e21d3d7cf1873c060f90abfe9e487b553996759fe68840e642044bec8efa975f

Analysis

max time kernel
154s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
23/04/2024, 04:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e21d3d7cf1873c060f90abfe9e487b553996759fe68840e642044bec8efa975f.exe
Size

3.2MB
MD5

7506628eff57c4550b13f728346aa486
SHA1

32ce38be91f0d7e2b230a1946c84a02e05f7076a
SHA256

e21d3d7cf1873c060f90abfe9e487b553996759fe68840e642044bec8efa975f
SHA512

7d5f548d9e701be1285515c1369e876443240f2071cc91b27bfb0cd8274005caa571f67608bb72b7bfedf5508dbffdc43e8f0dba19c574e363d40d03b06d07be
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB51B/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpA7bVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe	e21d3d7cf1873c060f90abfe9e487b553996759fe68840e642044bec8efa975f.exe

Executes dropped EXE 2 IoCs

pid	Process
2880	ecaopti.exe
848	aoptiloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotDB\\aoptiloc.exe"	e21d3d7cf1873c060f90abfe9e487b553996759fe68840e642044bec8efa975f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxAH\\optialoc.exe"	e21d3d7cf1873c060f90abfe9e487b553996759fe68840e642044bec8efa975f.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4616	e21d3d7cf1873c060f90abfe9e487b553996759fe68840e642044bec8efa975f.exe
4616	e21d3d7cf1873c060f90abfe9e487b553996759fe68840e642044bec8efa975f.exe
4616	e21d3d7cf1873c060f90abfe9e487b553996759fe68840e642044bec8efa975f.exe
4616	e21d3d7cf1873c060f90abfe9e487b553996759fe68840e642044bec8efa975f.exe
2880	ecaopti.exe
2880	ecaopti.exe
848	aoptiloc.exe
848	aoptiloc.exe
2880	ecaopti.exe
2880	ecaopti.exe
848	aoptiloc.exe
848	aoptiloc.exe
2880	ecaopti.exe
2880	ecaopti.exe
848	aoptiloc.exe
848	aoptiloc.exe
2880	ecaopti.exe
2880	ecaopti.exe
848	aoptiloc.exe
848	aoptiloc.exe
2880	ecaopti.exe
2880	ecaopti.exe
848	aoptiloc.exe
848	aoptiloc.exe
2880	ecaopti.exe
2880	ecaopti.exe
848	aoptiloc.exe
848	aoptiloc.exe
2880	ecaopti.exe
2880	ecaopti.exe
848	aoptiloc.exe
848	aoptiloc.exe
2880	ecaopti.exe
2880	ecaopti.exe
848	aoptiloc.exe
848	aoptiloc.exe
2880	ecaopti.exe
2880	ecaopti.exe
848	aoptiloc.exe
848	aoptiloc.exe
2880	ecaopti.exe
2880	ecaopti.exe
848	aoptiloc.exe
848	aoptiloc.exe
2880	ecaopti.exe
2880	ecaopti.exe
848	aoptiloc.exe
848	aoptiloc.exe
2880	ecaopti.exe
2880	ecaopti.exe
848	aoptiloc.exe
848	aoptiloc.exe
2880	ecaopti.exe
2880	ecaopti.exe
848	aoptiloc.exe
848	aoptiloc.exe
2880	ecaopti.exe
2880	ecaopti.exe
848	aoptiloc.exe
848	aoptiloc.exe
2880	ecaopti.exe
2880	ecaopti.exe
848	aoptiloc.exe
848	aoptiloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4616 wrote to memory of 2880	4616	e21d3d7cf1873c060f90abfe9e487b553996759fe68840e642044bec8efa975f.exe	91
PID 4616 wrote to memory of 2880	4616	e21d3d7cf1873c060f90abfe9e487b553996759fe68840e642044bec8efa975f.exe	91
PID 4616 wrote to memory of 2880	4616	e21d3d7cf1873c060f90abfe9e487b553996759fe68840e642044bec8efa975f.exe	91
PID 4616 wrote to memory of 848	4616	e21d3d7cf1873c060f90abfe9e487b553996759fe68840e642044bec8efa975f.exe	92
PID 4616 wrote to memory of 848	4616	e21d3d7cf1873c060f90abfe9e487b553996759fe68840e642044bec8efa975f.exe	92
PID 4616 wrote to memory of 848	4616	e21d3d7cf1873c060f90abfe9e487b553996759fe68840e642044bec8efa975f.exe	92

