18d9e6e4776e3b8b5a2eca7143cbc31e344387419f7d336ffbdba2c6f71346be

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11/09/2024, 16:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9916257fef89c7a9962da8536cd868b0N.exe
Size

2.6MB
MD5

9916257fef89c7a9962da8536cd868b0
SHA1

0ba8ef9222931e78525baeba5622aa42fd3a86f8
SHA256

18d9e6e4776e3b8b5a2eca7143cbc31e344387419f7d336ffbdba2c6f71346be
SHA512

8d2cde92bfa66665c2c930c3aef640b8f5350a80e4a3a62b41896a74d72479971bddeed6fb46167e3df7273e0e1f3da8769e108aa7fb471f213564b89f94cb19
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBLB/bS:sxX7QnxrloE5dpUpUb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe	9916257fef89c7a9962da8536cd868b0N.exe

Executes dropped EXE 2 IoCs

pid	Process
2712	locxdob.exe
2672	aoptiec.exe

Loads dropped DLL 2 IoCs

pid	Process
2664	9916257fef89c7a9962da8536cd868b0N.exe
2664	9916257fef89c7a9962da8536cd868b0N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv12\\aoptiec.exe"	9916257fef89c7a9962da8536cd868b0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxLA\\optiasys.exe"	9916257fef89c7a9962da8536cd868b0N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9916257fef89c7a9962da8536cd868b0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locxdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aoptiec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2664	9916257fef89c7a9962da8536cd868b0N.exe
2664	9916257fef89c7a9962da8536cd868b0N.exe
2712	locxdob.exe
2672	aoptiec.exe
2712	locxdob.exe
2672	aoptiec.exe
2712	locxdob.exe
2672	aoptiec.exe
2712	locxdob.exe
2672	aoptiec.exe
2712	locxdob.exe
2672	aoptiec.exe
2712	locxdob.exe
2672	aoptiec.exe
2712	locxdob.exe
2672	aoptiec.exe
2712	locxdob.exe
2672	aoptiec.exe
2712	locxdob.exe
2672	aoptiec.exe
2712	locxdob.exe
2672	aoptiec.exe
2712	locxdob.exe
2672	aoptiec.exe
2712	locxdob.exe
2672	aoptiec.exe
2712	locxdob.exe
2672	aoptiec.exe
2712	locxdob.exe
2672	aoptiec.exe
2712	locxdob.exe
2672	aoptiec.exe
2712	locxdob.exe
2672	aoptiec.exe
2712	locxdob.exe
2672	aoptiec.exe
2712	locxdob.exe
2672	aoptiec.exe
2712	locxdob.exe
2672	aoptiec.exe
2712	locxdob.exe
2672	aoptiec.exe
2712	locxdob.exe
2672	aoptiec.exe
2712	locxdob.exe
2672	aoptiec.exe
2712	locxdob.exe
2672	aoptiec.exe
2712	locxdob.exe
2672	aoptiec.exe
2712	locxdob.exe
2672	aoptiec.exe
2712	locxdob.exe
2672	aoptiec.exe
2712	locxdob.exe
2672	aoptiec.exe
2712	locxdob.exe
2672	aoptiec.exe
2712	locxdob.exe
2672	aoptiec.exe
2712	locxdob.exe
2672	aoptiec.exe
2712	locxdob.exe
2672	aoptiec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2664 wrote to memory of 2712	2664	9916257fef89c7a9962da8536cd868b0N.exe	31
PID 2664 wrote to memory of 2712	2664	9916257fef89c7a9962da8536cd868b0N.exe	31
PID 2664 wrote to memory of 2712	2664	9916257fef89c7a9962da8536cd868b0N.exe	31
PID 2664 wrote to memory of 2712	2664	9916257fef89c7a9962da8536cd868b0N.exe	31
PID 2664 wrote to memory of 2672	2664	9916257fef89c7a9962da8536cd868b0N.exe	32
PID 2664 wrote to memory of 2672	2664	9916257fef89c7a9962da8536cd868b0N.exe	32
PID 2664 wrote to memory of 2672	2664	9916257fef89c7a9962da8536cd868b0N.exe	32
PID 2664 wrote to memory of 2672	2664	9916257fef89c7a9962da8536cd868b0N.exe	32

