98df5929746b5a9843f8f1396506f6033b30a4267a65523c62d5ead0189bfc9a

Analysis

max time kernel
150s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13/09/2024, 00:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

98df5929746b5a9843f8f1396506f6033b30a4267a65523c62d5ead0189bfc9a.exe
Size

2.6MB
MD5

37862b8d08be0d8b3e5c24bf546f045e
SHA1

94586846c58c3ea3fc036e050b151f90617dfe8b
SHA256

98df5929746b5a9843f8f1396506f6033b30a4267a65523c62d5ead0189bfc9a
SHA512

917229846f2fc8b109356f66d58915694288001d86eef6243f82c2ceea42cb7764d4e3f9cba0f33cfa13d5b67f00a08642d4ca800e151636bb35c00aa02bb583
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB4B/bS:sxX7QnxrloE5dpUpDb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe	98df5929746b5a9843f8f1396506f6033b30a4267a65523c62d5ead0189bfc9a.exe

Executes dropped EXE 2 IoCs

pid	Process
4796	ecdevbod.exe
4988	aoptiloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesY2\\aoptiloc.exe"	98df5929746b5a9843f8f1396506f6033b30a4267a65523c62d5ead0189bfc9a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxXM\\dobaloc.exe"	98df5929746b5a9843f8f1396506f6033b30a4267a65523c62d5ead0189bfc9a.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecdevbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aoptiloc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	98df5929746b5a9843f8f1396506f6033b30a4267a65523c62d5ead0189bfc9a.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3872	98df5929746b5a9843f8f1396506f6033b30a4267a65523c62d5ead0189bfc9a.exe
3872	98df5929746b5a9843f8f1396506f6033b30a4267a65523c62d5ead0189bfc9a.exe
3872	98df5929746b5a9843f8f1396506f6033b30a4267a65523c62d5ead0189bfc9a.exe
3872	98df5929746b5a9843f8f1396506f6033b30a4267a65523c62d5ead0189bfc9a.exe
4796	ecdevbod.exe
4796	ecdevbod.exe
4988	aoptiloc.exe
4988	aoptiloc.exe
4796	ecdevbod.exe
4796	ecdevbod.exe
4988	aoptiloc.exe
4988	aoptiloc.exe
4796	ecdevbod.exe
4796	ecdevbod.exe
4988	aoptiloc.exe
4988	aoptiloc.exe
4796	ecdevbod.exe
4796	ecdevbod.exe
4988	aoptiloc.exe
4988	aoptiloc.exe
4796	ecdevbod.exe
4796	ecdevbod.exe
4988	aoptiloc.exe
4988	aoptiloc.exe
4796	ecdevbod.exe
4796	ecdevbod.exe
4988	aoptiloc.exe
4988	aoptiloc.exe
4796	ecdevbod.exe
4796	ecdevbod.exe
4988	aoptiloc.exe
4988	aoptiloc.exe
4796	ecdevbod.exe
4796	ecdevbod.exe
4988	aoptiloc.exe
4988	aoptiloc.exe
4796	ecdevbod.exe
4796	ecdevbod.exe
4988	aoptiloc.exe
4988	aoptiloc.exe
4796	ecdevbod.exe
4796	ecdevbod.exe
4988	aoptiloc.exe
4988	aoptiloc.exe
4796	ecdevbod.exe
4796	ecdevbod.exe
4988	aoptiloc.exe
4988	aoptiloc.exe
4796	ecdevbod.exe
4796	ecdevbod.exe
4988	aoptiloc.exe
4988	aoptiloc.exe
4796	ecdevbod.exe
4796	ecdevbod.exe
4988	aoptiloc.exe
4988	aoptiloc.exe
4796	ecdevbod.exe
4796	ecdevbod.exe
4988	aoptiloc.exe
4988	aoptiloc.exe
4796	ecdevbod.exe
4796	ecdevbod.exe
4988	aoptiloc.exe
4988	aoptiloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3872 wrote to memory of 4796	3872	98df5929746b5a9843f8f1396506f6033b30a4267a65523c62d5ead0189bfc9a.exe	87
PID 3872 wrote to memory of 4796	3872	98df5929746b5a9843f8f1396506f6033b30a4267a65523c62d5ead0189bfc9a.exe	87
PID 3872 wrote to memory of 4796	3872	98df5929746b5a9843f8f1396506f6033b30a4267a65523c62d5ead0189bfc9a.exe	87
PID 3872 wrote to memory of 4988	3872	98df5929746b5a9843f8f1396506f6033b30a4267a65523c62d5ead0189bfc9a.exe	88
PID 3872 wrote to memory of 4988	3872	98df5929746b5a9843f8f1396506f6033b30a4267a65523c62d5ead0189bfc9a.exe	88
PID 3872 wrote to memory of 4988	3872	98df5929746b5a9843f8f1396506f6033b30a4267a65523c62d5ead0189bfc9a.exe	88