C:\Users\Admin\AppData\Local\Temp\e21d3d7cf1873c060f90abfe9e487b553996759fe68840e642044bec8efa975f.exe
"C:\Users\Admin\AppData\Local\Temp\e21d3d7cf1873c060f90abfe9e487b553996759fe68840e642044bec8efa975f.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4616
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2880
- C:\UserDotDB\aoptiloc.exe
  C:\UserDotDB\aoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4340 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
1⤵
PID:3348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxAH\optialoc.exe

Filesize
3.2MB

MD5
a0196307dcd9d5fdd60fa1caf1fc3f44

SHA1
4818ad00f1fd0a14993b549fe820f98ffb6305d1

SHA256
d6cc5934c56af1b2cb364b9b720b519e69cacc17479f4e24dd707974693de25d

SHA512
e708939e9e97ff1f553def15e53144beec4b55253f057c25e2a79c617caaf15ecaf2cafa6c377b85e19a44c5cb79717329dd8868789565c26889eefdc03f9a1e

Download Submit
C:\GalaxAH\optialoc.exe

Filesize
3.2MB

MD5
5193dfad4e987bdc7e15435a76ffc904

SHA1
e7f314592f0d25463cd90fbe0a0a17527526e41d

SHA256
96bc3d31ba6b277751563d544133fa9b1df4949f4a12999aa5e094be3ca0dbc1

SHA512
7f766429b7a992af588c5156c6ce8ed44e1ff8915db3611e6b6998f0cd2db02e30a74ad1e18dd8adfde7486a8bf2b486247c7da872cdc68dfc5351395a68a8d7

Download Submit
C:\UserDotDB\aoptiloc.exe

Filesize
3.2MB

MD5
13de8f40e0f705f58e5c7984ec2c00bc

SHA1
9b5eedb4b9ed2605317ac55e3a716427750e1df6

SHA256
46bccb1f16e57d212a9e7068edb11925e339a6d6c36acaee0609a7112e57c111

SHA512
b979714b073cd6936cb704295f6f07d670162fb856a838c9ed275caaeb60ad646638ff58ddb301d3e8d5fcd8b0472a52a49a4bceef6108d80350ab32ea8e4721

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
674ba35d1f5365afa4e92877e8502a74

SHA1
a76d39a654b4c254da8031a2f35f400649b20e1d

SHA256
a0bb3574040d1e8df1f6033e01f76c90c2e7a8677e4036ba482ba66bdc92d13a

SHA512
63cac00416d8113f1099a383b560454a595951d553dd0987ffc7f036360a73ec9f8a83016932ef3d843ba0bfe1985fd3d4a55fbfe4ff847a289673a14db4bbd3

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
173B

MD5
563a1ddf40587e34cffd4c5edeb81f16

SHA1
c2733bfb91473cb77c41ff554cbb06ce16bdd97f

SHA256
c7f6b848a5fe8dba1f2bcc81ae0af5d1ab5408874ede70f4215bf9069c41ae3d

SHA512
70f452c4b2434490bd87cabe9e9ab26392b581f78e70ed3098896dd81f70093a1f6bec382c01411d15180417ed35a686249d2cfbbef4266d8615278e960089a7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe

Filesize
3.2MB

MD5
6e95f341e0d5a5ef23dac3f022778db9

SHA1
0fbed0c178f8930f272db9c6a46ca1ed96ba7fed

SHA256
8c455041d907e643b6847d9c43594ccf5def8966c64fc029af61b706696a4991

SHA512
c9793c71f174f386815de521cd9bae245e8a15f9552e7436f64595030817a9df5943c1ec5b9decd4ca1e185bb8147a0cc65e1e3ed72b05f281d4d67ea7d94a02

Download Submit