C:\Users\Admin\AppData\Local\Temp\9916257fef89c7a9962da8536cd868b0N.exe
"C:\Users\Admin\AppData\Local\Temp\9916257fef89c7a9962da8536cd868b0N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2712
- C:\SysDrv12\aoptiec.exe
  C:\SysDrv12\aoptiec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxLA\optiasys.exe

Filesize
1.8MB

MD5
a11f76255b9ca6234bfd6aa66474643d

SHA1
e3cc3fe2e8e1a624e3288e828320a33d91a8d733

SHA256
2a97025511d98dd7e5dd0d7449ac38752616c9d970792c41fea246edadffc1d6

SHA512
5b3ad563c733fb5554189481e067a3fcec5460f763afe6445d5eb45bde640f5543a6c59de55edeb77e6711b5792e8c3ee8001ab9a7d7f8f8fcdcc56932530c56

Download Submit
C:\GalaxLA\optiasys.exe

Filesize
2.6MB

MD5
8bf6a03e481473c52711822651039dbd

SHA1
1b60df2cca3424c22bbe49ad8e9ee940beae815f

SHA256
d06c72644744f24f714e04ecb28f2403b2b1f9dd8410268baaf31fdd76f6d591

SHA512
3a4b246ac349ece5d25c876b8691ba11fa465161613081cde4d1e236c1a3d6d1abff4a1ca2ba8d99252df9e679453476296fea6d5b37a29805f88bd99dd0f65b

Download Submit
C:\SysDrv12\aoptiec.exe

Filesize
2.6MB

MD5
6786c9eb9c5a2a6b30d0da5e1481b914

SHA1
38fd12d59bfe4e505df8b5d070614755911b12e1

SHA256
dec677191e319137dd420ba1c0ea7cd52161da1cd8147c6620ca0c8715ca23aa

SHA512
609ef24e6a637ec8b88e560b3301df7ab53e7fbbd7e7b858357256f5382a2d1fbf2f5105f4eede57682df55c75750f8562cd224083caf00d6c112bb962f436aa

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
171B

MD5
105e7c9b12941c468fc27af3f596e333

SHA1
b2d665cfb313b54f4844d5695d60dfcb8e91152a

SHA256
b2a18eedbe18ae7af3a7227a5458839f3a36fdd7ce979d1abd6e6e6d6ae73e5e

SHA512
8ba8efdd9daaa5e6cf6f62711ffbbdf1fc57aeb31b07f0c7e7989e0152b5eb1350a81e479eab0f32a4529d4dc7d4b3768e4bf66aeef18535adf4cb450d67965c

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
6e16ce20089c6774affc59bfeeaf6e67

SHA1
0e7ff72d46bade0926f6fe5b9350bb4a5d4b6e57

SHA256
dd3b37fd541c4adbe34086f670b7a889bdf90af8271dc5d383b2557bf3d6dfa8

SHA512
e6c7f794bba442c6e08917d5e419a899ac5b7049158a0d6ff505a80444a7512777b3ccce969e96a0e6d20a8dadab768d355f7ae721f8f5565130fda3b393dd86

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe

Filesize
2.6MB

MD5
e5765137034b9d365660819bec3c730b

SHA1
f3bdf4a8a4e0a22df363d3479166580f3c33b2f2

SHA256
d3fb46bf43e4af7fb4e79d6dac02a3f3e8df26d3a1ad5000e1bf419f4698010a

SHA512
4677c8c515ed30629f6a16aad7658946e6cb5a982e086edc273b92059168a40ab6860e55479cbc80c0fc85bdbff9fbcc0313a391292735621a5b0d9a85461b5e

Download Submit