Analysis

  • max time kernel: 120s
  • max time network: 95s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240802-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 08/09/2024, 01:44

General

  • Target: 797f302eb010c6c8ff85f372edb92410N.exe
  • Size: 2.6MB
  • MD5: 797f302eb010c6c8ff85f372edb92410
  • SHA1: 70fb2fc504ae5565c78e15b6a74b768ed4fbbf7b
  • SHA256: 07f6a383dfe6a31199df51038d2499dbd60c5d87c3b31d33d4ce2496dc7e9d22
  • SHA512: 27559ff7e94fe88b10576db853421defce392c9545546a3d653da2da22c2c1e6529794e768878edc8f250c4ddc32e96b0c088e1e16b7a02de125d46be7706e18
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB0B/bS:sxX7QnxrloE5dpUpfb

Malware Config

Signatures

  • Credentials from Password Stores: Credentials from Web Browsers (1 TTP)
    Malicious access to, or copying of, a web browser credential store.
  • Drops startup file (1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)
    Infostealers often target stored browser data, which can include saved credentials and similar secrets.
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\797f302eb010c6c8ff85f372edb92410N.exe (PID 3588, depth 1)
    Command line: "C:\Users\Admin\AppData\Local\Temp\797f302eb010c6c8ff85f372edb92410N.exe"
    Signatures: Drops startup file; Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe (PID 3032, depth 2, child of PID 3588)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses
    • C:\Intelproc28\aoptiloc.exe (PID 4976, depth 2, child of PID 3588)
      Command line: C:\Intelproc28\aoptiloc.exe
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Intelproc28\aoptiloc.exe
    Filesize: 4KB
    MD5: ede40b36034d11420daf9b761d447622
    SHA1: 83e69cb72e12fd8ccd507bfa21133e1fca0fd5d7
    SHA256: 6e27085c9b049479ed4b5d515c82d49091d1d0d6a70cc1af4fe1e085816236d4
    SHA512: 0fc2330cfab1d7a2fa7e55f9cc177aa246de7f672540212721ca9232920652a2306906719e60af2bd37ca2fc9074d2244a5514fdc7f344e7c4006b4c69a75120

  • C:\Intelproc28\aoptiloc.exe
    Filesize: 2.6MB
    MD5: 383056743f4aaf74cc1d1bee1e6b78cb
    SHA1: 858c983f627e606681aea3111b313ff991a288b5
    SHA256: 24b58e480f865033ffa379026f52eeb51d5a99cb00539bbe8cdc1ac3c565ef96
    SHA512: a2b25d1cedf7b59f067cc7d12227f973011f2f8251c4cff6e1309f6210225311b649013893d4d34ccd2d93b41c258f4bc0ae38f34153d1cff22218666e0af8ba

  • C:\KaVBSP\optiasys.exe
    Filesize: 2.6MB
    MD5: 58ea7145ff1320d9bee7fe878f3d9bc2
    SHA1: 8f5a2dc10edf89c870dbe061c8bcc860cb2d8a11
    SHA256: e5f6435a1f9c2cefc387a828610fbc640d5890d870e59383c63b8bce7bc246a0
    SHA512: f9d76903fd07df0bfb9e3b45d71bb3236eaf343310a647eb9c9b9c81713d313d28059c6172e54fbd30119d6c45d76dbed11bb7a4cf61a58296b2bd4a0da7bc29

  • C:\KaVBSP\optiasys.exe
    Filesize: 2.6MB
    MD5: 0386f18ad1d26dccd89eb5cc3e6467b8
    SHA1: 7ae70e48eaabccd0d5e0b172f23a6437d547f4fd
    SHA256: 0e0fa690c1a137adc5d0ea8cd54b73d89269df1a1011f516bc653808cfc6eda7
    SHA512: 74c8bc9c49834b2776fbec5d0e2d5db1bfe7dbdea3aaae9c511ffa869ac924f8a5c2b5cb9986392462cef75e6f30c3f8595de6ee07acb1e20da3318c63e393a1

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 205B
    MD5: d1df6098c2d7687b169f5c55b284af40
    SHA1: 18dfb196cdc7708a157dfb5a5b0936a9d65cb97b
    SHA256: 889d4127a75b649fc2618c2bcc0f7a8422c72e14349837e450b1a375199ed92a
    SHA512: 76e77e9818dfcb20aaa3ba46a150b101047322bc5c758f326bc5797175ec728d83bd9ccab7d39f48bef366139214e2f799bf71c9f1fb84a32f6c0c94855db3a1

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 173B
    MD5: b01932c912b90c11ebbd554f976d0900
    SHA1: 921eb1e53ac7bd33829ff724c1cf903648340645
    SHA256: 34dceae3d4f9791a3ee7db4ad5c03eab37a114bee626fd199b36c843e73db27a
    SHA512: f6c7496751d5ef23e6add107b89696583e6e113b71ecf24496a0f57a78136c6db0e65aa55c7cc79915ac371e0386642ad4e5fc875580368fc3d8f2ac7f43eac2

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
    Filesize: 2.6MB
    MD5: 3bc56de4863421fc97afba8a3102d35b
    SHA1: 23a476d825e9961c14556c96d32cb358916768f4
    SHA256: e667ce9985d4ab96525756ef04c928c187c2a259dac82dcd1be2ab1eb7a3d237
    SHA512: d72f8d5cd3ae58b294f848c95d9b07ae7064daf1c97ceff09dac170ca30ecc84151d4d1766764dc9fb7c1053e8a0af3f7ab1a675154280c28e74497d5f8884f4