32185053da33cd2fe9381ddcd9389a4d3b7409fb5d3cbab99bc72defbddebcb2

Analysis

max time kernel
148s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
08/07/2024, 20:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

32185053da33cd2fe9381ddcd9389a4d3b7409fb5d3cbab99bc72defbddebcb2.exe
Size

3.9MB
MD5

6d6b115ac5af96c38912354c84f72f12
SHA1

6404ee58bb256ee4aa657ae9ce06169bd7138f0b
SHA256

32185053da33cd2fe9381ddcd9389a4d3b7409fb5d3cbab99bc72defbddebcb2
SHA512

efd2c7869ca24082eb8502e59192ec6ae35cb2528056f8ddbe588f717107d3b2a5716f4a63d032695ac119da4e1e10fffbe3000c86dcfc69daa847bba3a9dec4
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBNB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpKbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe	32185053da33cd2fe9381ddcd9389a4d3b7409fb5d3cbab99bc72defbddebcb2.exe

Executes dropped EXE 2 IoCs

pid	Process
2524	ecxopti.exe
2260	devoptiloc.exe

Loads dropped DLL 2 IoCs

pid	Process
2280	32185053da33cd2fe9381ddcd9389a4d3b7409fb5d3cbab99bc72defbddebcb2.exe
2280	32185053da33cd2fe9381ddcd9389a4d3b7409fb5d3cbab99bc72defbddebcb2.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocNP\\devoptiloc.exe"	32185053da33cd2fe9381ddcd9389a4d3b7409fb5d3cbab99bc72defbddebcb2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBK2\\optixloc.exe"	32185053da33cd2fe9381ddcd9389a4d3b7409fb5d3cbab99bc72defbddebcb2.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2280	32185053da33cd2fe9381ddcd9389a4d3b7409fb5d3cbab99bc72defbddebcb2.exe
2280	32185053da33cd2fe9381ddcd9389a4d3b7409fb5d3cbab99bc72defbddebcb2.exe
2524	ecxopti.exe
2260	devoptiloc.exe
2524	ecxopti.exe
2260	devoptiloc.exe
2524	ecxopti.exe
2260	devoptiloc.exe
2524	ecxopti.exe
2260	devoptiloc.exe
2524	ecxopti.exe
2260	devoptiloc.exe
2524	ecxopti.exe
2260	devoptiloc.exe
2524	ecxopti.exe
2260	devoptiloc.exe
2524	ecxopti.exe
2260	devoptiloc.exe
2524	ecxopti.exe
2260	devoptiloc.exe
2524	ecxopti.exe
2260	devoptiloc.exe
2524	ecxopti.exe
2260	devoptiloc.exe
2524	ecxopti.exe
2260	devoptiloc.exe
2524	ecxopti.exe
2260	devoptiloc.exe
2524	ecxopti.exe
2260	devoptiloc.exe
2524	ecxopti.exe
2260	devoptiloc.exe
2524	ecxopti.exe
2260	devoptiloc.exe
2524	ecxopti.exe
2260	devoptiloc.exe
2524	ecxopti.exe
2260	devoptiloc.exe
2524	ecxopti.exe
2260	devoptiloc.exe
2524	ecxopti.exe
2260	devoptiloc.exe
2524	ecxopti.exe
2260	devoptiloc.exe
2524	ecxopti.exe
2260	devoptiloc.exe
2524	ecxopti.exe
2260	devoptiloc.exe
2524	ecxopti.exe
2260	devoptiloc.exe
2524	ecxopti.exe
2260	devoptiloc.exe
2524	ecxopti.exe
2260	devoptiloc.exe
2524	ecxopti.exe
2260	devoptiloc.exe
2524	ecxopti.exe
2260	devoptiloc.exe
2524	ecxopti.exe
2260	devoptiloc.exe
2524	ecxopti.exe
2260	devoptiloc.exe
2524	ecxopti.exe
2260	devoptiloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 2524	2280	32185053da33cd2fe9381ddcd9389a4d3b7409fb5d3cbab99bc72defbddebcb2.exe	30
PID 2280 wrote to memory of 2524	2280	32185053da33cd2fe9381ddcd9389a4d3b7409fb5d3cbab99bc72defbddebcb2.exe	30
PID 2280 wrote to memory of 2524	2280	32185053da33cd2fe9381ddcd9389a4d3b7409fb5d3cbab99bc72defbddebcb2.exe	30
PID 2280 wrote to memory of 2524	2280	32185053da33cd2fe9381ddcd9389a4d3b7409fb5d3cbab99bc72defbddebcb2.exe	30
PID 2280 wrote to memory of 2260	2280	32185053da33cd2fe9381ddcd9389a4d3b7409fb5d3cbab99bc72defbddebcb2.exe	31
PID 2280 wrote to memory of 2260	2280	32185053da33cd2fe9381ddcd9389a4d3b7409fb5d3cbab99bc72defbddebcb2.exe	31
PID 2280 wrote to memory of 2260	2280	32185053da33cd2fe9381ddcd9389a4d3b7409fb5d3cbab99bc72defbddebcb2.exe	31
PID 2280 wrote to memory of 2260	2280	32185053da33cd2fe9381ddcd9389a4d3b7409fb5d3cbab99bc72defbddebcb2.exe	31

