30c3978723b1c4e91f0c55705218d0dc26fbd70ec9bf458ab3a045154b49fc0a

Analysis

max time kernel
120s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/09/2024, 02:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

728b370fe514bc5c47903d44bfca7460N.exe
Size

2.6MB
MD5

728b370fe514bc5c47903d44bfca7460
SHA1

aac07917ac01ff28260b6d10053ee5ddff4eac72
SHA256

30c3978723b1c4e91f0c55705218d0dc26fbd70ec9bf458ab3a045154b49fc0a
SHA512

a5c9c473d5de2ae1876a069d49d82e0cdf2d4319294a48564524fbd8265a3e16f4f95557283229b6192c916846cec79efc05c566a02b267d992ecb7433a5bf6d
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBdB/bS:sxX7QnxrloE5dpUpyb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe	728b370fe514bc5c47903d44bfca7460N.exe

Executes dropped EXE 2 IoCs

pid	Process
4796	ecdevbod.exe
4308	aoptiloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintJM\\optiasys.exe"	728b370fe514bc5c47903d44bfca7460N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv2V\\aoptiloc.exe"	728b370fe514bc5c47903d44bfca7460N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	728b370fe514bc5c47903d44bfca7460N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecdevbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aoptiloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3108	728b370fe514bc5c47903d44bfca7460N.exe
3108	728b370fe514bc5c47903d44bfca7460N.exe
3108	728b370fe514bc5c47903d44bfca7460N.exe
3108	728b370fe514bc5c47903d44bfca7460N.exe
4796	ecdevbod.exe
4796	ecdevbod.exe
4308	aoptiloc.exe
4308	aoptiloc.exe
4796	ecdevbod.exe
4796	ecdevbod.exe
4308	aoptiloc.exe
4308	aoptiloc.exe
4796	ecdevbod.exe
4796	ecdevbod.exe
4308	aoptiloc.exe
4308	aoptiloc.exe
4796	ecdevbod.exe
4796	ecdevbod.exe
4308	aoptiloc.exe
4308	aoptiloc.exe
4796	ecdevbod.exe
4796	ecdevbod.exe
4308	aoptiloc.exe
4308	aoptiloc.exe
4796	ecdevbod.exe
4796	ecdevbod.exe
4308	aoptiloc.exe
4308	aoptiloc.exe
4796	ecdevbod.exe
4796	ecdevbod.exe
4308	aoptiloc.exe
4308	aoptiloc.exe
4796	ecdevbod.exe
4796	ecdevbod.exe
4308	aoptiloc.exe
4308	aoptiloc.exe
4796	ecdevbod.exe
4796	ecdevbod.exe
4308	aoptiloc.exe
4308	aoptiloc.exe
4796	ecdevbod.exe
4796	ecdevbod.exe
4308	aoptiloc.exe
4308	aoptiloc.exe
4796	ecdevbod.exe
4796	ecdevbod.exe
4308	aoptiloc.exe
4308	aoptiloc.exe
4796	ecdevbod.exe
4796	ecdevbod.exe
4308	aoptiloc.exe
4308	aoptiloc.exe
4796	ecdevbod.exe
4796	ecdevbod.exe
4308	aoptiloc.exe
4308	aoptiloc.exe
4796	ecdevbod.exe
4796	ecdevbod.exe
4308	aoptiloc.exe
4308	aoptiloc.exe
4796	ecdevbod.exe
4796	ecdevbod.exe
4308	aoptiloc.exe
4308	aoptiloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3108 wrote to memory of 4796	3108	728b370fe514bc5c47903d44bfca7460N.exe	86
PID 3108 wrote to memory of 4796	3108	728b370fe514bc5c47903d44bfca7460N.exe	86
PID 3108 wrote to memory of 4796	3108	728b370fe514bc5c47903d44bfca7460N.exe	86
PID 3108 wrote to memory of 4308	3108	728b370fe514bc5c47903d44bfca7460N.exe	87
PID 3108 wrote to memory of 4308	3108	728b370fe514bc5c47903d44bfca7460N.exe	87
PID 3108 wrote to memory of 4308	3108	728b370fe514bc5c47903d44bfca7460N.exe	87

