10ba075df6e7639a4af6492c0c5cf6cc97aee5b165d56ec124cbbe81dabff288

Analysis

max time kernel
120s
max time network
118s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22-07-2024 07:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7e8e19c8644b1381121f014cadae8460N.exe
Size

3.6MB
MD5

7e8e19c8644b1381121f014cadae8460
SHA1

672d88944b19af0c0b8216fbd4b41388850b0957
SHA256

10ba075df6e7639a4af6492c0c5cf6cc97aee5b165d56ec124cbbe81dabff288
SHA512

58a0fe94bcab66ba63515072dd174d195f369a4fccf010d7efb46f0efd4e07441b427c9fee54a707a767ddd9cdbd484bf7ee17ea70f27c9d0e39e49af7444de2
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBQB/bSqz8:sxX7QnxrloE5dpUpPbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe	7e8e19c8644b1381121f014cadae8460N.exe

Executes dropped EXE 2 IoCs

pid	Process
2344	ecdevopti.exe
2412	aoptiec.exe

Loads dropped DLL 2 IoCs

pid	Process
2308	7e8e19c8644b1381121f014cadae8460N.exe
2308	7e8e19c8644b1381121f014cadae8460N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotEZ\\aoptiec.exe"	7e8e19c8644b1381121f014cadae8460N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidOM\\optidevloc.exe"	7e8e19c8644b1381121f014cadae8460N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2308	7e8e19c8644b1381121f014cadae8460N.exe
2308	7e8e19c8644b1381121f014cadae8460N.exe
2344	ecdevopti.exe
2412	aoptiec.exe
2344	ecdevopti.exe
2412	aoptiec.exe
2344	ecdevopti.exe
2412	aoptiec.exe
2344	ecdevopti.exe
2412	aoptiec.exe
2344	ecdevopti.exe
2412	aoptiec.exe
2344	ecdevopti.exe
2412	aoptiec.exe
2344	ecdevopti.exe
2412	aoptiec.exe
2344	ecdevopti.exe
2412	aoptiec.exe
2344	ecdevopti.exe
2412	aoptiec.exe
2344	ecdevopti.exe
2412	aoptiec.exe
2344	ecdevopti.exe
2412	aoptiec.exe
2344	ecdevopti.exe
2412	aoptiec.exe
2344	ecdevopti.exe
2412	aoptiec.exe
2344	ecdevopti.exe
2412	aoptiec.exe
2344	ecdevopti.exe
2412	aoptiec.exe
2344	ecdevopti.exe
2412	aoptiec.exe
2344	ecdevopti.exe
2412	aoptiec.exe
2344	ecdevopti.exe
2412	aoptiec.exe
2344	ecdevopti.exe
2412	aoptiec.exe
2344	ecdevopti.exe
2412	aoptiec.exe
2344	ecdevopti.exe
2412	aoptiec.exe
2344	ecdevopti.exe
2412	aoptiec.exe
2344	ecdevopti.exe
2412	aoptiec.exe
2344	ecdevopti.exe
2412	aoptiec.exe
2344	ecdevopti.exe
2412	aoptiec.exe
2344	ecdevopti.exe
2412	aoptiec.exe
2344	ecdevopti.exe
2412	aoptiec.exe
2344	ecdevopti.exe
2412	aoptiec.exe
2344	ecdevopti.exe
2412	aoptiec.exe
2344	ecdevopti.exe
2412	aoptiec.exe
2344	ecdevopti.exe
2412	aoptiec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 2344	2308	7e8e19c8644b1381121f014cadae8460N.exe	30
PID 2308 wrote to memory of 2344	2308	7e8e19c8644b1381121f014cadae8460N.exe	30
PID 2308 wrote to memory of 2344	2308	7e8e19c8644b1381121f014cadae8460N.exe	30
PID 2308 wrote to memory of 2344	2308	7e8e19c8644b1381121f014cadae8460N.exe	30
PID 2308 wrote to memory of 2412	2308	7e8e19c8644b1381121f014cadae8460N.exe	31
PID 2308 wrote to memory of 2412	2308	7e8e19c8644b1381121f014cadae8460N.exe	31
PID 2308 wrote to memory of 2412	2308	7e8e19c8644b1381121f014cadae8460N.exe	31
PID 2308 wrote to memory of 2412	2308	7e8e19c8644b1381121f014cadae8460N.exe	31