C:\Users\Admin\AppData\Local\Temp\98df5929746b5a9843f8f1396506f6033b30a4267a65523c62d5ead0189bfc9a.exe
"C:\Users\Admin\AppData\Local\Temp\98df5929746b5a9843f8f1396506f6033b30a4267a65523c62d5ead0189bfc9a.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3872
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4796
- C:\FilesY2\aoptiloc.exe
  C:\FilesY2\aoptiloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesY2\aoptiloc.exe

Filesize
20KB

MD5
2873fb57ea06e0913c9b5dde7bd73c2d

SHA1
c2794b886d0f3c44e805ffe343756fd81b5c87ec

SHA256
08bfacea5ca3a11f935a3a68ac2abceac42a731bd3c8bbb834bb6471d43f4587

SHA512
9db7ab2c48ad7fd8125df8c24bb1613169cdf1b762ad2552a31ad27ecfb1c9fca9350c4a31f167fa663450d181ba96804fc03f9938c7eea125d4b5efde338d76

Download Submit
C:\FilesY2\aoptiloc.exe

Filesize
2.6MB

MD5
7a5dea309bcd26f7e269cdc015842efc

SHA1
47862e47e6b91d6356d98ade14c1f02f0523dadb

SHA256
b11112d26e56026623a9b99c50c34937612fcb3317642476c76a43898a9d5364

SHA512
59eeea85933dc53f1405370713edbcfbf85cdfa6c77cf021c53ca099658880d35be3467321100093a6f542a1b96a3b16bcf9d1e0b99acffa10edfb5bad28bf50

Download Submit
C:\GalaxXM\dobaloc.exe

Filesize
19KB

MD5
8722a447f61ffe9d22d59fd0342ccf10

SHA1
826bbfbb0ed172381a61dc1904ae4ed9c90d02ae

SHA256
e5ea5445b1355be949760b8d3409b4aa831b521e8828d60b254e6c91b67800de

SHA512
2dfe8e4a37d48d578fb19ab4c43ba773635f285acae7f154930f240179812021c46c16eb3a4fa7a846e4f8bee98eff71eceaabb882cb45162a223ea0724956fa

Download Submit
C:\GalaxXM\dobaloc.exe

Filesize
2.6MB

MD5
9f56cfc9dcfa878708613d03dc035d21

SHA1
77019a2b0602d0e67c9336ece12976afdfc47aee

SHA256
2e6895fcf67defca9b7539b29dc520126b978ca167575902f55d2310d3d81596

SHA512
b085870d92168d1505c65212fe7faf58b3322b2721ef269146f2314884735ad358574ec850781822be506a628a5d3ef3b110891c33b3a22b31410bac7ae9baae

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
4b50843ad70fee194b9eeef952e487b9

SHA1
0d138af89a29d8744473d2af4c4ed1bf81c4b874

SHA256
1855bd1729b4a97c3ee3062dcb87baffdb632cc6d9976d258be99eb86fa30724

SHA512
58ff80447471ae3e679e0546d478a6bd1222adac7a69b6a81e37a9ef8381b422ab90a9e0dc1dbe6343176c830b006a2e8cb36428e001b12f4f63b8831c05cc42

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
171B

MD5
176038954c338528799747579280ac33

SHA1
4208e734d0479a0ac1a8dd9b3075d4d1add87192

SHA256
7276c10f396210b8347efe2bfd291dc7b37bd33746558d8b53351a8528a8742f

SHA512
2462813d0d90c766db58b16d67e48eea4d60105c8f19ff15a615ec3a4a8c3ed2fed255f5b62fc288e52f9b1a35dec64230c22d7581eafaeef7691542d8fab091

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe

Filesize
2.6MB

MD5
d5d303b167949a0b106fd55f31b7fdcc

SHA1
30463b18a84ab6fa943946a68d770fe51b96c15f

SHA256
eab2509643621a5eeb09cdca0ea28cc2e4feee707e26dd96f2265ce058347bb3

SHA512
26544d2336b4e515766c558ded575e2ec58742426a7211a9469c92cce54b93d29edfff79098d7013016caf17f3bc5e76e6ab597a1beca4c6ff4e75cf608db3db

Download Submit