Analysis
max time kernel: 149s
max time network: 123s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 25/08/2024, 06:56
Static task: static1
Behavioral task: behavioral1
  Sample: ed6686adb87185692b6d47206cc622e74c44712eb0fcde6c95b2224e08e27147.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: ed6686adb87185692b6d47206cc622e74c44712eb0fcde6c95b2224e08e27147.exe
  Resource: win10v2004-20240802-en
General
Target: ed6686adb87185692b6d47206cc622e74c44712eb0fcde6c95b2224e08e27147.exe
Size: 2.6MB
MD5: caf5d388c5a5e9237a3784652b0950f9
SHA1: b73e6c9a785b8c73a1f9651564f2d5dfe2a8260c
SHA256: ed6686adb87185692b6d47206cc622e74c44712eb0fcde6c95b2224e08e27147
SHA512: 612c52a29ad2f27af169a59406af1e6275a213c21cf9d04392a841772022d83e9ca19f8dd90e1bf4d3af9f5415e697c11f80a94a0c1c86d191c2b68a0304d605
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBXB/bS:sxX7QnxrloE5dpUpMb
Malware Config
Signatures

Credentials from Password Stores: Credentials from Web Browsers (1 TTP)
Malicious access to, or copying of, a web browser credential store.

Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe (process: ed6686adb87185692b6d47206cc622e74c44712eb0fcde6c95b2224e08e27147.exe)

Executes dropped EXE (2 IoCs)
  PID 2728  locdevopti.exe
  PID 2732  aoptiec.exe

Loads dropped DLL (2 IoCs)
  PID 3064  ed6686adb87185692b6d47206cc622e74c44712eb0fcde6c95b2224e08e27147.exe
  PID 3064  ed6686adb87185692b6d47206cc622e74c44712eb0fcde6c95b2224e08e27147.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeTM\\aoptiec.exe" (process: ed6686adb87185692b6d47206cc622e74c44712eb0fcde6c95b2224e08e27147.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidR3\\dobaec.exe" (process: ed6686adb87185692b6d47206cc622e74c44712eb0fcde6c95b2224e08e27147.exe)

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: ed6686adb87185692b6d47206cc622e74c44712eb0fcde6c95b2224e08e27147.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: locdevopti.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: aoptiec.exe)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
All 64 entries refer to the same three processes:
  PID 3064  ed6686adb87185692b6d47206cc622e74c44712eb0fcde6c95b2224e08e27147.exe
  PID 2728  locdevopti.exe
  PID 2732  aoptiec.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  PID 3064 (ed6686adb87185692b6d47206cc622e74c44712eb0fcde6c95b2224e08e27147.exe) wrote to memory of PID 2728, procid_target 30 (4 entries)
  PID 3064 (ed6686adb87185692b6d47206cc622e74c44712eb0fcde6c95b2224e08e27147.exe) wrote to memory of PID 2732, procid_target 31 (4 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\ed6686adb87185692b6d47206cc622e74c44712eb0fcde6c95b2224e08e27147.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ed6686adb87185692b6d47206cc622e74c44712eb0fcde6c95b2224e08e27147.exe"
  PID: 3064
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  Child: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
    PID: 2728
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

  Child: C:\AdobeTM\aoptiec.exe
    Command line: C:\AdobeTM\aoptiec.exe
    PID: 2732
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads