3bcbbf53f0666b927d0cb4e2e2cf26756c08532047cbd4fd90f44cb9974951ba

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10/07/2024, 21:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3bcbbf53f0666b927d0cb4e2e2cf26756c08532047cbd4fd90f44cb9974951ba.exe
Size

2.6MB
MD5

8141c1fe0804585aa560ad12d792015c
SHA1

222ba96a6c9053553ab9d3220b6f2337482ab859
SHA256

3bcbbf53f0666b927d0cb4e2e2cf26756c08532047cbd4fd90f44cb9974951ba
SHA512

1b588df6aec944a9b5396158b2ccdc5c281f5716643bf374d7d768e2b4157e97438e6ec209c9d79f09f2e9870e961f43f4949b507cf23bcd8999da691a7036bd
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBHB/bS:sxX7QnxrloE5dpUpgb

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe	3bcbbf53f0666b927d0cb4e2e2cf26756c08532047cbd4fd90f44cb9974951ba.exe

Executes dropped EXE 2 IoCs

pid	Process
4348	ecxopti.exe
2340	aoptiec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocJM\\aoptiec.exe"	3bcbbf53f0666b927d0cb4e2e2cf26756c08532047cbd4fd90f44cb9974951ba.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB23\\bodaec.exe"	3bcbbf53f0666b927d0cb4e2e2cf26756c08532047cbd4fd90f44cb9974951ba.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1468	3bcbbf53f0666b927d0cb4e2e2cf26756c08532047cbd4fd90f44cb9974951ba.exe
1468	3bcbbf53f0666b927d0cb4e2e2cf26756c08532047cbd4fd90f44cb9974951ba.exe
1468	3bcbbf53f0666b927d0cb4e2e2cf26756c08532047cbd4fd90f44cb9974951ba.exe
1468	3bcbbf53f0666b927d0cb4e2e2cf26756c08532047cbd4fd90f44cb9974951ba.exe
4348	ecxopti.exe
4348	ecxopti.exe
2340	aoptiec.exe
2340	aoptiec.exe
4348	ecxopti.exe
4348	ecxopti.exe
2340	aoptiec.exe
2340	aoptiec.exe
4348	ecxopti.exe
4348	ecxopti.exe
2340	aoptiec.exe
2340	aoptiec.exe
4348	ecxopti.exe
4348	ecxopti.exe
2340	aoptiec.exe
2340	aoptiec.exe
4348	ecxopti.exe
4348	ecxopti.exe
2340	aoptiec.exe
2340	aoptiec.exe
4348	ecxopti.exe
4348	ecxopti.exe
2340	aoptiec.exe
2340	aoptiec.exe
4348	ecxopti.exe
4348	ecxopti.exe
2340	aoptiec.exe
2340	aoptiec.exe
4348	ecxopti.exe
4348	ecxopti.exe
2340	aoptiec.exe
2340	aoptiec.exe
4348	ecxopti.exe
4348	ecxopti.exe
2340	aoptiec.exe
2340	aoptiec.exe
4348	ecxopti.exe
4348	ecxopti.exe
2340	aoptiec.exe
2340	aoptiec.exe
4348	ecxopti.exe
4348	ecxopti.exe
2340	aoptiec.exe
2340	aoptiec.exe
4348	ecxopti.exe
4348	ecxopti.exe
2340	aoptiec.exe
2340	aoptiec.exe
4348	ecxopti.exe
4348	ecxopti.exe
2340	aoptiec.exe
2340	aoptiec.exe
4348	ecxopti.exe
4348	ecxopti.exe
2340	aoptiec.exe
2340	aoptiec.exe
4348	ecxopti.exe
4348	ecxopti.exe
2340	aoptiec.exe
2340	aoptiec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1468 wrote to memory of 4348	1468	3bcbbf53f0666b927d0cb4e2e2cf26756c08532047cbd4fd90f44cb9974951ba.exe	86
PID 1468 wrote to memory of 4348	1468	3bcbbf53f0666b927d0cb4e2e2cf26756c08532047cbd4fd90f44cb9974951ba.exe	86
PID 1468 wrote to memory of 4348	1468	3bcbbf53f0666b927d0cb4e2e2cf26756c08532047cbd4fd90f44cb9974951ba.exe	86
PID 1468 wrote to memory of 2340	1468	3bcbbf53f0666b927d0cb4e2e2cf26756c08532047cbd4fd90f44cb9974951ba.exe	87
PID 1468 wrote to memory of 2340	1468	3bcbbf53f0666b927d0cb4e2e2cf26756c08532047cbd4fd90f44cb9974951ba.exe	87
PID 1468 wrote to memory of 2340	1468	3bcbbf53f0666b927d0cb4e2e2cf26756c08532047cbd4fd90f44cb9974951ba.exe	87

