14ccc272c6e1884d610b57cc0f412d839e6b15917fbc0025256fd278cb3bbe7a

General

Target

14ccc272c6e1884d610b57cc0f412d839e6b15917fbc0025256fd278cb3bbe7a.exe
Size

2.7MB
MD5

04909c033b4caaf00cf907c7f8cb7758
SHA1

3027118753d13ac8c33ea21e2e1ffc2e74651cea
SHA256

14ccc272c6e1884d610b57cc0f412d839e6b15917fbc0025256fd278cb3bbe7a
SHA512

9a27d44e2999b432338b7518839f522fd8a57d9bc1bfbfe11f126a93ef629b51c349874e393ae0aae0fd74dc66724bef25f3e4ca88bb62f471cec936db792a30
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBf9w4Sx:+R0pI/IQlUoMPdmpSpb4

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_ecaopti.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_ecaopti.exe

Executes dropped EXE 2 IoCs

Processes:

Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_ecaopti.exeaoptiec.exe

pid process

1644 Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_ecaopti.exe
3724 aoptiec.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1644	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_ecaopti.exe
3724	aoptiec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

14ccc272c6e1884d610b57cc0f412d839e6b15917fbc0025256fd278cb3bbe7a.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidI6\\optidevsys.exe"	14ccc272c6e1884d610b57cc0f412d839e6b15917fbc0025256fd278cb3bbe7a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeE2\\aoptiec.exe"	14ccc272c6e1884d610b57cc0f412d839e6b15917fbc0025256fd278cb3bbe7a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exeNETSTAT.EXE

pid process

4352 ipconfig.exe
4148 NETSTAT.EXE

pid	process
4352	ipconfig.exe
4148	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

14ccc272c6e1884d610b57cc0f412d839e6b15917fbc0025256fd278cb3bbe7a.exeAdmin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_ecaopti.exeaoptiec.exe

pid	process
396	14ccc272c6e1884d610b57cc0f412d839e6b15917fbc0025256fd278cb3bbe7a.exe
396	14ccc272c6e1884d610b57cc0f412d839e6b15917fbc0025256fd278cb3bbe7a.exe
396	14ccc272c6e1884d610b57cc0f412d839e6b15917fbc0025256fd278cb3bbe7a.exe
396	14ccc272c6e1884d610b57cc0f412d839e6b15917fbc0025256fd278cb3bbe7a.exe
1644	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_ecaopti.exe
1644	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_ecaopti.exe
3724	aoptiec.exe
3724	aoptiec.exe
396	14ccc272c6e1884d610b57cc0f412d839e6b15917fbc0025256fd278cb3bbe7a.exe
396	14ccc272c6e1884d610b57cc0f412d839e6b15917fbc0025256fd278cb3bbe7a.exe
1644	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_ecaopti.exe
1644	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_ecaopti.exe
3724	aoptiec.exe
3724	aoptiec.exe
396	14ccc272c6e1884d610b57cc0f412d839e6b15917fbc0025256fd278cb3bbe7a.exe
396	14ccc272c6e1884d610b57cc0f412d839e6b15917fbc0025256fd278cb3bbe7a.exe
1644	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_ecaopti.exe
1644	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_ecaopti.exe
3724	aoptiec.exe
3724	aoptiec.exe
396	14ccc272c6e1884d610b57cc0f412d839e6b15917fbc0025256fd278cb3bbe7a.exe
396	14ccc272c6e1884d610b57cc0f412d839e6b15917fbc0025256fd278cb3bbe7a.exe
1644	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_ecaopti.exe
1644	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_ecaopti.exe
3724	aoptiec.exe
3724	aoptiec.exe
396	14ccc272c6e1884d610b57cc0f412d839e6b15917fbc0025256fd278cb3bbe7a.exe
396	14ccc272c6e1884d610b57cc0f412d839e6b15917fbc0025256fd278cb3bbe7a.exe
1644	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_ecaopti.exe
1644	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_ecaopti.exe
3724	aoptiec.exe
3724	aoptiec.exe
396	14ccc272c6e1884d610b57cc0f412d839e6b15917fbc0025256fd278cb3bbe7a.exe
396	14ccc272c6e1884d610b57cc0f412d839e6b15917fbc0025256fd278cb3bbe7a.exe
1644	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_ecaopti.exe
1644	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_ecaopti.exe
3724	aoptiec.exe
3724	aoptiec.exe
396	14ccc272c6e1884d610b57cc0f412d839e6b15917fbc0025256fd278cb3bbe7a.exe
396	14ccc272c6e1884d610b57cc0f412d839e6b15917fbc0025256fd278cb3bbe7a.exe
1644	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_ecaopti.exe
1644	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_ecaopti.exe
3724	aoptiec.exe
3724	aoptiec.exe
396	14ccc272c6e1884d610b57cc0f412d839e6b15917fbc0025256fd278cb3bbe7a.exe
396	14ccc272c6e1884d610b57cc0f412d839e6b15917fbc0025256fd278cb3bbe7a.exe
1644	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_ecaopti.exe
1644	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_ecaopti.exe
3724	aoptiec.exe
3724	aoptiec.exe
396	14ccc272c6e1884d610b57cc0f412d839e6b15917fbc0025256fd278cb3bbe7a.exe
396	14ccc272c6e1884d610b57cc0f412d839e6b15917fbc0025256fd278cb3bbe7a.exe
1644	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_ecaopti.exe
1644	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_ecaopti.exe
3724	aoptiec.exe
3724	aoptiec.exe
396	14ccc272c6e1884d610b57cc0f412d839e6b15917fbc0025256fd278cb3bbe7a.exe
396	14ccc272c6e1884d610b57cc0f412d839e6b15917fbc0025256fd278cb3bbe7a.exe
1644	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_ecaopti.exe
1644	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_ecaopti.exe
3724	aoptiec.exe
3724	aoptiec.exe
396	14ccc272c6e1884d610b57cc0f412d839e6b15917fbc0025256fd278cb3bbe7a.exe
396	14ccc272c6e1884d610b57cc0f412d839e6b15917fbc0025256fd278cb3bbe7a.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

