69ad4341c4497360116400bd5b38866323be3396bf57737fe067c8e93942fa8e

Analysis

max time kernel
119s
max time network
18s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
15/07/2024, 20:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

049a1da796b9c1144ec44bfa9a5cc200N.exe
Size

2.7MB
MD5

049a1da796b9c1144ec44bfa9a5cc200
SHA1

1f0152b3ad829d7318a9a6884eeb0d60ecbd16c2
SHA256

69ad4341c4497360116400bd5b38866323be3396bf57737fe067c8e93942fa8e
SHA512

6674da5d8f139d6588ac25d1de9c53c901dbdd1ed1e66924c81555d89261f9eb2c32ba4ad171c8621143d2660b140fd7107eeb6342a4c9ba8b2407a2e79b4ee2
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBbB/bSq:sxX7QnxrloE5dpUpIbV

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe	049a1da796b9c1144ec44bfa9a5cc200N.exe

Executes dropped EXE 2 IoCs

pid	Process
2356	locdevopti.exe
2784	xoptiec.exe

Loads dropped DLL 2 IoCs

pid	Process
2196	049a1da796b9c1144ec44bfa9a5cc200N.exe
2196	049a1da796b9c1144ec44bfa9a5cc200N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot4T\\xoptiec.exe"	049a1da796b9c1144ec44bfa9a5cc200N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidUR\\optiasys.exe"	049a1da796b9c1144ec44bfa9a5cc200N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2196	049a1da796b9c1144ec44bfa9a5cc200N.exe
2196	049a1da796b9c1144ec44bfa9a5cc200N.exe
2356	locdevopti.exe
2784	xoptiec.exe
2356	locdevopti.exe
2784	xoptiec.exe
2356	locdevopti.exe
2784	xoptiec.exe
2356	locdevopti.exe
2784	xoptiec.exe
2356	locdevopti.exe
2784	xoptiec.exe
2356	locdevopti.exe
2784	xoptiec.exe
2356	locdevopti.exe
2784	xoptiec.exe
2356	locdevopti.exe
2784	xoptiec.exe
2356	locdevopti.exe
2784	xoptiec.exe
2356	locdevopti.exe
2784	xoptiec.exe
2356	locdevopti.exe
2784	xoptiec.exe
2356	locdevopti.exe
2784	xoptiec.exe
2356	locdevopti.exe
2784	xoptiec.exe
2356	locdevopti.exe
2784	xoptiec.exe
2356	locdevopti.exe
2784	xoptiec.exe
2356	locdevopti.exe
2784	xoptiec.exe
2356	locdevopti.exe
2784	xoptiec.exe
2356	locdevopti.exe
2784	xoptiec.exe
2356	locdevopti.exe
2784	xoptiec.exe
2356	locdevopti.exe
2784	xoptiec.exe
2356	locdevopti.exe
2784	xoptiec.exe
2356	locdevopti.exe
2784	xoptiec.exe
2356	locdevopti.exe
2784	xoptiec.exe
2356	locdevopti.exe
2784	xoptiec.exe
2356	locdevopti.exe
2784	xoptiec.exe
2356	locdevopti.exe
2784	xoptiec.exe
2356	locdevopti.exe
2784	xoptiec.exe
2356	locdevopti.exe
2784	xoptiec.exe
2356	locdevopti.exe
2784	xoptiec.exe
2356	locdevopti.exe
2784	xoptiec.exe
2356	locdevopti.exe
2784	xoptiec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 2356	2196	049a1da796b9c1144ec44bfa9a5cc200N.exe	30
PID 2196 wrote to memory of 2356	2196	049a1da796b9c1144ec44bfa9a5cc200N.exe	30
PID 2196 wrote to memory of 2356	2196	049a1da796b9c1144ec44bfa9a5cc200N.exe	30
PID 2196 wrote to memory of 2356	2196	049a1da796b9c1144ec44bfa9a5cc200N.exe	30
PID 2196 wrote to memory of 2784	2196	049a1da796b9c1144ec44bfa9a5cc200N.exe	31
PID 2196 wrote to memory of 2784	2196	049a1da796b9c1144ec44bfa9a5cc200N.exe	31
PID 2196 wrote to memory of 2784	2196	049a1da796b9c1144ec44bfa9a5cc200N.exe	31
PID 2196 wrote to memory of 2784	2196	049a1da796b9c1144ec44bfa9a5cc200N.exe	31

