.exe
2328	ecaopti.exe
2324	devdobloc.exe
2328	ecaopti.exe
2324	devdobloc.exe
2328	ecaopti.exe
2324	devdobloc.exe
2328	ecaopti.exe
2324	devdobloc.exe
2328	ecaopti.exe
2324	devdobloc.exe
2328	ecaopti.exe
2324	devdobloc.exe
2328	ecaopti.exe
2324	devdobloc.exe
2328	ecaopti.exe
2324	devdobloc.exe
2328	ecaopti.exe
2324	devdobloc.exe
2328	ecaopti.exe
2324	devdobloc.exe
2328	ecaopti.exe
2324	devdobloc.exe
2328	ecaopti.exe
2324	devdobloc.exe
2328	ecaopti.exe
2324	devdobloc.exe
2328	ecaopti.exe
2324	devdobloc.exe
2328	ecaopti.exe
2324	devdobloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

eb07a811518541ef5d2111b0ebc6927f67223450888e00942242367f55236c62.exe

description	pid	process	target process
PID 2888 wrote to memory of 2328	2888	eb07a811518541ef5d2111b0ebc6927f67223450888e00942242367f55236c62.exe	ecaopti.exe
PID 2888 wrote to memory of 2328	2888	eb07a811518541ef5d2111b0ebc6927f67223450888e00942242367f55236c62.exe	ecaopti.exe
PID 2888 wrote to memory of 2328	2888	eb07a811518541ef5d2111b0ebc6927f67223450888e00942242367f55236c62.exe	ecaopti.exe
PID 2888 wrote to memory of 2328	2888	eb07a811518541ef5d2111b0ebc6927f67223450888e00942242367f55236c62.exe	ecaopti.exe
PID 2888 wrote to memory of 2324	2888	eb07a811518541ef5d2111b0ebc6927f67223450888e00942242367f55236c62.exe	devdobloc.exe
PID 2888 wrote to memory of 2324	2888	eb07a811518541ef5d2111b0ebc6927f67223450888e00942242367f55236c62.exe	devdobloc.exe
PID 2888 wrote to memory of 2324	2888	eb07a811518541ef5d2111b0ebc6927f67223450888e00942242367f55236c62.exe	devdobloc.exe
PID 2888 wrote to memory of 2324	2888	eb07a811518541ef5d2111b0ebc6927f67223450888e00942242367f55236c62.exe	devdobloc.exe

C:\Users\Admin\AppData\Local\Temp\eb07a811518541ef5d2111b0ebc6927f67223450888e00942242367f55236c62.exe
"C:\Users\Admin\AppData\Local\Temp\eb07a811518541ef5d2111b0ebc6927f67223450888e00942242367f55236c62.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2328
- C:\Intelproc32\devdobloc.exe
  C:\Intelproc32\devdobloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Intelproc32\devdobloc.exe

Filesize
2.6MB

MD5
435ed27504d2c6bb6f9437689819da60

SHA1
47d2678523a2679ac3dd3105d63809784a5236a5

SHA256
1a326bc926db3f022de5206f60643416c78f8dc9c35faeb13a5311bec51daf41

SHA512
bea5e4af14f282f749d8e4c6f0d67464427af34d9fcf4b34be898958e2f7ff07231748d7982f57fa3cab8a859d39048dcccdf9486ee0860299d20ce6cea113b2

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
173B

MD5
8f3563447d7fa2ee4114d9edaaace28c

SHA1
b80d328397563081ec5b181160e48d6d3a9ba9d7

SHA256
1de9bd200313ad70be282191cd30ac039d6cecd538a4f5a062bde08b7e51fc2f

SHA512
e43758e6ba5e0182efee8c7254629aa11af99860cc230abe77af661b827c15d45113035d8c94cabaabc552b69590a966cc5b9c662ae586e53f216989097c0bc7

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
205B

MD5
3df6ee48304b79614832261f981092f4

SHA1
fcc1a5b69410b1b5e1e8ea7b1d68fccb70277385

SHA256
bc4d3336af4b0ed5ba7085e664c1967a7eed2931c86a4c32f9217a0edf3002d5

SHA512
c1ad21578932b4a6a98ddc63331c71e2a2cd58152aca45ff2eb01dd567e43269122169f4536eaef30bd46a5d92415e275bab4c9f7d18e9429f7e4b6c877bc1e5

Download Submit
C:\VidV0\optiaec.exe

Filesize
2.0MB

MD5
2456e825ceeedb20f71206165d49e947

SHA1
890f9632fef2a6bf43a9dfd735746c09de658961

SHA256
bed445e013cfb98c10918a7d597b299d1361eedd9c130606df15e64bf7cc7606

SHA512
970e403d499e2e6ce89292e5e79ed790e0a90bd1db7ff84e7bb8662441954b77395552a9eff23069355d32fb3163ba55b4761c48c45bc8f4ad37465dad63e20e

Download Submit
C:\VidV0\optiaec.exe

Filesize
2.6MB

MD5
a1251bda35113fa87939fff7989ef70e

SHA1
78b84bd09f566ee15836ae39ee7ae540d176149b

SHA256
f4fe44429b7b870a4f31a5471b25774c9b2130bea0d27f733065ce718dea0ad9

SHA512
9de44b9af470fdd1f80832f22fa23feae3b6d89134a961354f9d7bb23b6dc4f461799bd8ee75f5f34280365da88b9a3aea7c1a3307f38841d1f0d5a46fee65c4

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe

Filesize
2.6MB

MD5
4bc94298fe70c4e6627584dcf704598f

SHA1
faadb07abbf3e8e59b2ee4547a63cedb146f3a67

SHA256
099145f6b90489a5ba71b65f3a706f10e55d422bf720111101418fb01abc3bc3

SHA512
9627eef41c38c65c557d97e82fc98ebd41a4c795906727877a58dc19fccd135cbd1077af4332518f45639044f61f6dc7bebaf286da575cd8baa9955632da1329

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads