348353ef39e235d4a02119fda03d5f811e1cc2a1dfe0848d764583f89aa53eb7

General

Target

348353ef39e235d4a02119fda03d5f811e1cc2a1dfe0848d764583f89aa53eb7.exe
Size

2.6MB
MD5

7bb120571c084e731f81c6dabc5e4dba
SHA1

0c23cb9cedec350ec95c55cddf203980f1b5238b
SHA256

348353ef39e235d4a02119fda03d5f811e1cc2a1dfe0848d764583f89aa53eb7
SHA512

a2280ef1c989c2900f1822f6fcefb6691821016d03421dc00de4b246c870d3739fea2e0627ce91e14c253a3a3e69889e80ed731b69fcdd368ed463d97713c9f7
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBUB/bS:sxX7QnxrloE5dpUprb

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

348353ef39e235d4a02119fda03d5f811e1cc2a1dfe0848d764583f89aa53eb7.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe	348353ef39e235d4a02119fda03d5f811e1cc2a1dfe0848d764583f89aa53eb7.exe

Executes dropped EXE 2 IoCs

Processes:

ecdevbod.exeaoptisys.exe

pid process

4500 ecdevbod.exe
4456 aoptisys.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
4500	ecdevbod.exe
4456	aoptisys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

348353ef39e235d4a02119fda03d5f811e1cc2a1dfe0848d764583f89aa53eb7.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot2O\\aoptisys.exe"	348353ef39e235d4a02119fda03d5f811e1cc2a1dfe0848d764583f89aa53eb7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintV1\\optiaec.exe"	348353ef39e235d4a02119fda03d5f811e1cc2a1dfe0848d764583f89aa53eb7.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

348353ef39e235d4a02119fda03d5f811e1cc2a1dfe0848d764583f89aa53eb7.exeecdevbod.exeaoptisys.exe

pid	process
1548	348353ef39e235d4a02119fda03d5f811e1cc2a1dfe0848d764583f89aa53eb7.exe
1548	348353ef39e235d4a02119fda03d5f811e1cc2a1dfe0848d764583f89aa53eb7.exe
1548	348353ef39e235d4a02119fda03d5f811e1cc2a1dfe0848d764583f89aa53eb7.exe
1548	348353ef39e235d4a02119fda03d5f811e1cc2a1dfe0848d764583f89aa53eb7.exe
4500	ecdevbod.exe
4500	ecdevbod.exe
4456	aoptisys.exe
4456	aoptisys.exe
4500	ecdevbod.exe
4500	ecdevbod.exe
4456	aoptisys.exe
4456	aoptisys.exe
4500	ecdevbod.exe
4500	ecdevbod.exe
4456	aoptisys.exe
4456	aoptisys.exe
4500	ecdevbod.exe
4500	ecdevbod.exe
4456	aoptisys.exe
4456	aoptisys.exe
4500	ecdevbod.exe
4500	ecdevbod.exe
4456	aoptisys.exe
4456	aoptisys.exe
4500	ecdevbod.exe
4500	ecdevbod.exe
4456	aoptisys.exe
4456	aoptisys.exe
4500	ecdevbod.exe
4500	ecdevbod.exe
4456	aoptisys.exe
4456	aoptisys.exe
4500	ecdevbod.exe
4500	ecdevbod.exe
4456	aoptisys.exe
4456	aoptisys.exe
4500	ecdevbod.exe
4500	ecdevbod.exe
4456	aoptisys.exe
4456	aoptisys.exe
4500	ecdevbod.exe
4500	ecdevbod.exe
4456	aoptisys.exe
4456	aoptisys.exe
4500	ecdevbod.exe
4500	ecdevbod.exe
4456	aoptisys.exe
4456	aoptisys.exe
4500	ecdevbod.exe
4500	ecdevbod.exe
4456	aoptisys.exe
4456	aoptisys.exe
4500	ecdevbod.exe
4500	ecdevbod.exe
4456	aoptisys.exe
4456	aoptisys.exe
4500	ecdevbod.exe
4500	ecdevbod.exe
4456	aoptisys.exe
4456	aoptisys.exe
4500	ecdevbod.exe
4500	ecdevbod.exe
4456	aoptisys.exe
4456	aoptisys.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

