d8acd3a4d1c28c0e3e475cc6f59f7dc9adf59535b091ac85ded68ab0628d5fb1

Analysis

max time kernel
150s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12/08/2024, 02:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d8acd3a4d1c28c0e3e475cc6f59f7dc9adf59535b091ac85ded68ab0628d5fb1.exe
Size

2.6MB
MD5

b1c81d70257335c0342a9a6ede9b8d5f
SHA1

6bd7f3caf713753be6eb0804a15007ac4dcedc44
SHA256

d8acd3a4d1c28c0e3e475cc6f59f7dc9adf59535b091ac85ded68ab0628d5fb1
SHA512

ef04232ce8bb25651da8d0a47bcaba561652c3503e3c74c4765c00d7582cfc955dc959161137ba6263afe31e8ac12fdb0bf241def7d4d5509e67cfe8b0b19cc4
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBkB/bS:sxX7QnxrloE5dpUp/b

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe	d8acd3a4d1c28c0e3e475cc6f59f7dc9adf59535b091ac85ded68ab0628d5fb1.exe

Executes dropped EXE 2 IoCs

pid	Process
4568	ecxdob.exe
2948	aoptiec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvKD\\aoptiec.exe"	d8acd3a4d1c28c0e3e475cc6f59f7dc9adf59535b091ac85ded68ab0628d5fb1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxJT\\boddevsys.exe"	d8acd3a4d1c28c0e3e475cc6f59f7dc9adf59535b091ac85ded68ab0628d5fb1.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecxdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aoptiec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d8acd3a4d1c28c0e3e475cc6f59f7dc9adf59535b091ac85ded68ab0628d5fb1.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
244	d8acd3a4d1c28c0e3e475cc6f59f7dc9adf59535b091ac85ded68ab0628d5fb1.exe
244	d8acd3a4d1c28c0e3e475cc6f59f7dc9adf59535b091ac85ded68ab0628d5fb1.exe
244	d8acd3a4d1c28c0e3e475cc6f59f7dc9adf59535b091ac85ded68ab0628d5fb1.exe
244	d8acd3a4d1c28c0e3e475cc6f59f7dc9adf59535b091ac85ded68ab0628d5fb1.exe
4568	ecxdob.exe
4568	ecxdob.exe
2948	aoptiec.exe
2948	aoptiec.exe
4568	ecxdob.exe
4568	ecxdob.exe
2948	aoptiec.exe
2948	aoptiec.exe
4568	ecxdob.exe
4568	ecxdob.exe
2948	aoptiec.exe
2948	aoptiec.exe
4568	ecxdob.exe
4568	ecxdob.exe
2948	aoptiec.exe
2948	aoptiec.exe
4568	ecxdob.exe
4568	ecxdob.exe
2948	aoptiec.exe
2948	aoptiec.exe
4568	ecxdob.exe
4568	ecxdob.exe
2948	aoptiec.exe
2948	aoptiec.exe
4568	ecxdob.exe
4568	ecxdob.exe
2948	aoptiec.exe
2948	aoptiec.exe
4568	ecxdob.exe
4568	ecxdob.exe
2948	aoptiec.exe
2948	aoptiec.exe
4568	ecxdob.exe
4568	ecxdob.exe
2948	aoptiec.exe
2948	aoptiec.exe
4568	ecxdob.exe
4568	ecxdob.exe
2948	aoptiec.exe
2948	aoptiec.exe
4568	ecxdob.exe
4568	ecxdob.exe
2948	aoptiec.exe
2948	aoptiec.exe
4568	ecxdob.exe
4568	ecxdob.exe
2948	aoptiec.exe
2948	aoptiec.exe
4568	ecxdob.exe
4568	ecxdob.exe
2948	aoptiec.exe
2948	aoptiec.exe
4568	ecxdob.exe
4568	ecxdob.exe
2948	aoptiec.exe
2948	aoptiec.exe
4568	ecxdob.exe
4568	ecxdob.exe
2948	aoptiec.exe
2948	aoptiec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 244 wrote to memory of 4568	244	d8acd3a4d1c28c0e3e475cc6f59f7dc9adf59535b091ac85ded68ab0628d5fb1.exe	94
PID 244 wrote to memory of 4568	244	d8acd3a4d1c28c0e3e475cc6f59f7dc9adf59535b091ac85ded68ab0628d5fb1.exe	94
PID 244 wrote to memory of 4568	244	d8acd3a4d1c28c0e3e475cc6f59f7dc9adf59535b091ac85ded68ab0628d5fb1.exe	94
PID 244 wrote to memory of 2948	244	d8acd3a4d1c28c0e3e475cc6f59f7dc9adf59535b091ac85ded68ab0628d5fb1.exe	95
PID 244 wrote to memory of 2948	244	d8acd3a4d1c28c0e3e475cc6f59f7dc9adf59535b091ac85ded68ab0628d5fb1.exe	95
PID 244 wrote to memory of 2948	244	d8acd3a4d1c28c0e3e475cc6f59f7dc9adf59535b091ac85ded68ab0628d5fb1.exe	95

