c60fc62b310367a4877e73c1ff6669212a1fcd06b8973c853beab932c3668ff1

Analysis

max time kernel
120s
max time network
18s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05/09/2024, 12:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ed3185b41aacffe090bde376d9b43560N.exe
Size

2.6MB
MD5

ed3185b41aacffe090bde376d9b43560
SHA1

868cde6b6df79bd3ece4e1e87320490fac60104f
SHA256

c60fc62b310367a4877e73c1ff6669212a1fcd06b8973c853beab932c3668ff1
SHA512

106fa2309094d43c303277069a5873250dbcabe8ca51c2742b53a50d6d137894d314ef4c2f68f8b355a9d0769dc2d21d2463f76410e1a4e86c0e17ec0a8a80fc
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBVB/bS:sxX7QnxrloE5dpUpSb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe	ed3185b41aacffe090bde376d9b43560N.exe

Executes dropped EXE 2 IoCs

pid	Process
2872	locaopti.exe
2856	adobsys.exe

Loads dropped DLL 2 IoCs

pid	Process
2272	ed3185b41aacffe090bde376d9b43560N.exe
2272	ed3185b41aacffe090bde376d9b43560N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot7M\\adobsys.exe"	ed3185b41aacffe090bde376d9b43560N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidZH\\optidevec.exe"	ed3185b41aacffe090bde376d9b43560N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ed3185b41aacffe090bde376d9b43560N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locaopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adobsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2272	ed3185b41aacffe090bde376d9b43560N.exe
2272	ed3185b41aacffe090bde376d9b43560N.exe
2872	locaopti.exe
2856	adobsys.exe
2872	locaopti.exe
2856	adobsys.exe
2872	locaopti.exe
2856	adobsys.exe
2872	locaopti.exe
2856	adobsys.exe
2872	locaopti.exe
2856	adobsys.exe
2872	locaopti.exe
2856	adobsys.exe
2872	locaopti.exe
2856	adobsys.exe
2872	locaopti.exe
2856	adobsys.exe
2872	locaopti.exe
2856	adobsys.exe
2872	locaopti.exe
2856	adobsys.exe
2872	locaopti.exe
2856	adobsys.exe
2872	locaopti.exe
2856	adobsys.exe
2872	locaopti.exe
2856	adobsys.exe
2872	locaopti.exe
2856	adobsys.exe
2872	locaopti.exe
2856	adobsys.exe
2872	locaopti.exe
2856	adobsys.exe
2872	locaopti.exe
2856	adobsys.exe
2872	locaopti.exe
2856	adobsys.exe
2872	locaopti.exe
2856	adobsys.exe
2872	locaopti.exe
2856	adobsys.exe
2872	locaopti.exe
2856	adobsys.exe
2872	locaopti.exe
2856	adobsys.exe
2872	locaopti.exe
2856	adobsys.exe
2872	locaopti.exe
2856	adobsys.exe
2872	locaopti.exe
2856	adobsys.exe
2872	locaopti.exe
2856	adobsys.exe
2872	locaopti.exe
2856	adobsys.exe
2872	locaopti.exe
2856	adobsys.exe
2872	locaopti.exe
2856	adobsys.exe
2872	locaopti.exe
2856	adobsys.exe
2872	locaopti.exe
2856	adobsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 2872	2272	ed3185b41aacffe090bde376d9b43560N.exe	30
PID 2272 wrote to memory of 2872	2272	ed3185b41aacffe090bde376d9b43560N.exe	30
PID 2272 wrote to memory of 2872	2272	ed3185b41aacffe090bde376d9b43560N.exe	30
PID 2272 wrote to memory of 2872	2272	ed3185b41aacffe090bde376d9b43560N.exe	30
PID 2272 wrote to memory of 2856	2272	ed3185b41aacffe090bde376d9b43560N.exe	31
PID 2272 wrote to memory of 2856	2272	ed3185b41aacffe090bde376d9b43560N.exe	31
PID 2272 wrote to memory of 2856	2272	ed3185b41aacffe090bde376d9b43560N.exe	31
PID 2272 wrote to memory of 2856	2272	ed3185b41aacffe090bde376d9b43560N.exe	31

C:\Users\Admin\AppData\Local\Temp\ed3185b41aacffe090bde376d9b43560N.exe
"C:\Users\Admin\AppData\Local\Temp\ed3185b41aacffe090bde376d9b43560N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2872
- C:\UserDot7M\adobsys.exe
  C:\UserDot7M\adobsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\UserDot7M\adobsys.exe

Filesize
2.6MB

MD5
1d9261ad71093590c5212cb83d6dcd26

SHA1
75715ac3d9e676dc22ddb0cdfa893b4764e2037b

SHA256
0c58831cb3a0f92c7384a9cae5c5e3677173c9d1a5475d3b0676fcd51a0decea

SHA512
4a14391294f75fb34dd96a54205b16c6957bd357157ae660d5bfafec1b2f3d9b11d38e0aa31d9f3d98fbd335a20486974211f43e137c11f4674f3a73ca8ce1f2

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
172B

MD5
e8ac570456f7c4302697a73836f56acf

SHA1
d3cf9fedceed43a5532cbed73a07aacaea06c4f6

SHA256
ef8a5d1655745fc427e9462267dac9b6fa0f33a2a89ba30605865f950ceaf3e3

SHA512
2077345a5f2511bf3fccbde9a4d067764fad64b65d9eb1b4be9ab49f797bb89c8799e8f299577630528f5fa625ce6e4dded166a03a242b1f98fbe57fa8117096

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
657b6807937eb7d8c1ce037c92af5a15

SHA1
ec07d0fd6993d30bf844ee994b30967ccbdcbe5b

SHA256
d2d5650a61018f424e0824608ecc5120c7412934f300e13d75f33c4a87139a96

SHA512
459e43b28f462cc0e7ec453854f11069f24326e4e6318af4928c57dd9b64caff8888c71bb826b03e962270a4168f6ab3f38b6af9f869b7fdbff40bd4da4de541

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe

Filesize
2.6MB

MD5
c787a62b16420fa68da2fa58667c7683

SHA1
b295cc8b4711dc769de64741c4ee430a40819c51

SHA256
fa347e10241324a81e302fe7161d6cc8cbed642f269596b12c7e4e4b25b93f8d

SHA512
5a9d7721b4aa0940ab8e98e6e03cfbd79df1e33cbe935211b8267edf48893773a39cd78bb700722f447e6d164f997610690a8f8aa34b715314630d28f4736028

Download Submit
C:\VidZH\optidevec.exe

Filesize
2.2MB

MD5
a2827cb0a498293213757fbdbde5de52

SHA1
00eb80e17c75e8e8af4da7f074f0515a4675e2f7

SHA256
cea03689c8be329bb00740b7b6a92feb10a584a59313b6c62b43c96f8ff29caa

SHA512
b07b236bbf343c659c0272beb4005c3433a6bf4d4b91ea4e40d0f81b02981653362e5274fd0bd5586c1c6a05db86ba27b6b3600bf2cf9462d067e92205aed2ec

Download Submit
C:\VidZH\optidevec.exe

Filesize
11KB

MD5
3193f6732970f64ca3094d85171d7380

SHA1
0d2f450337cb69eafa727d6d6de40feb0750ba1d

SHA256
e09faa78045b943266c903ad6e7b69a1069ca062bfda7c5f794f8e9e7eb9ad9b

SHA512
b23afd97dc8f9fe6ddb53b3a780345bde4ea50f989055db34d69d243649f4b7cb2c2c4429e9fa318a396fe363aaa923f2c261ba475390673664ac4fda7c5b3f8

Download Submit