69ad4341c4497360116400bd5b38866323be3396bf57737fe067c8e93942fa8e

Analysis

max time kernel
119s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
15/07/2024, 20:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

049a1da796b9c1144ec44bfa9a5cc200N.exe
Size

2.7MB
MD5

049a1da796b9c1144ec44bfa9a5cc200
SHA1

1f0152b3ad829d7318a9a6884eeb0d60ecbd16c2
SHA256

69ad4341c4497360116400bd5b38866323be3396bf57737fe067c8e93942fa8e
SHA512

6674da5d8f139d6588ac25d1de9c53c901dbdd1ed1e66924c81555d89261f9eb2c32ba4ad171c8621143d2660b140fd7107eeb6342a4c9ba8b2407a2e79b4ee2
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBbB/bSq:sxX7QnxrloE5dpUpIbV

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe	049a1da796b9c1144ec44bfa9a5cc200N.exe

Executes dropped EXE 2 IoCs

pid	Process
4644	ecxdob.exe
5088	devoptiec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvBY\\devoptiec.exe"	049a1da796b9c1144ec44bfa9a5cc200N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintIS\\optixloc.exe"	049a1da796b9c1144ec44bfa9a5cc200N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4348	049a1da796b9c1144ec44bfa9a5cc200N.exe
4348	049a1da796b9c1144ec44bfa9a5cc200N.exe
4348	049a1da796b9c1144ec44bfa9a5cc200N.exe
4348	049a1da796b9c1144ec44bfa9a5cc200N.exe
4644	ecxdob.exe
4644	ecxdob.exe
5088	devoptiec.exe
5088	devoptiec.exe
4644	ecxdob.exe
4644	ecxdob.exe
5088	devoptiec.exe
5088	devoptiec.exe
4644	ecxdob.exe
4644	ecxdob.exe
5088	devoptiec.exe
5088	devoptiec.exe
4644	ecxdob.exe
4644	ecxdob.exe
5088	devoptiec.exe
5088	devoptiec.exe
4644	ecxdob.exe
4644	ecxdob.exe
5088	devoptiec.exe
5088	devoptiec.exe
4644	ecxdob.exe
4644	ecxdob.exe
5088	devoptiec.exe
5088	devoptiec.exe
4644	ecxdob.exe
4644	ecxdob.exe
5088	devoptiec.exe
5088	devoptiec.exe
4644	ecxdob.exe
4644	ecxdob.exe
5088	devoptiec.exe
5088	devoptiec.exe
4644	ecxdob.exe
4644	ecxdob.exe
5088	devoptiec.exe
5088	devoptiec.exe
4644	ecxdob.exe
4644	ecxdob.exe
5088	devoptiec.exe
5088	devoptiec.exe
4644	ecxdob.exe
4644	ecxdob.exe
5088	devoptiec.exe
5088	devoptiec.exe
4644	ecxdob.exe
4644	ecxdob.exe
5088	devoptiec.exe
5088	devoptiec.exe
4644	ecxdob.exe
4644	ecxdob.exe
5088	devoptiec.exe
5088	devoptiec.exe
4644	ecxdob.exe
4644	ecxdob.exe
5088	devoptiec.exe
5088	devoptiec.exe
4644	ecxdob.exe
4644	ecxdob.exe
5088	devoptiec.exe
5088	devoptiec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4348 wrote to memory of 4644	4348	049a1da796b9c1144ec44bfa9a5cc200N.exe	86
PID 4348 wrote to memory of 4644	4348	049a1da796b9c1144ec44bfa9a5cc200N.exe	86
PID 4348 wrote to memory of 4644	4348	049a1da796b9c1144ec44bfa9a5cc200N.exe	86
PID 4348 wrote to memory of 5088	4348	049a1da796b9c1144ec44bfa9a5cc200N.exe	87
PID 4348 wrote to memory of 5088	4348	049a1da796b9c1144ec44bfa9a5cc200N.exe	87
PID 4348 wrote to memory of 5088	4348	049a1da796b9c1144ec44bfa9a5cc200N.exe	87

