b5a53522aa466511bb82d372461b3b4fc1ac33e9073365cd17f67b6deba1ff66

Analysis

max time kernel
120s
max time network
108s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-08-2024 05:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

963572ec4604e847d367a248b9a5d440N.exe
Size

2.6MB
MD5

963572ec4604e847d367a248b9a5d440
SHA1

dd1a94469ce7d8d9071b028a9dbe7b3177a27602
SHA256

b5a53522aa466511bb82d372461b3b4fc1ac33e9073365cd17f67b6deba1ff66
SHA512

1748c1ab69ab2769a9900129210c2573f6484eeda37f9535be87a132c3e7b180a3b4b62569aa7eaea64c45068eccb047775be8dba6957fa361b8c98b2004422a
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBiB/bS:sxX7QnxrloE5dpUplb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe	963572ec4604e847d367a248b9a5d440N.exe

Executes dropped EXE 2 IoCs

pid	Process
3556	locdevbod.exe
4192	aoptiec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe7Z\\aoptiec.exe"	963572ec4604e847d367a248b9a5d440N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidFV\\dobaec.exe"	963572ec4604e847d367a248b9a5d440N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aoptiec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	963572ec4604e847d367a248b9a5d440N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locdevbod.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1044	963572ec4604e847d367a248b9a5d440N.exe
1044	963572ec4604e847d367a248b9a5d440N.exe
1044	963572ec4604e847d367a248b9a5d440N.exe
1044	963572ec4604e847d367a248b9a5d440N.exe
3556	locdevbod.exe
3556	locdevbod.exe
4192	aoptiec.exe
4192	aoptiec.exe
3556	locdevbod.exe
3556	locdevbod.exe
4192	aoptiec.exe
4192	aoptiec.exe
3556	locdevbod.exe
3556	locdevbod.exe
4192	aoptiec.exe
4192	aoptiec.exe
3556	locdevbod.exe
3556	locdevbod.exe
4192	aoptiec.exe
4192	aoptiec.exe
3556	locdevbod.exe
3556	locdevbod.exe
4192	aoptiec.exe
4192	aoptiec.exe
3556	locdevbod.exe
3556	locdevbod.exe
4192	aoptiec.exe
4192	aoptiec.exe
3556	locdevbod.exe
3556	locdevbod.exe
4192	aoptiec.exe
4192	aoptiec.exe
3556	locdevbod.exe
3556	locdevbod.exe
4192	aoptiec.exe
4192	aoptiec.exe
3556	locdevbod.exe
3556	locdevbod.exe
4192	aoptiec.exe
4192	aoptiec.exe
3556	locdevbod.exe
3556	locdevbod.exe
4192	aoptiec.exe
4192	aoptiec.exe
3556	locdevbod.exe
3556	locdevbod.exe
4192	aoptiec.exe
4192	aoptiec.exe
3556	locdevbod.exe
3556	locdevbod.exe
4192	aoptiec.exe
4192	aoptiec.exe
3556	locdevbod.exe
3556	locdevbod.exe
4192	aoptiec.exe
4192	aoptiec.exe
3556	locdevbod.exe
3556	locdevbod.exe
4192	aoptiec.exe
4192	aoptiec.exe
3556	locdevbod.exe
3556	locdevbod.exe
4192	aoptiec.exe
4192	aoptiec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1044 wrote to memory of 3556	1044	963572ec4604e847d367a248b9a5d440N.exe	91
PID 1044 wrote to memory of 3556	1044	963572ec4604e847d367a248b9a5d440N.exe	91
PID 1044 wrote to memory of 3556	1044	963572ec4604e847d367a248b9a5d440N.exe	91
PID 1044 wrote to memory of 4192	1044	963572ec4604e847d367a248b9a5d440N.exe	93
PID 1044 wrote to memory of 4192	1044	963572ec4604e847d367a248b9a5d440N.exe	93
PID 1044 wrote to memory of 4192	1044	963572ec4604e847d367a248b9a5d440N.exe	93

