52a4b7ac73f100099b6bb3c6c82ffe809cf851880cd9a66edbde74ef3149b71b

Analysis

max time kernel
119s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/09/2024, 06:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b721cda796355822135677cd008513b0N.exe
Size

2.6MB
MD5

b721cda796355822135677cd008513b0
SHA1

a29a3537f0ef3f24c91697a1a97a4cbbc61e5456
SHA256

52a4b7ac73f100099b6bb3c6c82ffe809cf851880cd9a66edbde74ef3149b71b
SHA512

4eafc3171d0b9eea0ff93fef1bf8392caa3d2f90072268ee5aa292030e0bb0dad73911bc5cb060219a8c7705589b6a661da207579c05d115981b496f72523f55
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB0B/bS:sxX7QnxrloE5dpUpjb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe	b721cda796355822135677cd008513b0N.exe

Executes dropped EXE 2 IoCs

pid	Process
4204	ecabod.exe
2044	aoptisys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeFA\\aoptisys.exe"	b721cda796355822135677cd008513b0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB80\\optidevsys.exe"	b721cda796355822135677cd008513b0N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b721cda796355822135677cd008513b0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecabod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aoptisys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4684	b721cda796355822135677cd008513b0N.exe
4684	b721cda796355822135677cd008513b0N.exe
4684	b721cda796355822135677cd008513b0N.exe
4684	b721cda796355822135677cd008513b0N.exe
4204	ecabod.exe
4204	ecabod.exe
2044	aoptisys.exe
2044	aoptisys.exe
4204	ecabod.exe
4204	ecabod.exe
2044	aoptisys.exe
2044	aoptisys.exe
4204	ecabod.exe
4204	ecabod.exe
2044	aoptisys.exe
2044	aoptisys.exe
4204	ecabod.exe
4204	ecabod.exe
2044	aoptisys.exe
2044	aoptisys.exe
4204	ecabod.exe
4204	ecabod.exe
2044	aoptisys.exe
2044	aoptisys.exe
4204	ecabod.exe
4204	ecabod.exe
2044	aoptisys.exe
2044	aoptisys.exe
4204	ecabod.exe
4204	ecabod.exe
2044	aoptisys.exe
2044	aoptisys.exe
4204	ecabod.exe
4204	ecabod.exe
2044	aoptisys.exe
2044	aoptisys.exe
4204	ecabod.exe
4204	ecabod.exe
2044	aoptisys.exe
2044	aoptisys.exe
4204	ecabod.exe
4204	ecabod.exe
2044	aoptisys.exe
2044	aoptisys.exe
4204	ecabod.exe
4204	ecabod.exe
2044	aoptisys.exe
2044	aoptisys.exe
4204	ecabod.exe
4204	ecabod.exe
2044	aoptisys.exe
2044	aoptisys.exe
4204	ecabod.exe
4204	ecabod.exe
2044	aoptisys.exe
2044	aoptisys.exe
4204	ecabod.exe
4204	ecabod.exe
2044	aoptisys.exe
2044	aoptisys.exe
4204	ecabod.exe
4204	ecabod.exe
2044	aoptisys.exe
2044	aoptisys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4684 wrote to memory of 4204	4684	b721cda796355822135677cd008513b0N.exe	88
PID 4684 wrote to memory of 4204	4684	b721cda796355822135677cd008513b0N.exe	88
PID 4684 wrote to memory of 4204	4684	b721cda796355822135677cd008513b0N.exe	88
PID 4684 wrote to memory of 2044	4684	b721cda796355822135677cd008513b0N.exe	89
PID 4684 wrote to memory of 2044	4684	b721cda796355822135677cd008513b0N.exe	89
PID 4684 wrote to memory of 2044	4684	b721cda796355822135677cd008513b0N.exe	89

C:\Users\Admin\AppData\Local\Temp\b721cda796355822135677cd008513b0N.exe
"C:\Users\Admin\AppData\Local\Temp\b721cda796355822135677cd008513b0N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4684
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4204
- C:\AdobeFA\aoptisys.exe
  C:\AdobeFA\aoptisys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeFA\aoptisys.exe