NETSTAT.EXE

description pid process

Token: SeDebugPrivilege 4148 NETSTAT.EXE

description	pid	process
Token: SeDebugPrivilege	4148	NETSTAT.EXE

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

14ccc272c6e1884d610b57cc0f412d839e6b15917fbc0025256fd278cb3bbe7a.exeAdmin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_ecaopti.execmd.execmd.exe

description	pid	process	target process
PID 396 wrote to memory of 1644	396	14ccc272c6e1884d610b57cc0f412d839e6b15917fbc0025256fd278cb3bbe7a.exe	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_ecaopti.exe
PID 396 wrote to memory of 1644	396	14ccc272c6e1884d610b57cc0f412d839e6b15917fbc0025256fd278cb3bbe7a.exe	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_ecaopti.exe
PID 396 wrote to memory of 1644	396	14ccc272c6e1884d610b57cc0f412d839e6b15917fbc0025256fd278cb3bbe7a.exe	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_ecaopti.exe
PID 396 wrote to memory of 3724	396	14ccc272c6e1884d610b57cc0f412d839e6b15917fbc0025256fd278cb3bbe7a.exe	aoptiec.exe
PID 396 wrote to memory of 3724	396	14ccc272c6e1884d610b57cc0f412d839e6b15917fbc0025256fd278cb3bbe7a.exe	aoptiec.exe
PID 396 wrote to memory of 3724	396	14ccc272c6e1884d610b57cc0f412d839e6b15917fbc0025256fd278cb3bbe7a.exe	aoptiec.exe
PID 1644 wrote to memory of 1368	1644	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_ecaopti.exe	cmd.exe
PID 1644 wrote to memory of 1368	1644	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_ecaopti.exe	cmd.exe
PID 1644 wrote to memory of 1368	1644	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_ecaopti.exe	cmd.exe
PID 1644 wrote to memory of 884	1644	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_ecaopti.exe	cmd.exe
PID 1644 wrote to memory of 884	1644	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_ecaopti.exe	cmd.exe
PID 1644 wrote to memory of 884	1644	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_ecaopti.exe	cmd.exe
PID 1644 wrote to memory of 3676	1644	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_ecaopti.exe	cmd.exe
PID 1644 wrote to memory of 3676	1644	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_ecaopti.exe	cmd.exe
PID 1644 wrote to memory of 3676	1644	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_ecaopti.exe	cmd.exe
PID 1368 wrote to memory of 4352	1368	cmd.exe	ipconfig.exe
PID 1368 wrote to memory of 4352	1368	cmd.exe	ipconfig.exe
PID 1368 wrote to memory of 4352	1368	cmd.exe	ipconfig.exe
PID 884 wrote to memory of 4148	884	cmd.exe	NETSTAT.EXE
PID 884 wrote to memory of 4148	884	cmd.exe	NETSTAT.EXE
PID 884 wrote to memory of 4148	884	cmd.exe	NETSTAT.EXE
PID 1644 wrote to memory of 1952	1644	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_ecaopti.exe	cmd.exe
PID 1644 wrote to memory of 1952	1644	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_ecaopti.exe	cmd.exe
PID 1644 wrote to memory of 1952	1644	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_ecaopti.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\14ccc272c6e1884d610b57cc0f412d839e6b15917fbc0025256fd278cb3bbe7a.exe
"C:\Users\Admin\AppData\Local\Temp\14ccc272c6e1884d610b57cc0f412d839e6b15917fbc0025256fd278cb3bbe7a.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:396