C:\Users\Admin\AppData\Local\Temp\963572ec4604e847d367a248b9a5d440N.exe
"C:\Users\Admin\AppData\Local\Temp\963572ec4604e847d367a248b9a5d440N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1044
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3556
- C:\Adobe7Z\aoptiec.exe
  C:\Adobe7Z\aoptiec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Adobe7Z\aoptiec.exe

Filesize
2.6MB

MD5
c43467aa1e171a6538dd137c392e7353

SHA1
7282e97134aff8fb1dfab17a2f15190e38cc074e

SHA256
29be4e02b903191a2ae50c0d10f778e9c6331c52fdbe53cf414420dad9383e9b

SHA512
a261c1c44070e601f2f28279e9de04c933fae6c5f5b476e9139ac437019ff18861e2a129cddc24dd6822c560807215657559a77adb5d2e3346ce57cb555c307f

Download Submit
C:\Adobe7Z\aoptiec.exe

Filesize
2.6MB

MD5
7dccf82579053ca08823af1410dd6f50

SHA1
8f9570fcf0ab153bace9f5bc44ef848735941d29

SHA256
dfc9ecb36ac9fb6123dc59c5ebfd88d8fb63cb76bde859f6becac417ff7b1397

SHA512
65428f93833a2496f5fae206a400ff0ec9aafe94e46ecb8f3750df6909a2759108c62036ff090691d43957f7822e466ec3fbc69b7f7c4862d44f3f6d388067f8

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
200B

MD5
7e4745199dd7d928ce80bffb719a2b29

SHA1
c5ee2178935a01b4aa2ac9a86c7be6f56aa4e6e3

SHA256
f4bb364b9738f1c91d1ec521d1da4c960d431bf3e9ef2ff7e740a185b6d224b4

SHA512
171129d50191d07f69c09cbbb29c15729a87e45bd5754017d0306d57bfdf5dba7bb10e9f0d5e3a13fdd5fbd69926764d0c2ad60368a85d704d033af7684a5a90

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
168B

MD5
10e836fbbf13720a61f7a58da0310b96

SHA1
91cbefd2bcf22e2310c45b9732dbcbaead9d4c56

SHA256
c7a837d442f6e2318c7d42c883983d5efc36e4f25c0fd73994cf99d5a3b54162

SHA512
ab656c42c3c3cb407a6a3fb10e7191aeff5b1013ef7589172fec32e9bd04bd5e3c11f5172ca131140784389934964eebe280f6c13b256e078536616a39d79390

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe

Filesize
2.6MB

MD5
d4db7cdac4576a5a99ebd611ca87d63f

SHA1
1c3c091482cbb2fd3a044545f9fc5ff5a36367df

SHA256
12a374eff09335d37c3a73f64d92c2e9489ae1b9497103598f9a3a3fedfb5ab2

SHA512
c702562229d7ffac9d0c94e871c2af896d555ed359b471218a4343341035db3a977923b74a1e2edd8b4a085a0bb8c2747c32641d3d812801042f4a06b535aa3c

Download Submit
C:\VidFV\dobaec.exe

Filesize
2.6MB

MD5
42fe2e2bd776485c093a848d9c71cc77

SHA1
631fb34cb1c4acc411cfe3747a25e475944b7b02

SHA256
1bb32a5ed867912d28611d76a4f04a2631d1316c9de5c52fdedaa953a1f28786

SHA512
35105f877fb2535aa2f625b5742224b6f5ae1df18a0d0e4a311a61e74e5b3346f4cf9e3aefd489dbadf7e9184287b3375e655a54d76683f41dfb23a49a2f890d

Download Submit
C:\VidFV\dobaec.exe

Filesize
118KB

MD5
7600ee9fdbab39235bec021de1a3f95b

SHA1
565f35fc08e71f6cd028e6bf4d7303f0c8bb9781

SHA256
60de1a80c70a3c20c7afdbb4a503bcac8c348a77fa86456bea06518757c525ba

SHA512
eca857d978dab34f3be27ec800becdb18e2368f0a02b997a258131b703c641710f8ee712a086919bb8b2989e58041082e5134d7af4bc423aefd16c9344865a42

Download Submit