C:\Users\Admin\AppData\Local\Temp\3bcbbf53f0666b927d0cb4e2e2cf26756c08532047cbd4fd90f44cb9974951ba.exe
"C:\Users\Admin\AppData\Local\Temp\3bcbbf53f0666b927d0cb4e2e2cf26756c08532047cbd4fd90f44cb9974951ba.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1468
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4348
- C:\IntelprocJM\aoptiec.exe
  C:\IntelprocJM\aoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocJM\aoptiec.exe

Filesize
7KB

MD5
84c3a9ef71c6c32cc10faa7a3122fe8d

SHA1
44094cadec949c065d4321a4cb7bb4c11cd999f9

SHA256
de832fdf2de3a5ef6ef5856b88230214e4a82f75e7bd75a06e26b26295f3f07b

SHA512
f1a129f7aed7cc664d5863e93709d5db2f4f45caf6e6372303a8d02f820d81b54c422a04eb54ae98bd4ba94cd7035a4f0faa9a15bf71b5210f2274fb4f64ac3a

Download Submit
C:\IntelprocJM\aoptiec.exe

Filesize
2.6MB

MD5
0b0a7ac4c534246401d0d26dac21a4e5

SHA1
74df88b5d99a8e5013659310d5c643f8ffff1114

SHA256
ccd7c3a9325f2611c7586857026271c63f3ba260cc5f186468a70743db6bb6c9

SHA512
93bdc062392d7898cd525dbe556e01ff7f1cb32383edf1b672dd7b881c4f377314d4a0552342b7fdc2fca732498464f10fd8509a01054d2179406a8459599ebd

Download Submit
C:\KaVB23\bodaec.exe

Filesize
2.6MB

MD5
1dbd3506c8866f7fcb8c09ec67de8f7b

SHA1
b5da95bf94763b048eb8ad6023b92ef2b6370aa4

SHA256
a4a9bbdc759984c0c691d1f6ad0c608f7edd86f200cc07791c5367c0e554dfaa

SHA512
e1c8f9d52ad9f132eae4775e487d68dd55a533b7b3d118d98a53c6e32e09686247712ec7ca6cbfac83c9aeffcc612dddc4183fd75ccff900982d99a5827e7e0f

Download Submit
C:\KaVB23\bodaec.exe

Filesize
706KB

MD5
add85d9f7fd7013d0a410f758861ca18

SHA1
7e67d824620493b7d50e8b26f9c3667b5b5c0234

SHA256
0f3a897c9d177aa6db908561a96db4113d0e62ea675e0886243dce2bc2f15967

SHA512
96b2aae49f3a59ccb354e02c9479250e38ec2b8d57f6d5963c030251bd461e728bbf5a7cfc07ba3fe93f7fd0a9d41fdf9e0b94762272637e2a0efb1714e997d5

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
c0dd17c8481f2e4bb4e5a99d12baaa71

SHA1
a1d6796e48767430fd2ed219ccb1c244cc3d0313

SHA256
1096f36ceaab1aa2d09612b5e903912b192c3310256da499c769f4d6830045a7

SHA512
3aa83f40cc5cc0c667d4edbea28cc2147059cf2cdbabd484a5d5902bfe8f65e77d566914e101987fd88fc16e0787bb0b9f248df838706d66e9450f10b662c986

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
171B

MD5
d68f0949526a624c2a04ae148ec2faf6

SHA1
9c644b7c72d718fcbe8d44a47dded28a099a9585

SHA256
5b4804f1c63439beaad320ab3b50572f5fde03b1a7d1445e5334f434c5d05951

SHA512
be4b109b4f2f9ac07bda2dfcf9a5787653cfd0db6f9ede07c0b2ede9a661a737f11a086cfa82d669d8c1cd29511b6ca6e48e5357279094afb39f863d2588ba83

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe

Filesize
2.6MB

MD5
e9dac94018bd2afcb8713207a3d7c3d6

SHA1
11bf2968d34a575f2092592ce34f1fafbc0a7916

SHA256
dd4ddb3f70b9f0d9a663008553878720a7a14af371d6e43c0b1bd9e8190cd441

SHA512
44f7eb6e13209eed134c2a6310f299ad5c5409a80fdf19d0f1dc9a3f7d7e2100576a5656a8482beb14be8a620bd1c709f38bd9df9cd6ce62d8df248e79482e09

Download Submit