C:\Users\Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_ecaopti.exe
C:\Users\Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_ecaopti.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1644

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ipconfig > C:\Users\Admin\ipconfig.txt
3⤵
- Suspicious use of WriteProcessMemory
PID:1368

C:\Windows\SysWOW64\ipconfig.exe
ipconfig
4⤵
- Gathers network information
PID:4352

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c netstat -a > C:\Users\Admin\netstat.txt
3⤵
- Suspicious use of WriteProcessMemory
PID:884

C:\Windows\SysWOW64\NETSTAT.EXE
netstat -a
4⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
PID:4148

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c dir C:\*.txt /b /s >> C:\Users\Admin\grubb.list
3⤵
PID:3676

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c dir C:\*.doc /b /s >> C:\Users\Admin\grubb.list
3⤵
PID:1952

C:\AdobeE2\aoptiec.exe
C:\AdobeE2\aoptiec.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3724

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeE2\aoptiec.exe
Filesize
2.7MB

MD5
4576aa4bcac4e8e2c5d6f08a5c551213

SHA1
91b538c58dd01fe3bfc1a90b5f49105c53b2827a

SHA256
d9500278d356009ab3fbc62041b82b9590be238d4421ceff7a4f7d7c43ebdc9e

SHA512
9f9fbfe3c0f5bc6b05b517ca7338c135eb39f907208d8b79fa372f190759f1fb1893c94224f0d0825a67758ac14a33a505498321e9ad7c82bec0bac6917bccb2

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini
Filesize
202B

MD5
f403aec2a76b624ea99d2da2ed71b539

SHA1
e1a0330d0640ddaffdb7a4a397adcbecd9222253

SHA256
14b2d18996a2d8c28da546fd7d0f600344a281a4ebc709f90a6a107579decd07

SHA512
53d48c8dfd17ad567165cf40010c2dce11859efabb783c7b4b2c04098a6af265ab98f355d5bb80e29d9e1c3a11a62dfd65b87f6bd681a17802a297f9d6f245e9

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini
Filesize
202B

MD5
b13ce1d9600f6f8ec8efae480b9d469b

SHA1
eb7875376f543432a1243fed717b0608a88f89d5

SHA256
94719f7b395d7cc62a43f2d85f632e01768153bcdaab66501ce5c3cd1db6399f

SHA512
ba1c75b8fe36bfaca8ff4ef1551252171e0cbef299477be46c1d9bc5d93bc25e9b4139a2fa23164ca0c0d3be923dc859b7fd8f8e55e13ad582345b825fa9cd8e

Download Submit
C:\Users\Admin\grubb.list
Filesize
40KB

MD5
1989b91ff95180310031302cd1ea254a

SHA1
f41204a6a866e050adf73ee4395ace18d97bce9f

SHA256
02ad83cf641350872269cbbc2e7ecd61101b7b45d89a23bb9a3b3a4555461e48

SHA512
79b919746d8cd68e231d6c6b792123644d39379bab524e4d13b08a3d265833a5bcec647bec0731b41d03c98d41a0092920771543ac3daaa178fb7b21fb80597c

Download Submit
C:\Users\Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_ecaopti.exe
Filesize
2.7MB

MD5
bc729c2cef134f820ad6fdb0c775d1bf

SHA1
9bb283d9f6899e42137cda232066928b2268c472

SHA256
9ad223955814a0aaaf322b4f06150ae663e1d8e3f1e0fea9eb601650092ef7c8

SHA512
09685cb55568bf1ea5ce380f6fb339686dddef2cec07d5d1a8b43238f07dc888b0abfad1f6265ac775c4c646b26a76ef6b70c98574ee027c6ebb15f5b174bf97

Download Submit
C:\VidI6\optidevsys.exe
Filesize
128KB

MD5
a284ea457aa009bac7ef109aca208b84

SHA1
e3d94a2c20c551edebd34f79666eb863c6930564

SHA256
563ba72b8265833d54a31533a5bcd2cfccf73415ec74e60665f704e82af643ee

SHA512
a078fdaf66c290cb773c12fed8317d1bc2a7853e2ee79360cd068d317fd05b8be1cd76b827337efa3e2cefa83c069111e13bf66d2bbf52436989b3abedad3f5e

Download Submit
C:\VidI6\optidevsys.exe
Filesize
814KB

MD5
a996f48667fc33b6ded6fd9352930bee

SHA1
26d64dfe03bada01864163bb0b9cebd0a2b99744

SHA256
2c986b938419f76bb1be5a691537b1ec0ab6e9383cbf29bc8f42203c266dc532

SHA512
7c7dd3d46112f54aad170d815a40179f19b99df7217cf00f1815702968f53bf3a1167bcbab6c7c7984fb83a1d3a9137957310c9622bee8bdae0f67a6956cc2b4

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads