6b6e925ef9c1740711034eee6ae66ca208d219b8fb8fb93b561070aec3e83a5b

Analysis

max time kernel
119s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11/09/2024, 10:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a8daa92e55bf522c3ea32db9e7b85a50N.exe
Size

3.1MB
MD5

a8daa92e55bf522c3ea32db9e7b85a50
SHA1

472806c86ca4f06f8f8115a764cc149ba64cfc29
SHA256

6b6e925ef9c1740711034eee6ae66ca208d219b8fb8fb93b561070aec3e83a5b
SHA512

10092873245de0933ac696aa0d7072ee81eaf78787a2f19eb98d58f908f36c66e60d84cef6dd174d318a64f55b4543bd8b7d04eaf2278a2e618e5b6672043cd3
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBPB/bSqz8b6LNXJqI20:sxX7QnxrloE5dpUp0bVz8eLFcz

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe	a8daa92e55bf522c3ea32db9e7b85a50N.exe

Executes dropped EXE 2 IoCs

pid	Process
760	ecdevopti.exe
1944	aoptiec.exe

Loads dropped DLL 2 IoCs

pid	Process
2348	a8daa92e55bf522c3ea32db9e7b85a50N.exe
2348	a8daa92e55bf522c3ea32db9e7b85a50N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidOM\\optidevloc.exe"	a8daa92e55bf522c3ea32db9e7b85a50N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotEZ\\aoptiec.exe"	a8daa92e55bf522c3ea32db9e7b85a50N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a8daa92e55bf522c3ea32db9e7b85a50N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecdevopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aoptiec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2348	a8daa92e55bf522c3ea32db9e7b85a50N.exe
2348	a8daa92e55bf522c3ea32db9e7b85a50N.exe
760	ecdevopti.exe
1944	aoptiec.exe
760	ecdevopti.exe
1944	aoptiec.exe
760	ecdevopti.exe
1944	aoptiec.exe
760	ecdevopti.exe
1944	aoptiec.exe
760	ecdevopti.exe
1944	aoptiec.exe
760	ecdevopti.exe
1944	aoptiec.exe
760	ecdevopti.exe
1944	aoptiec.exe
760	ecdevopti.exe
1944	aoptiec.exe
760	ecdevopti.exe
1944	aoptiec.exe
760	ecdevopti.exe
1944	aoptiec.exe
760	ecdevopti.exe
1944	aoptiec.exe
760	ecdevopti.exe
1944	aoptiec.exe
760	ecdevopti.exe
1944	aoptiec.exe
760	ecdevopti.exe
1944	aoptiec.exe
760	ecdevopti.exe
1944	aoptiec.exe
760	ecdevopti.exe
1944	aoptiec.exe
760	ecdevopti.exe
1944	aoptiec.exe
760	ecdevopti.exe
1944	aoptiec.exe
760	ecdevopti.exe
1944	aoptiec.exe
760	ecdevopti.exe
1944	aoptiec.exe
760	ecdevopti.exe
1944	aoptiec.exe
760	ecdevopti.exe
1944	aoptiec.exe
760	ecdevopti.exe
1944	aoptiec.exe
760	ecdevopti.exe
1944	aoptiec.exe
760	ecdevopti.exe
1944	aoptiec.exe
760	ecdevopti.exe
1944	aoptiec.exe
760	ecdevopti.exe
1944	aoptiec.exe
760	ecdevopti.exe
1944	aoptiec.exe
760	ecdevopti.exe
1944	aoptiec.exe
760	ecdevopti.exe
1944	aoptiec.exe
760	ecdevopti.exe
1944	aoptiec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 760	2348	a8daa92e55bf522c3ea32db9e7b85a50N.exe	31
PID 2348 wrote to memory of 760	2348	a8daa92e55bf522c3ea32db9e7b85a50N.exe	31
PID 2348 wrote to memory of 760	2348	a8daa92e55bf522c3ea32db9e7b85a50N.exe	31
PID 2348 wrote to memory of 760	2348	a8daa92e55bf522c3ea32db9e7b85a50N.exe	31
PID 2348 wrote to memory of 1944	2348	a8daa92e55bf522c3ea32db9e7b85a50N.exe	32
PID 2348 wrote to memory of 1944	2348	a8daa92e55bf522c3ea32db9e7b85a50N.exe	32
PID 2348 wrote to memory of 1944	2348	a8daa92e55bf522c3ea32db9e7b85a50N.exe	32
PID 2348 wrote to memory of 1944	2348	a8daa92e55bf522c3ea32db9e7b85a50N.exe	32

C:\Users\Admin\AppData\Local\Temp\a8daa92e55bf522c3ea32db9e7b85a50N.exe
"C:\Users\Admin\AppData\Local\Temp\a8daa92e55bf522c3ea32db9e7b85a50N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:760
- C:\UserDotEZ\aoptiec.exe
  C:\UserDotEZ\aoptiec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\UserDotEZ\aoptiec.exe

Filesize
1.1MB

MD5
009bff6c1ac4700472df877132607e6b

SHA1
7cac0d3b4b5e3be89721f6c21a9aa946804bbf4a

SHA256
a702bd03274ecae9e73c49d888a00d994993bf532e90900ee560af987eb71c76

SHA512
4cf4ec4ba9851675474b27b1d7ab723262ba107c9244ec4fbdd71ff86a9749d42bd9d06744f7141ff1c2686d39f04833b6e1ab941edbe05e7a3fff524110b82c

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
174B

MD5
a42f8ec88a35fe3302deea40b42ccf6f

SHA1
47826dc37a8ed578c1873cfeffd580c80d990f6b

SHA256
3cdeaa349b81a14ce74fb98e50cee0d90f54fcc08bbab0cd6984090c1cfa1cf0

SHA512
01f0f5a092e0a80ca0dfe41d828b42faa9f1a4322dce56b015ca884c178ba86f814ec0fee91860f58bdfc6945cb32947d5c20aae7d85d3af9cb98c680b208e7f

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
206B

MD5
040ad9608fc8ecfa178f1711c782dbe9

SHA1
272bf5cacab194f125f2e22013eb83d0c1ad3187

SHA256
879ece266a5181e0df0dd2468e9a8eb174c6976c2ab36d98afaa380afdde8daa

SHA512
a38d82e8275917f22a63ed696349b3d2993a9b1478d526cf64bfe7ef31f729122413535f4306cca071bee09a46c430c7d99138a846ede429c850ba5f405b2a4f

Download Submit
C:\VidOM\optidevloc.exe

Filesize
199KB

MD5
9f8701b076829265f0acd822a2e2cd30

SHA1
35f5d70a8c91aa5d96a7101adea42f00dba7a550

SHA256
f95002daefacdb7fb8742deb4057c64c1b0887d74dfaaf82eee4a978ed49021d

SHA512
7960b5709a0a7b5dec2e68724959e2f2e04ce8c4f75828853d36ce47b1cea444382f0c061c2ba056f36e53cae8b43c8049148b9386ca6e421c18943fd8207d11

Download Submit
C:\VidOM\optidevloc.exe

Filesize
3.1MB

MD5
7d16c8e82b3603d06faca673817c4482

SHA1
b0d1d3e043c1ff7dfb6e9d81b374bf96162548cb

SHA256
72e3c32df020394d4b6cd57a7c2a97d7a08b599214897684de8484c5d1e7ae14

SHA512
b10aeb4175fe410d7c2b893e253cddadec72c04b24202dd26b149f744bf4236b4662aa28ef9070230a12337620b7124161422507c8553ae5b8f1bdce4996ea70

Download Submit
\UserDotEZ\aoptiec.exe

Filesize
3.1MB

MD5
dbf18ae57bfb3b8aef151b92c5209d4a

SHA1
f10ae92e960feb77365991b6562f0030a1171956

SHA256
1e36420d3f1ec2e30803813974a8cfd05ff9e5985c230f7da7f00597cb3b3f99

SHA512
18403bb739b212ffb2792ca2fad10636970a10807332f65266ba223e299617cfe1255413fef6e1d488136ff05489e229ccfbc41e0e703877a35171ba584dd090

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe

Filesize
3.1MB

MD5
e14648f61ff4f0c04b523ba81da269b1

SHA1
27c1a802c88048bb5084dd460b19202869105dac

SHA256
168358b8fbbdff006b0c36d6aa329ad6382bdb39d6e6fd10bf8d5c5ae2212d88

SHA512
36e18b1b78c35df6ad1135789677c9ff57cd3b35213e0c9673967f1a6488d02c542f020f74d96916be258bd5b2a2b11fd8514603725b1678ad9a700c140fb1be

Download Submit