bc70a5497f13e945fedbdd4b4064fc7e8e7964be05be01d7dcaaed0c9b0f2325

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/08/2024, 01:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bc70a5497f13e945fedbdd4b4064fc7e8e7964be05be01d7dcaaed0c9b0f2325.exe
Size

3.6MB
MD5

82c757687e2c03cd317f83ffc98e13c1
SHA1

35a903af927105d32598621561caaee18181ac99
SHA256

bc70a5497f13e945fedbdd4b4064fc7e8e7964be05be01d7dcaaed0c9b0f2325
SHA512

07d0e8d5971175f0327e157d585763b91ebce46f181f4f88016ce632a173c793df6b19d3c5c89143f0641644d5c45b712c325c89856d24bf1c30077633c090ec
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBWB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpNbVz8eLFcz

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe	bc70a5497f13e945fedbdd4b4064fc7e8e7964be05be01d7dcaaed0c9b0f2325.exe

Executes dropped EXE 2 IoCs

pid	Process
4684	ecxopti.exe
2264	aoptiec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocO8\\aoptiec.exe"	bc70a5497f13e945fedbdd4b4064fc7e8e7964be05be01d7dcaaed0c9b0f2325.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBQ4\\optidevsys.exe"	bc70a5497f13e945fedbdd4b4064fc7e8e7964be05be01d7dcaaed0c9b0f2325.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bc70a5497f13e945fedbdd4b4064fc7e8e7964be05be01d7dcaaed0c9b0f2325.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecxopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aoptiec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1056	bc70a5497f13e945fedbdd4b4064fc7e8e7964be05be01d7dcaaed0c9b0f2325.exe
1056	bc70a5497f13e945fedbdd4b4064fc7e8e7964be05be01d7dcaaed0c9b0f2325.exe
1056	bc70a5497f13e945fedbdd4b4064fc7e8e7964be05be01d7dcaaed0c9b0f2325.exe
1056	bc70a5497f13e945fedbdd4b4064fc7e8e7964be05be01d7dcaaed0c9b0f2325.exe
4684	ecxopti.exe
4684	ecxopti.exe
2264	aoptiec.exe
2264	aoptiec.exe
4684	ecxopti.exe
4684	ecxopti.exe
2264	aoptiec.exe
2264	aoptiec.exe
4684	ecxopti.exe
4684	ecxopti.exe
2264	aoptiec.exe
2264	aoptiec.exe
4684	ecxopti.exe
4684	ecxopti.exe
2264	aoptiec.exe
2264	aoptiec.exe
4684	ecxopti.exe
4684	ecxopti.exe
2264	aoptiec.exe
2264	aoptiec.exe
4684	ecxopti.exe
4684	ecxopti.exe
2264	aoptiec.exe
2264	aoptiec.exe
4684	ecxopti.exe
4684	ecxopti.exe
2264	aoptiec.exe
2264	aoptiec.exe
4684	ecxopti.exe
4684	ecxopti.exe
2264	aoptiec.exe
2264	aoptiec.exe
4684	ecxopti.exe
4684	ecxopti.exe
2264	aoptiec.exe
2264	aoptiec.exe
4684	ecxopti.exe
4684	ecxopti.exe
2264	aoptiec.exe
2264	aoptiec.exe
4684	ecxopti.exe
4684	ecxopti.exe
2264	aoptiec.exe
2264	aoptiec.exe
4684	ecxopti.exe
4684	ecxopti.exe
2264	aoptiec.exe
2264	aoptiec.exe
4684	ecxopti.exe
4684	ecxopti.exe
2264	aoptiec.exe
2264	aoptiec.exe
4684	ecxopti.exe
4684	ecxopti.exe
2264	aoptiec.exe
2264	aoptiec.exe
4684	ecxopti.exe
4684	ecxopti.exe
2264	aoptiec.exe
2264	aoptiec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1056 wrote to memory of 4684	1056	bc70a5497f13e945fedbdd4b4064fc7e8e7964be05be01d7dcaaed0c9b0f2325.exe	89
PID 1056 wrote to memory of 4684	1056	bc70a5497f13e945fedbdd4b4064fc7e8e7964be05be01d7dcaaed0c9b0f2325.exe	89
PID 1056 wrote to memory of 4684	1056	bc70a5497f13e945fedbdd4b4064fc7e8e7964be05be01d7dcaaed0c9b0f2325.exe	89
PID 1056 wrote to memory of 2264	1056	bc70a5497f13e945fedbdd4b4064fc7e8e7964be05be01d7dcaaed0c9b0f2325.exe	92
PID 1056 wrote to memory of 2264	1056	bc70a5497f13e945fedbdd4b4064fc7e8e7964be05be01d7dcaaed0c9b0f2325.exe	92
PID 1056 wrote to memory of 2264	1056	bc70a5497f13e945fedbdd4b4064fc7e8e7964be05be01d7dcaaed0c9b0f2325.exe	92