C:\Users\Admin\AppData\Local\Temp\7e8e19c8644b1381121f014cadae8460N.exe
"C:\Users\Admin\AppData\Local\Temp\7e8e19c8644b1381121f014cadae8460N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2344
- C:\UserDotEZ\aoptiec.exe
  C:\UserDotEZ\aoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\UserDotEZ\aoptiec.exe

Filesize
3.6MB

MD5
919f782a97a0e273ffb36b7bf0a71751

SHA1
125b01a7dc6f920ee9b8fa29dcd76b90adef7973

SHA256
e9b9d5cefea05adb9904ff9cfb9da94f58e48666c8c21ed91dc559ac89439d5c

SHA512
5e236af65d934ee0df75b829613fcaffcf1e9519d0372482ea56dd07cc674042a879de62e3b1287e8506c215470f9cebc23427eb303ed368aefa913b3fca5265

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
174B

MD5
a42f8ec88a35fe3302deea40b42ccf6f

SHA1
47826dc37a8ed578c1873cfeffd580c80d990f6b

SHA256
3cdeaa349b81a14ce74fb98e50cee0d90f54fcc08bbab0cd6984090c1cfa1cf0

SHA512
01f0f5a092e0a80ca0dfe41d828b42faa9f1a4322dce56b015ca884c178ba86f814ec0fee91860f58bdfc6945cb32947d5c20aae7d85d3af9cb98c680b208e7f

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
206B

MD5
040ad9608fc8ecfa178f1711c782dbe9

SHA1
272bf5cacab194f125f2e22013eb83d0c1ad3187

SHA256
879ece266a5181e0df0dd2468e9a8eb174c6976c2ab36d98afaa380afdde8daa

SHA512
a38d82e8275917f22a63ed696349b3d2993a9b1478d526cf64bfe7ef31f729122413535f4306cca071bee09a46c430c7d99138a846ede429c850ba5f405b2a4f

Download Submit
C:\VidOM\optidevloc.exe

Filesize
2.1MB

MD5
b1be8f64a82ae0444285b2ffddcbce72

SHA1
69e09712ad4e64f5010b3478e8d5212a0b1450ec

SHA256
63d8bee817a3e438d0b08cd8318b0923eff113ce8846f5253f80ccc8cecec8ff

SHA512
7602ed9aa9fa24f4f6ba9a848d3b11da1e20d3aec514cc74754ec9073caf8495d218c0994f172f381f86717f5db4e2b758d54885decff76b42200d9106ff2bbd

Download Submit
C:\VidOM\optidevloc.exe

Filesize
3.6MB

MD5
7792b46e938ed5294dfc8352d246c99f

SHA1
d0b363c9fe1c1baae44c46c356e5840a73674dce

SHA256
e14190f74fc5a30d678d708a2ea1bdfb393d24c25b7f5b4a5a3b5b815f2f573a

SHA512
bcf39b56fb59f1c8218dbcfe1e4d33f03f82531577f9f8629b093a7c0450dbb7200a97ca29fd2a2beb5ea0dbf10da879e4a01379fe2c2c857e1523dcd392e15d

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe

Filesize
3.6MB

MD5
eedb9bcc9cd5d74dcdac89446d8405c7

SHA1
1c2acd8486d09a385ca38c8647eed9477640614e

SHA256
88678e8152c7a906b02ffa9b209d925c6725188d0692a2d49fc6871087008069

SHA512
301856061de8af5b925b7e3ae93d80638224a204c5cf1820007d714048ee600d4ceb4a85fbcde09a0ea5f5f5cf612b8157c1322c415003292ef7cc45cf15550a

Download Submit