31b954c856bcdd18a9f072cd1c2f14ff25977faa1db13025cc23e0b91773aa44

Analysis

max time kernel
120s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
25/07/2024, 20:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06c628e0a793b6ed7e4e848f266d25b0N.exe
Size

2.6MB
MD5

06c628e0a793b6ed7e4e848f266d25b0
SHA1

9eb16d96ff85f00a876060401de052362f024c60
SHA256

31b954c856bcdd18a9f072cd1c2f14ff25977faa1db13025cc23e0b91773aa44
SHA512

f4d0bb849e8d388e1c6c7583488ab28c7652f3268aa6dcd22822f2a6a1c1abe6e9e1867f06a26800f7900a75bdbe355ba89c78d57106be5107d5b3da354f6415
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBcB/bS:sxX7QnxrloE5dpUpfb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe	06c628e0a793b6ed7e4e848f266d25b0N.exe

Executes dropped EXE 2 IoCs

pid	Process
3748	ecxbod.exe
4352	aoptiloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocWD\\aoptiloc.exe"	06c628e0a793b6ed7e4e848f266d25b0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidYP\\optiaec.exe"	06c628e0a793b6ed7e4e848f266d25b0N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	06c628e0a793b6ed7e4e848f266d25b0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecxbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aoptiloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
8	06c628e0a793b6ed7e4e848f266d25b0N.exe
8	06c628e0a793b6ed7e4e848f266d25b0N.exe
8	06c628e0a793b6ed7e4e848f266d25b0N.exe
8	06c628e0a793b6ed7e4e848f266d25b0N.exe
3748	ecxbod.exe
3748	ecxbod.exe
4352	aoptiloc.exe
4352	aoptiloc.exe
3748	ecxbod.exe
3748	ecxbod.exe
4352	aoptiloc.exe
4352	aoptiloc.exe
3748	ecxbod.exe
3748	ecxbod.exe
4352	aoptiloc.exe
4352	aoptiloc.exe
3748	ecxbod.exe
3748	ecxbod.exe
4352	aoptiloc.exe
4352	aoptiloc.exe
3748	ecxbod.exe
3748	ecxbod.exe
4352	aoptiloc.exe
4352	aoptiloc.exe
3748	ecxbod.exe
3748	ecxbod.exe
4352	aoptiloc.exe
4352	aoptiloc.exe
3748	ecxbod.exe
3748	ecxbod.exe
4352	aoptiloc.exe
4352	aoptiloc.exe
3748	ecxbod.exe
3748	ecxbod.exe
4352	aoptiloc.exe
4352	aoptiloc.exe
3748	ecxbod.exe
3748	ecxbod.exe
4352	aoptiloc.exe
4352	aoptiloc.exe
3748	ecxbod.exe
3748	ecxbod.exe
4352	aoptiloc.exe
4352	aoptiloc.exe
3748	ecxbod.exe
3748	ecxbod.exe
4352	aoptiloc.exe
4352	aoptiloc.exe
3748	ecxbod.exe
3748	ecxbod.exe
4352	aoptiloc.exe
4352	aoptiloc.exe
3748	ecxbod.exe
3748	ecxbod.exe
4352	aoptiloc.exe
4352	aoptiloc.exe
3748	ecxbod.exe
3748	ecxbod.exe
4352	aoptiloc.exe
4352	aoptiloc.exe
3748	ecxbod.exe
3748	ecxbod.exe
4352	aoptiloc.exe
4352	aoptiloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 8 wrote to memory of 3748	8	06c628e0a793b6ed7e4e848f266d25b0N.exe	90
PID 8 wrote to memory of 3748	8	06c628e0a793b6ed7e4e848f266d25b0N.exe	90
PID 8 wrote to memory of 3748	8	06c628e0a793b6ed7e4e848f266d25b0N.exe	90
PID 8 wrote to memory of 4352	8	06c628e0a793b6ed7e4e848f266d25b0N.exe	91
PID 8 wrote to memory of 4352	8	06c628e0a793b6ed7e4e848f266d25b0N.exe	91
PID 8 wrote to memory of 4352	8	06c628e0a793b6ed7e4e848f266d25b0N.exe	91