348353ef39e235d4a02119fda03d5f811e1cc2a1dfe0848d764583f89aa53eb7.exe

description	pid	process	target process
PID 1548 wrote to memory of 4500	1548	348353ef39e235d4a02119fda03d5f811e1cc2a1dfe0848d764583f89aa53eb7.exe	ecdevbod.exe
PID 1548 wrote to memory of 4500	1548	348353ef39e235d4a02119fda03d5f811e1cc2a1dfe0848d764583f89aa53eb7.exe	ecdevbod.exe
PID 1548 wrote to memory of 4500	1548	348353ef39e235d4a02119fda03d5f811e1cc2a1dfe0848d764583f89aa53eb7.exe	ecdevbod.exe
PID 1548 wrote to memory of 4456	1548	348353ef39e235d4a02119fda03d5f811e1cc2a1dfe0848d764583f89aa53eb7.exe	aoptisys.exe
PID 1548 wrote to memory of 4456	1548	348353ef39e235d4a02119fda03d5f811e1cc2a1dfe0848d764583f89aa53eb7.exe	aoptisys.exe
PID 1548 wrote to memory of 4456	1548	348353ef39e235d4a02119fda03d5f811e1cc2a1dfe0848d764583f89aa53eb7.exe	aoptisys.exe

C:\Users\Admin\AppData\Local\Temp\348353ef39e235d4a02119fda03d5f811e1cc2a1dfe0848d764583f89aa53eb7.exe
"C:\Users\Admin\AppData\Local\Temp\348353ef39e235d4a02119fda03d5f811e1cc2a1dfe0848d764583f89aa53eb7.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1548

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4500

C:\UserDot2O\aoptisys.exe
C:\UserDot2O\aoptisys.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintV1\optiaec.exe

Filesize
867KB

MD5
91cf7cc5ca28ba27026cacd0b93a42eb

SHA1
996d51e2597471be5c4402971272cbfa49ffac64

SHA256
6a5377a13c7be7e884ec1b8f383e263ee02f224ca1db907223ab32a9f6098b6c

SHA512
150f47e9a037afbd4d5b5ba846ca0f3c274c61843fc26491417f8b4ad8fd98e6a459678f35be8d0516f25387ced04a592a27652d56b75e9b882c158c58047f20

Download Submit
C:\MintV1\optiaec.exe

Filesize
2.6MB

MD5
f40871a8a7fff29e6ec1ba6058b1c06f

SHA1
6843dcac082149464a509bf9180543103edc3240

SHA256
7d242dceb4fa59e5072755047b9c337b6d5e3bfbce3b9310ec1454d21d23d262

SHA512
7b9fd014cc523bb034679c31d60cae0b613099594bcb886845b2a1253fa13f98efea3699d634a0421eb3dffd2567bc2f34f20dd5a9932e56f7781ea6a1e4ba95

Download Submit
C:\UserDot2O\aoptisys.exe

Filesize
2.6MB

MD5
6600d037e06a6e711bd94e36e033b719

SHA1
8e4c1cb0d12c5362aac9f82a9e5b58e0c6fd7663

SHA256
12b92044bcca46c71402e24db78195b7772873f98a9235aa768ca57aae143166

SHA512
baf558d2bb764a742f2ad69c88b641cff188561d05e573ced8177c1769fe4a9b2efcaff383e79186b052a7fd31bd6568e1db656374d10e5c70d94bfcc4642f11

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
2364bdfe951d1c7597c6515aa745cd9b

SHA1
7c0cd576176de3879f59dcb7b54fcd5d053e071d

SHA256
f7d2bb64f010e0aa6f0609e04222ab95560a4f120439b3ac9ccbb02c0511db4a

SHA512
1428de5a1c268f70aa5d4d16372127b7cbad4291419432fec199166868bb80618961ec5fa3e46303e9c80e21fdf47cbed3a2b76f300afc874db3e27f8cc565df

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
172B

MD5
c3bd9d15528498008ce685bfb0011565

SHA1
b736c9432c1a986f6e60d566a4bb79e21ae0558f

SHA256
3b9fcc1e839f3e045e7880a233861bfc4b0cf1be46d14ffdb306ee0e2171f52f

SHA512
1e33960f4b5c43bfd54c3a76173d41a840693443c789a41b9f6e0baa7d588ee759b1c3bc866941b21f7c79030beb9e5ea5602ba7d6d55caedcd4c9884b283adf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe

Filesize
2.6MB

MD5
61acb3ead22514f2a82da11e123f95d6

SHA1
a69c7e69ceedbb23b826d640a2bccd7c95ca87e4

SHA256
39ee1d6072feb3986778a047efb399c171e06f39244bf9780e92f9298efb664f

SHA512
9a9046b33114e0990424eff5ef5b9f380eda1fbb4bebf665649134ea87c0a4e8db5cb6879565ae0ef9c3f613cac91530dbf81c4d1256c0b390b73a0197fb60cf

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads