0cce9c95f012138e58ae8664e0425ff3aa7a85720caf490c9f0b666f6d4b7d59

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
28/08/2024, 18:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0cce9c95f012138e58ae8664e0425ff3aa7a85720caf490c9f0b666f6d4b7d59.exe
Size

3.0MB
MD5

7819488d4ad3933b4e9c70e16c7d3c40
SHA1

f7788fbf5c13c464e38fd3d0a48e1874a9127b61
SHA256

0cce9c95f012138e58ae8664e0425ff3aa7a85720caf490c9f0b666f6d4b7d59
SHA512

da39eb6eaa090dd97899ae6843d9f5d96800b9d4ad95b5d2d0b7e9f6146f34a049f7f0ce59626eb44350c26593ecac4c002f8787c5a1399dc9276f8012b84090
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB+B/bSqz8b6LNX:sxX7QnxrloE5dpUpJbVz8eLF

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe	0cce9c95f012138e58ae8664e0425ff3aa7a85720caf490c9f0b666f6d4b7d59.exe

Executes dropped EXE 2 IoCs

pid	Process
3004	locaopti.exe
2576	devoptiec.exe

Loads dropped DLL 2 IoCs

pid	Process
2672	0cce9c95f012138e58ae8664e0425ff3aa7a85720caf490c9f0b666f6d4b7d59.exe
2672	0cce9c95f012138e58ae8664e0425ff3aa7a85720caf490c9f0b666f6d4b7d59.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotH4\\devoptiec.exe"	0cce9c95f012138e58ae8664e0425ff3aa7a85720caf490c9f0b666f6d4b7d59.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ16\\optialoc.exe"	0cce9c95f012138e58ae8664e0425ff3aa7a85720caf490c9f0b666f6d4b7d59.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0cce9c95f012138e58ae8664e0425ff3aa7a85720caf490c9f0b666f6d4b7d59.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locaopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devoptiec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2672	0cce9c95f012138e58ae8664e0425ff3aa7a85720caf490c9f0b666f6d4b7d59.exe
2672	0cce9c95f012138e58ae8664e0425ff3aa7a85720caf490c9f0b666f6d4b7d59.exe
3004	locaopti.exe
2576	devoptiec.exe
3004	locaopti.exe
2576	devoptiec.exe
3004	locaopti.exe
2576	devoptiec.exe
3004	locaopti.exe
2576	devoptiec.exe
3004	locaopti.exe
2576	devoptiec.exe
3004	locaopti.exe
2576	devoptiec.exe
3004	locaopti.exe
2576	devoptiec.exe
3004	locaopti.exe
2576	devoptiec.exe
3004	locaopti.exe
2576	devoptiec.exe
3004	locaopti.exe
2576	devoptiec.exe
3004	locaopti.exe
2576	devoptiec.exe
3004	locaopti.exe
2576	devoptiec.exe
3004	locaopti.exe
2576	devoptiec.exe
3004	locaopti.exe
2576	devoptiec.exe
3004	locaopti.exe
2576	devoptiec.exe
3004	locaopti.exe
2576	devoptiec.exe
3004	locaopti.exe
2576	devoptiec.exe
3004	locaopti.exe
2576	devoptiec.exe
3004	locaopti.exe
2576	devoptiec.exe
3004	locaopti.exe
2576	devoptiec.exe
3004	locaopti.exe
2576	devoptiec.exe
3004	locaopti.exe
2576	devoptiec.exe
3004	locaopti.exe
2576	devoptiec.exe
3004	locaopti.exe
2576	devoptiec.exe
3004	locaopti.exe
2576	devoptiec.exe
3004	locaopti.exe
2576	devoptiec.exe
3004	locaopti.exe
2576	devoptiec.exe
3004	locaopti.exe
2576	devoptiec.exe
3004	locaopti.exe
2576	devoptiec.exe
3004	locaopti.exe
2576	devoptiec.exe
3004	locaopti.exe
2576	devoptiec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2672 wrote to memory of 3004	2672	0cce9c95f012138e58ae8664e0425ff3aa7a85720caf490c9f0b666f6d4b7d59.exe	30
PID 2672 wrote to memory of 3004	2672	0cce9c95f012138e58ae8664e0425ff3aa7a85720caf490c9f0b666f6d4b7d59.exe	30
PID 2672 wrote to memory of 3004	2672	0cce9c95f012138e58ae8664e0425ff3aa7a85720caf490c9f0b666f6d4b7d59.exe	30
PID 2672 wrote to memory of 3004	2672	0cce9c95f012138e58ae8664e0425ff3aa7a85720caf490c9f0b666f6d4b7d59.exe	30
PID 2672 wrote to memory of 2576	2672	0cce9c95f012138e58ae8664e0425ff3aa7a85720caf490c9f0b666f6d4b7d59.exe	31
PID 2672 wrote to memory of 2576	2672	0cce9c95f012138e58ae8664e0425ff3aa7a85720caf490c9f0b666f6d4b7d59.exe	31
PID 2672 wrote to memory of 2576	2672	0cce9c95f012138e58ae8664e0425ff3aa7a85720caf490c9f0b666f6d4b7d59.exe	31
PID 2672 wrote to memory of 2576	2672	0cce9c95f012138e58ae8664e0425ff3aa7a85720caf490c9f0b666f6d4b7d59.exe	31