C:\Users\Admin\AppData\Local\Temp\32185053da33cd2fe9381ddcd9389a4d3b7409fb5d3cbab99bc72defbddebcb2.exe
"C:\Users\Admin\AppData\Local\Temp\32185053da33cd2fe9381ddcd9389a4d3b7409fb5d3cbab99bc72defbddebcb2.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2524
- C:\IntelprocNP\devoptiloc.exe
  C:\IntelprocNP\devoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocNP\devoptiloc.exe

Filesize
3.9MB

MD5
9d5acb17a1009beeccc1189a5aee003e

SHA1
47a04b2da46b1d03685860d67ebe6c86343c32a6

SHA256
dea9aafb855e8c9dce3e02c581295c2e19c739ab0f450c8c6e0584614cbd6479

SHA512
07f5f2b10c98caea42a7cad19ddfe1e2e930458c0d7757c97c61d2f680b7507db6c8c83c44cd9c707b52e248bc92ef2ede172cdf76149802eb5917f8cb3bc499

Download Submit
C:\KaVBK2\optixloc.exe

Filesize
3.9MB

MD5
9ce18ae20ab163e1ae703eaa098808c6

SHA1
2ae550e0fca297827d8adf3fa8c3e4a7cc477398

SHA256
d78e966b9c49cbc2f7129cdfee2a211f752a02c24be8200734517796ba4e1c4e

SHA512
66449e7e1e2a52f1cbcc58dd60e7bd7a92345654a62a97f1f0c82d9d598e408a5074cc42732cb0c24bd0250c50fd01f787f784f1497c612930b3cea13afae7f7

Download Submit
C:\KaVBK2\optixloc.exe

Filesize
3.9MB

MD5
668e1d0fcbae60b841635176bc97a3ff

SHA1
6e418dd624941b254602731d3a148746b77a184c

SHA256
c93e137afba3bbcd79c89aed9069f8d1ef091960621f05dca4bcfbc844f3d3c9

SHA512
9cf9c56149409b0e7b4214101275f93d925f2ec5dd24e86854e19b3c44ca2ee121b1ae4e57bf1f43aa92123a51f3f11fa0eba10c1eedd5d59bf1957524842e57

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
176B

MD5
12be035fe8f6ddf67a6de8f6de004b5d

SHA1
52933a1ec9b28bf98c0b577ca036fbc9b59195ae

SHA256
9b2912b8da70a2a3f632759da74781247207b9a1b27c20edb2c8ee05f2cb7e23

SHA512
4873fa99f60e607012a94d4b23242fc4917ef8e0cd88dcf7381776b9786197bb216f72a601e1104065669488e5f270a7651ea176c28c0878a2d0212279957baa

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
208B

MD5
9257cc075b8c24f7c425d8ba84056e1a

SHA1
43d67de025b03fbb89d47b1b699f437fa9131366

SHA256
591a88961d67df83c1f3c16f5a526331d4ab80556b57bb821bf4170c837caae8

SHA512
1b3d2a1871ce1b133b3ef9d47803e94ccb3bb7ec8e6ba93bb1b85c6d7f229c504ba88e6771cdb06d2df6fafcfad16530d94f028875ef783af8a624fb9d1f5c77

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe

Filesize
3.9MB

MD5
70fcb397328b1f617d5daf46b48649e6

SHA1
8bb02c329eafb427d269990aa05a209d6de2084d

SHA256
ee05560be651d261e30828ffd40707e748f86cd1b75a97d2901ada40bb2657fc

SHA512
ba6f8c0373686ec3f03fd77f32629f63a0d635d7065f2d9fa5ed524d361bffbc7c070dabea083e09430f1e3976cd81ad5430186a3f3c71d6de7b62f9d037bae0

Download Submit