C:\Users\Admin\AppData\Local\Temp\06c628e0a793b6ed7e4e848f266d25b0N.exe
"C:\Users\Admin\AppData\Local\Temp\06c628e0a793b6ed7e4e848f266d25b0N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:8
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3748
- C:\IntelprocWD\aoptiloc.exe
  C:\IntelprocWD\aoptiloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocWD\aoptiloc.exe

Filesize
149KB

MD5
7a7053db5ad46ca97f84049caeb5dd82

SHA1
2611eb9455cf624bc3f1eb49b3c77ff8ac73effd

SHA256
f15941b1ed462520c6e443643a2473ba457c3ebeec2091035615add26e55a7e3

SHA512
79f8f47858866bd890febb2400dfe5e277ff72e1f4d69ed7620d3025118b96fe3951220a3c58e9eceb176a5bbd5f7fabfdb01ddae39f924f14af847e21b72ec4

Download Submit
C:\IntelprocWD\aoptiloc.exe

Filesize
2.6MB

MD5
650ce335a515cb2cf9fcb3c9f19e2267

SHA1
f53b9a337d8a6da619200a76fb0b98d4d25ea268

SHA256
1d00b1b028b40c75d833118829be4968cfe307aa56253bbf76db18fa4b803a42

SHA512
586465858eaa546b85b0cb07a44ea7b90319b57e4da199bb51d2bc7d19f825d62cd215e90aa6aa11e3de3bfb689d230a8a1cdad41dc0a941a110c5af047c6c43

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
7338d03fd67dda2c902b5f138d010d95

SHA1
45fc1ea30bba4319bbb9f4a44c6766aef0ba543b

SHA256
025a1c3a704b46840fe3b52065102769fcea2c25167c2c7dfb42cc9fcc7ef472

SHA512
6ffb0cbc2a368483330b2d08e69b7a215fa0cebe83f53378914f472f60d5fade6b7aa1f4c12e7c94c32cb178b1dc44b9ea7a416a4335d309b11b2e12451a32dd

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
171B

MD5
957a38b25659cf82ddfdfc6d737362ad

SHA1
b56c6f76e56b9c64b66b57cae0ddca4592a76cbd

SHA256
1fe304766ee7084dd7603c7c7e3bfb12e05e5cfaf3ac5ff12302f34587dac31c

SHA512
16935cb8856d88e56baa6b2e2682e69be34f070b0ba2cb35cc78111fd207236ad77ca71de1f1814a13d8d28909010bce54cb989a15c8cbbe60c42d9b83a234b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe

Filesize
2.6MB

MD5
4c89c16bac0188875704195cded505c7

SHA1
eee99da81f1a2089a8ac00a41ad551dfd6eb1400

SHA256
fbe7e2c9cdb20db513db6ec8ca774ccb54ef6bc672e64e6c842e146cc94ee813

SHA512
5da17db066aa7bbd3bdbf986cb9b167978cb0bede5579969e4930552647d1aab990eab52e3da30110c019aee933cff4641e70a2abf20fdd7bb45c021f32add5e

Download Submit
C:\VidYP\optiaec.exe

Filesize
2.6MB

MD5
cccda81ccea39aa8fec57b951a2391b4

SHA1
36791da752a5ac49aaf849c6bfa7d443df2fd5d6

SHA256
1426f0824de167f0e53bd6cdf23a4446729f1f734ee92b7666b55c103f46a0f9

SHA512
60dc90b12876325fbede880fb12101cc734146f3449845a0acfcb4dc6eb7d633ec0fd9adec5d34cd3f5da07158576a597530f178827b7fb174ca5bc015b9057c

Download Submit
C:\VidYP\optiaec.exe

Filesize
2.6MB

MD5
567f682815a0d0d52a1f1989de82b40e

SHA1
4330f9c148f73d05b87e2a8a6c564351d82b61f0

SHA256
ab40d5b9dece3f2165669870e3bc9581a39cb6641dd9a9e1d33072a085435852

SHA512
52b77234f2acccc9647ab36ed1fd7072de6201f4fc383b0b2340eb5b5ed71ed2980d7a7919f504a5390455b098c3a7d9b7e14fdebb35da81c2a7411a0b80e2aa

Download Submit