C:\Users\Admin\AppData\Local\Temp\0cce9c95f012138e58ae8664e0425ff3aa7a85720caf490c9f0b666f6d4b7d59.exe
"C:\Users\Admin\AppData\Local\Temp\0cce9c95f012138e58ae8664e0425ff3aa7a85720caf490c9f0b666f6d4b7d59.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3004
- C:\UserDotH4\devoptiec.exe
  C:\UserDotH4\devoptiec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZ16\optialoc.exe

Filesize
832KB

MD5
24743b623d803028ebfa9a7db33f55b9

SHA1
b0a85b0efee5a967bed2eeda097fede4ac8887b1

SHA256
2c68ca126c426b002ead74fe0a4d61a0d07a4e17e0e4863efa0490c250db3c51

SHA512
5a3cf2d0d652c0968922ccb764b454bca7c7cabd0e14428072d0d053d73380c56c1e2788b1aedf27c11f5ae0bdeaff7084572d2cd26667004a201f8283e607e5

Download Submit
C:\LabZ16\optialoc.exe

Filesize
3.0MB

MD5
0d0957029a6f395ffe9c7e19e829b73e

SHA1
248756742e0ce8cffec4dc55796beb45802a5b21

SHA256
c105a1033c9273f98ac7d420dfa3944ff57f381042c46a4a73f4422c4b937c7c

SHA512
6113716edc4af58d71a677fb57e13a2cf4421f6ab12f631f5581795f9676e4ccad244a3480867dcea69b0ff9f2aef2ba496becbddacee616904b9bc256e9adef

Download Submit
C:\UserDotH4\devoptiec.exe

Filesize
3.0MB

MD5
171fca7dc634ffb864287f7b882816db

SHA1
a21cc2a4f4bba76d8af89df33b80e4a41f859854

SHA256
ec5ba466c3c4dcf3024a1c6c1ae3c0de589cb809b830325ce3f48111ee7df1b5

SHA512
760939183b1b0a2990672cc71fd644f2d13085d27b30fc9a7142555be2e69a58e485677d4fd9b286458bb413cf4871bf26e08b043b07694b869b5fb66346ffa3

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
174B

MD5
551085bb742924c725d8ee2d88a22a0d

SHA1
3a90ab66059fa628562ba4b53dd5711d9547f898

SHA256
b77bf241d24cb4304a0831f2fbd00a0f67f096ed3ef7ad84c141ab43a763ba65

SHA512
9553a27192e73d5fcb51277be7801d769af085d4d0e3468b435d4cf7e1f46f14b3d1728edad337f899b0bb30ddbfafc6dcc23f92de82b3b8201e85ed9abae909

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
206B

MD5
7d4c0aea93d4c8583e28ea43756e633d

SHA1
f83c0421f0f5b0f6a491d86f9e33a26dab9807f9

SHA256
8e3e591b8c7633abfa79a5eb2791f8a408444d8fa3e2526e8d8ae698669431eb

SHA512
4c793013e9c806601200bee2b865816d5c3dfba7e95133f6a3efb28acf69e1339ba14fc299f61ec6081f0adea038eba6c899d16ebf6c86af32f695a17e55bf41

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe

Filesize
3.0MB

MD5
0f6fb0b7a2423ccd652ecb142bfaef92

SHA1
5eab70e97a7227c0b6b0ee458cfe90ad7a22b4a6

SHA256
921bde46d0ce56b6aeefaf27ae6dc0c63c355212bbda0ef907a0a78c61a584bf

SHA512
770fda3f3e328bef32be09edeae29799517a38d062051b7422f9c7cf115df17240109ce9ef10642908cf759c0aff9b1f8cf8e639b50ed4de2dbea57c5101a246

Download Submit