C:\Users\Admin\AppData\Local\Temp\728b370fe514bc5c47903d44bfca7460N.exe
"C:\Users\Admin\AppData\Local\Temp\728b370fe514bc5c47903d44bfca7460N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3108
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4796
- C:\SysDrv2V\aoptiloc.exe
  C:\SysDrv2V\aoptiloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintJM\optiasys.exe

Filesize
219KB

MD5
f446afe53b104415cb1fb8ff6b87d242

SHA1
e192ce81ccf133a6f8e439622fe55b131a331c08

SHA256
83a13a5e4a5b36e7a2b8062fc89457f5cff965dfb262de6e700abf7ef2bedaa7

SHA512
cf560c5d8e17c257cae4ee2678666e71f5fa5d6ff55be14a39f99b5e2660884b1f39d9f55df9c23852dd04517d64c3970abed126b25677f5f1b96727c9119201

Download Submit
C:\MintJM\optiasys.exe

Filesize
2.6MB

MD5
bd2d1de686f32ac6c173e5ae64031fc4

SHA1
96f1be898879a3774f0283ad67d0419a514d885e

SHA256
b33acb0a5ad80d98a91a661541afa8cb1b7ec5e0b3bfc4e5d4891bc933ec82be

SHA512
b739233a0c7d7439572772963a27b34e2336b895b55d90f14ee130e7d290ae868fa7f7c3e73bbe30219fe8028d0d09dd04533bf20c68d5e87492eeddc60c35cc

Download Submit
C:\SysDrv2V\aoptiloc.exe

Filesize
2.6MB

MD5
45d595b87651ec3660f7cc44d9e74442

SHA1
4c4a048802e81859dfcba423d648586f3fc22f30

SHA256
2c044f75e2630c9cc01553531f5440335f4b295bfb5cc9dbb80e156b26897168

SHA512
29772ef3a8235af199ed2c6ec6cc81416c69a45fabfdf9e279b47c96005d45ad77ddc18807a5ab831bbefb570081a22511ae3e35ad88426cbdb5fb2cd8ba7d53

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
6baf13ffc5da4b181de964d8dfefb282

SHA1
ae4aacef83ef28931b21bb8ef641acc7b0fb0937

SHA256
c3c8c9934a829be183a874fec2d054602ccea1cbbb48ad655acdfa8ef9c66803

SHA512
21bc00c328fb372022449a02c8f6f4361015c5b7774760ef7ce92b0cf647ba20725e47ef44bd60bb86ad01ac5b297f496d12cb3fb23adf5f88231a6921838661

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
172B

MD5
3774b59ea0bfb6af355c05cd25b7a2c0

SHA1
d71274529153aed28854a4be602cae7da4c8913a

SHA256
1ad170d82fd905cb06494c79127d1f56f6bb7de0e25d25e3a581d6fda33b3b6e

SHA512
44d92144172952dacaae1ddfd191c8fb38fcba237985707b9cf571344c37d826f1bc9e30de64169adf5fa52f4b14405a37e962dbb65f88100e1321fcb8972dab

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe

Filesize
2.6MB

MD5
69cf93635f1f9bc62f5687a9d99ed7c0

SHA1
2b0e1eb0d6013681046f99e0c63510eed93f429c

SHA256
fcb197bf9b0dda4b7c1c52ea80f608002c19827a667166ddb993efd1fe00a535

SHA512
8bf3f921431c4687b588d15d98ba3d5113c16be81c861eb81bff225c2dadb2fdabef6e8420d94856a6a65476e1e02d63aeddf325cddfd8695b3961c22ea4fa51

Download Submit