C:\Users\Admin\AppData\Local\Temp\bc70a5497f13e945fedbdd4b4064fc7e8e7964be05be01d7dcaaed0c9b0f2325.exe
"C:\Users\Admin\AppData\Local\Temp\bc70a5497f13e945fedbdd4b4064fc7e8e7964be05be01d7dcaaed0c9b0f2325.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1056
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4684
- C:\IntelprocO8\aoptiec.exe
  C:\IntelprocO8\aoptiec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocO8\aoptiec.exe

Filesize
6KB

MD5
eca5ea25f6a32a95c09d2d11f140c43b

SHA1
fc7c4ffc46b345747cc079073a62c80c129f2442

SHA256
7d956fbd2f73b9d56dbb1fa91bb438857ce1495cd868cdc6d6daea38edfcff17

SHA512
27d28a94c6c9d88714e07d1c5d856b348aaffe7164a680aa4aa760c4a738cf9fed9f373ea895b3dfa3e80ea1b8702679ff32bafeb7e84ada4fe30ff30b1add61

Download Submit
C:\IntelprocO8\aoptiec.exe

Filesize
3.6MB

MD5
7207e0bcaed73593c09a0d1a614820ad

SHA1
b60849b9fe827c9b2c9650df1559919227b5410e

SHA256
f57c21dae2bab1a6233fa5c220347c5d9483b35cc9b8e045315bdfaa91754918

SHA512
e8acaeab67be45132cd20b79c7ef7ffdf195eefe6f7cd6f9599b7a14826b7b473d33b457b395e23e9cc7f55864cb2ffd510c7447303345aed8657c813a6ccdef

Download Submit
C:\KaVBQ4\optidevsys.exe

Filesize
3.6MB

MD5
f365ecb8c335dc4448d220d10cf42a2e

SHA1
a56c4b8ff514efd2341269bd8f19e6abcf7fd8d9

SHA256
e4b65948d12cd41d27bb681e81078f96a46ce0f51747a49854d7ee35e6e04214

SHA512
147080afdd732a2d59bc681954551290373571130dedc8a5758703ff1b14e36a71d6a1fed60d7123556275a7bc8973a02a41f035f08014971955096b6858b361

Download Submit
C:\KaVBQ4\optidevsys.exe

Filesize
508KB

MD5
35d9a63fb614117fa1beecb892fadda2

SHA1
4d035fbe1eccfef660122f9d29747276c5ac3c44

SHA256
24d3234b48c3cbcb857e9d047e173ac24a7a867df80e133fac3a33118915058b

SHA512
6f921033f627a0d4a981e7089afc65da824accffc70f5968e7daa11ceb269f47bb98b5f9f92087140ddc7b4c3b2de9adaa0a334c67001ec4ffa59461ffaf5767

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
207B

MD5
7b424914ee258d1b19b45947985ab1b4

SHA1
cab0b14b393c760599c7297e14babd5e316ceabe

SHA256
0eeb7016bde1f10d3b7ef2705040fae948f3453b604d2cb3348a94d121f50d62

SHA512
25ef6dd6ad86453dd1dcd583cec7144d956751cde3514adb97dd4f0fd236552cea6a1818924b263b8d4ad8a6da007fef57975231067dbb84af14adaf43c96a27

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
175B

MD5
cc102c2ffd6cc429e116c7ebae1dfe84

SHA1
54416229dbe3a9be69752cb79a5b4a89e4779067

SHA256
36ba815915adaf56bd7f4708d6c87320d3c73135c6f9addcdb637b650eecf362

SHA512
7927b97906f52f0a4338cc8d5e89896900dea0f029e874fad9429e583c6a8754c9291f54fc06907e3b673dc8842fff04620a9f34ab08534d03012033ebf597ee

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe

Filesize
3.6MB

MD5
e9583ba04a084386bbdc2833ddbbfbbd

SHA1
1e753d4090a687b63ee4462052c09a5a3cb258f2

SHA256
8215fa7028ea24a199cef6b24fabac24b1826d84cd1a3182f894d9244948469f

SHA512
6abe9a7a1a6fa5c8f57a693fa8d0d20b633405b87781f706e5adce9785ff7cd8ee6c12f5dc01e60d88359266cf8a59570723a3fbdbdca464d21f9468b98de59d

Download Submit