Filesize
1.0MB

MD5
f39c3e353364c3c63682bf90461ddf4f

SHA1
d14b5600947b10eb1904af25c59e92f87c7f6ac8

SHA256
7513d3e9c92f7f76b6ed1fb28643469220cf42b116acefa625f820f88b8a87e1

SHA512
6cb6e316391a274322ac55ed72a4d6ec10f9b11ed5c47a3bd1240b2cbe8f9fdb0889341288a92fad266b5357e4798ff54e872d785b1ab24e730e2c315ada575c

Download Submit
C:\AdobeFA\aoptisys.exe

Filesize
2.6MB

MD5
b001172f39efeee1e6a89bdc3ea4b41e

SHA1
cd2c1e61cb4ee8bcf10892a200c889a905b85baa

SHA256
a7d48183078191147f9344b815edb1a7b761e4264ea4e6b36dad4b3937b7990c

SHA512
5976d5e0b4cb3c67e578bf1252f375302fd6c6bc033fe9f967e396cdfccd7fe9405ddf86d8727fc5050338331ab7a83f44c945d6e51567c94c60cf5621240981

Download Submit
C:\KaVB80\optidevsys.exe

Filesize
1.1MB

MD5
90463aafa8780b58edb10f3d638b4676

SHA1
b81de6c4c61042ef37dbed47c672a21604b3f60b

SHA256
583ec13d10473bd2eda1ceb902e607c34f8656cad13f29932a81b0eed0aab265

SHA512
82b6b565e2eb7efb338dfa2e7c68206efdbbfad9965789b32b55d4e1dfccb18fd3d98a16fbae40bedde3b0a875df4c0dd7dd472a43ebb8135767b602f3c8ee2a

Download Submit
C:\KaVB80\optidevsys.exe

Filesize
2.6MB

MD5
03f460ceb078a771da5017f28587578c

SHA1
2d3e1c90d61d06746a890fe97feaa8b2a00309bc

SHA256
7f22e4de7afca9534a100dc9d3eafd4f9453bf93a2959cd5fe6cdbf1b6434b81

SHA512
71febae85909892474e6c576cc4174781354463873f52f39eccd65c8b6a2b7301bc89da0c8c63123aead631375e05bc464d609dceac48da9f80d60197a4eb001

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
949e3a096b8aa8a8dd8d7354bb908e4e

SHA1
1d2b31a4b31e1d5c44ff27a5db41ed57e8e8632f

SHA256
4a76543ca2503aad517f187944df8e194e2473af71eaa8ef0eed093f63648c5a

SHA512
b402f824dd11c4513e878dd412ed71c25590b4d5c05b58cc399b97b39cd931df3aa54974fd1565b293706a1c7eca03aed0abafcc2244b50974c57254d6916d85

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
171B

MD5
4165bc31a24d049bc1e3525993635554

SHA1
f401565da3d727433c4eaf198c828eac0dee815e

SHA256
2374a9eb45a46e4a1eaa6ab9ff55f89670e6f873a372257db3a0670b75958c3a

SHA512
9760df46493afb6f487013d3650fc373abf4e26b3a84c1c4610e25a6f0bc32926d385043d26f6e59d34a519b84a704a2e9f4814920864a2535512ba18e170be2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe

Filesize
2.6MB

MD5
22eb407b3d0cf25d676835c2266d4a6a

SHA1
69781cbdcbd69fba5aac7d716503284dde2ccaa5

SHA256
f06e7777deb5898d3f135f221aa73d65a40768efbfe51d196541cdb7762e110d

SHA512
ad81a50367df249b474237bc67a4892f3f3d27604d0f159d946efb9412984fb1af91e8fc34ed74d71ca8a05cb00cc5e6b29ef8e40a4cb81573227d4cbbbc1cfc

Download Submit