C:\Users\Admin\AppData\Local\Temp\049a1da796b9c1144ec44bfa9a5cc200N.exe
"C:\Users\Admin\AppData\Local\Temp\049a1da796b9c1144ec44bfa9a5cc200N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2356
- C:\UserDot4T\xoptiec.exe
  C:\UserDot4T\xoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\UserDot4T\xoptiec.exe

Filesize
2.7MB

MD5
94b3745f9a5b92fba284ddd8e251669d

SHA1
b57dc09f414680869aaba100a39e7d5b8faa6efb

SHA256
a188ec341b45bbccce3380582bc0438c4a0670b47992bd7081c41ee448758474

SHA512
135a78f9ae4a7806cfabdcc73a0ee3d75342e269ff2da29e904e594e827a08f1dbbc3b2ac8e6c2a0c0542aa7e1ecb1649feb588c5b50bc63c8d44ad03cd04243

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
173B

MD5
933764321f3bb273c69dcc0019b184a2

SHA1
63afdbd1c6153a9d77220b09c17fa6b74f61e6aa

SHA256
ce175b6b5fecedde4449ce18e11dfefe37b7ec4aee10a4edc419930c8c44b04e

SHA512
92aff4bba9e2dd9aeaaf145cda82fa9503fbfebcee8913451f1db06a5419c07ab619ec65f69bb4955b3ee0a709537b7e4793d1a1e950621aaca65845b82155a3

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
205B

MD5
5f6b97f7f15f224bbc0c6797030ef859

SHA1
5cc07915f13069d77bba6087b73881a9f50ade7e

SHA256
b24bb029195474a32d6e4228140e9c0bdf1c25e22f188b238191c9eedc4fa4af

SHA512
21097de3befcf81a3329667f31ace3b6c0de38c2d768f11f48c453eabc92cc12cdaa19a016de6d86c80e43823143465c554c4e4ac136a1c125fd9de327418fb5

Download Submit
C:\VidUR\optiasys.exe

Filesize
2.7MB

MD5
9b59c3c6ab20115cb62d000918891af3

SHA1
3d84415fe0c9a2f255928d26f16184f420b756a1

SHA256
76ba1ab9eb1c034f678ce5d9be320ba06a5e962f2201b93024401031e421b3a7

SHA512
01433b4adeb73ad60a49cfd291c8c30abbb79caa05ab2d7d429b7b4a8880535ed6b0836cefe9eb58d8f94ab39d84fa850209aa32f828036587cfd582c1c2bf03

Download Submit
C:\VidUR\optiasys.exe

Filesize
2.7MB

MD5
ef7430384171f88fcecd675e92a1a4db

SHA1
9c8b7ba164a63324e4b2fc5678ba79283d0f650b

SHA256
44fdfafbaca9a42675aa8f275f38609f783a8508e7f2202515a2c9a77542cad9

SHA512
463f00012e48dfe325f916de6551f8666795c96fbf51598c291e2447c266e8a43cec0b69845798d43de669175f929c714227bfce414f0c6ddec9acd8d1e50eea

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe

Filesize
2.7MB

MD5
8139d06a9593f4888b3b4df92ecdb47e

SHA1
2b1d3b41c0e710a36ec1956546e02c13bd2b70f7

SHA256
d86083c16ccb1c0bb1fb4ce5f1a13448949a197861cfb8f581715e5bcade2707

SHA512
32608ca2dc3a02d64f47ae6415993d8627f46bc7b46ed21d82196ff95c9f60ddbdab0bf6b4a5339bb7557c0027e984ba5cec92c4c26c7ef28c54b97280eebc65

Download Submit