C:\Users\Admin\AppData\Local\Temp\049a1da796b9c1144ec44bfa9a5cc200N.exe
"C:\Users\Admin\AppData\Local\Temp\049a1da796b9c1144ec44bfa9a5cc200N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4348
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4644
- C:\SysDrvBY\devoptiec.exe
  C:\SysDrvBY\devoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:5088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintIS\optixloc.exe

Filesize
22KB

MD5
e4c3b64fcedd8e2be082125e0287c8c2

SHA1
e6b71826979f9d40981780fe8419f7c9b79bf83c

SHA256
ba35a7794c7b3437fa887553308604c897996dc320d4789f8ba4838d1db5da7c

SHA512
0e8954077f47610919e36491a6c0d672d0a7c041f7ae8269b389612195dfe659cdabcafdbea40afc4e1d1dbfce766724ee826f776efc650dafa0f52ae350288a

Download Submit
C:\MintIS\optixloc.exe

Filesize
2.7MB

MD5
cc209054964444bee419f13f0ea72ca2

SHA1
18a7d30b4bf7677d5c5d323a3969f05cc1e4c845

SHA256
c72346cc460fb37fbfe7042e42652399ffc5a0f5e44bbe2126cf7cc2a070bce1

SHA512
ffb64121f63db69d6696d2fd9544f8a190b26a867f038382e5a4a9865ec0b3424d4750669b8d5d1f9071f0dd742a4fda28c0ee0c5d5de172e1f125dbb750add4

Download Submit
C:\SysDrvBY\devoptiec.exe

Filesize
6KB

MD5
0860ba7ab87e6dbf893e728aa4621778

SHA1
6296ec6dd59bc3b8a68b647437f788d3632c62db

SHA256
dae0dd40453db7d1814b71e7428dae76ec100c87d90429cfe275f635828912b2

SHA512
6b72d47a2829acfcf1490f689278dd8559279bed5d5c4557d0d0a5168428051f1906438558ebacac45c8aee6d3c2408cb4723e18b3d3bcc087625db5239ebaef

Download Submit
C:\SysDrvBY\devoptiec.exe

Filesize
2.7MB

MD5
5956ff92f09b4f91c2a45393cf889a58

SHA1
df68139238792bc06b2625795930f362dfb89f0b

SHA256
fed0f9bfd52bd142673a63e13d4e90f1264fcae4bb02c21af1ee6bea109847cf

SHA512
372d4e1767c60828756ed71be8321953d81eba1df3f7094d959385cc5d5941f1202f334246b017ef3f94ba5af9c85f84a62765ee176d00078fd0072e18feb378

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
a29ebf75d02aeb6b8c5ae3fcd4bc1260

SHA1
a5fc5b6bc5f0ee19ab8f8bc61dcf7af6c241c301

SHA256
26845287c113a40d0ef12e012a57838a7477f5f435164426073071d405065f2e

SHA512
e7fd73204f1860742294d4a01f8d2cb8ac68f90039fcfe56dc04f3493a660c5d31b85e20849b769ab13dedcd266e46cf916cd87acb9c826af6f8f73140c3046a

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
171B

MD5
754099f25313669e3d1f074f32ebb2ac

SHA1
e455342153ab6d03b4084c5c387ccc9acaaad2a7

SHA256
828380bade6864a3a010ca270de0858ce99f09536ffe7f8a129c77299a395fce

SHA512
a0a6a9e4043e970d9292bf5d8eb0184f924c0e7581a6e3d8886e27f7320d651f3a146ea562fe6f6e76762782692cfdc9c87caadaf7029bff9b2382d31bc971f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe

Filesize
2.7MB

MD5
107c2a6ace15afdc0987517300c03ac5

SHA1
6ccd4be147cc94377a112341d6ae099a8c615238

SHA256
d814379293543d1ac83f99fd670bd52f5d902d443f33d1d7cbe39fae9b0de0cc

SHA512
3f21f62b378173de0c2a8dc144d82fbf42071d9b8f9cf74d2c4c6ad04186543e2844f8edbaaa1756d28028ad9fdfa22f230b5fb9a7239f507d5fd14da61a6109

Download Submit