C:\Users\Admin\AppData\Local\Temp\d8acd3a4d1c28c0e3e475cc6f59f7dc9adf59535b091ac85ded68ab0628d5fb1.exe
"C:\Users\Admin\AppData\Local\Temp\d8acd3a4d1c28c0e3e475cc6f59f7dc9adf59535b091ac85ded68ab0628d5fb1.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:244
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4568
- C:\SysDrvKD\aoptiec.exe
  C:\SysDrvKD\aoptiec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4292,i,8548254608087149642,10333768245962368401,262144 --variations-seed-version --mojo-platform-channel-handle=4328 /prefetch:8
1⤵
PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxJT\boddevsys.exe

Filesize
2.6MB

MD5
d7de3d4214dafa5916b3793756a853d5

SHA1
074479c9d97495883a0794cbd33c713079338c0b

SHA256
931383ff0e40274694211372268d172fa51cc4c0325dbcbda3ecb1c32200ec53

SHA512
0b281e1b421c591dfefb38152b1bb9cca3efaf8481047ee7738b4f2d66271c08eee202d47d50797ad688011615bf2169da171e4a36d1879fdb459fe92bbe6aed

Download Submit
C:\GalaxJT\boddevsys.exe

Filesize
267KB

MD5
4e09a74b3b7075c34914ebcd1c29f8c2

SHA1
56833708d00128632f526f0a1ab80d75eb76be25

SHA256
d5ba98f14c37fab8cf697f6f50afbc26c96d0aee1cfe056ffb31b48abbcbac4f

SHA512
e7739653e03cfad15a48b4c334cb97a9629952b82e0f2a5cad346d80342bf39da79ec3d69f5aea20cbf395afd8280b5d3d103ed4594649c0605c0635e781295e

Download Submit
C:\SysDrvKD\aoptiec.exe

Filesize
272KB

MD5
b5dcbf96b900f6779a0539b3d574eb30

SHA1
95a21962947606ff5c5843fef7c173cb32a4d78d

SHA256
04b24f42cccb17e708c36acf1935aa686e6ffec85096e49ce19ff849cd884143

SHA512
bad821ff363760d8e1bc41164432c5b2453658309155e8963cd5078c1da95068a07cb0bb1bb8b097791ed2fb17847b564319b0522b991439365d2ced2599f03e

Download Submit
C:\SysDrvKD\aoptiec.exe

Filesize
2.6MB

MD5
3747b499623d51defddd75fbcb13139d

SHA1
9cc57384721993d622b55309880baced1ead7d52

SHA256
47bcffd1564fef00d84b27a2db655aa7887cba5115ee2099c5e87092a11eadd4

SHA512
07a4324fb481bc0d11d26f0291d5ec528c151657e727db5bfbd3214f4e885c257d6397a4c4481c526c4f69a1f7ef669e1f3f132ca245e00aa498fe589a3f6c36

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
bd331c3e6725f69b5396d00b3a908e16

SHA1
d95e2b9f4f2fd8fd4ca1dbed34f57723b1a87959

SHA256
90ec423eed7eaa0a13060f3beef3004ba0e71de11639d596491eb59156d9f737

SHA512
63e3bbad67950dea06494b5039220242c084795af2f6fc4ba86bce09fb5883d7ed2ed0db60f6aa9b086aacccb554432f96f1f6b15d7e7dca2f6d0cd0f1d04c44

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
171B

MD5
05bb073b03d8b1991f6214aff7ac9a70

SHA1
1a837ae3a54ba19d6dc6a56070edccd536870e38

SHA256
8adb423295c90d790f15df4aca41beb36ed1a7d94cd3309a4b2ca05685cc7241

SHA512
7b97d6beef03b0679a3dcace551eea8bec7f98ce66f09dd299b8bb81e5d01183d718f2e850e6cc703a6ef2ecaaea98ceb02ea3d1eeb46bea1130bc9d044d5fa0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe

Filesize
2.6MB

MD5
da2c1a3a48e7849aee35f2e165c12a11

SHA1
c4d1e9e89cf4521e65a8a040985abfc72368c7b4

SHA256
d0a07439009a4fba5b4f43db68a0efac2bf68009462563271fd6b1f338f4d0fa

SHA512
8fa4759abe949df9a726ffd1cda966bef608069fd61f53dc1eb9a43950415d957c3253a9e1adc9c89f78710b81dfb073d1844c30d35fed0ef7900d4e5b366fab

Download Submit