67e3fb3193427369cf6cfdc2084a95ffde2ec3b8d739fe5a1f8d45bde8ce377d

Analysis

max time kernel
120s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14-09-2024 02:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06835cff0c4a008d639c5d2747284940N.exe
Size

2.6MB
MD5

06835cff0c4a008d639c5d2747284940
SHA1

06979f10baa4ac7e38e651c5b2faa3347f19afef
SHA256

67e3fb3193427369cf6cfdc2084a95ffde2ec3b8d739fe5a1f8d45bde8ce377d
SHA512

36ecef71efbded860ce8229a479579a3e86b060d4669fe62a11a3f6281eb191d66b0efaa6906c3b57f9a1a0417d57dc294eccbfe9570509cf21c841f3502ba9c
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBlB/bS:sxX7QnxrloE5dpUpyb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe	06835cff0c4a008d639c5d2747284940N.exe

Executes dropped EXE 2 IoCs

pid	Process
3924	locxopti.exe
2064	aoptiec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeK4\\aoptiec.exe"	06835cff0c4a008d639c5d2747284940N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintFR\\boddevloc.exe"	06835cff0c4a008d639c5d2747284940N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	06835cff0c4a008d639c5d2747284940N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locxopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aoptiec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3428	06835cff0c4a008d639c5d2747284940N.exe
3428	06835cff0c4a008d639c5d2747284940N.exe
3428	06835cff0c4a008d639c5d2747284940N.exe
3428	06835cff0c4a008d639c5d2747284940N.exe
3924	locxopti.exe
3924	locxopti.exe
2064	aoptiec.exe
2064	aoptiec.exe
3924	locxopti.exe
3924	locxopti.exe
2064	aoptiec.exe
2064	aoptiec.exe
3924	locxopti.exe
3924	locxopti.exe
2064	aoptiec.exe
2064	aoptiec.exe
3924	locxopti.exe
3924	locxopti.exe
2064	aoptiec.exe
2064	aoptiec.exe
3924	locxopti.exe
3924	locxopti.exe
2064	aoptiec.exe
2064	aoptiec.exe
3924	locxopti.exe
3924	locxopti.exe
2064	aoptiec.exe
2064	aoptiec.exe
3924	locxopti.exe
3924	locxopti.exe
2064	aoptiec.exe
2064	aoptiec.exe
3924	locxopti.exe
3924	locxopti.exe
2064	aoptiec.exe
2064	aoptiec.exe
3924	locxopti.exe
3924	locxopti.exe
2064	aoptiec.exe
2064	aoptiec.exe
3924	locxopti.exe
3924	locxopti.exe
2064	aoptiec.exe
2064	aoptiec.exe
3924	locxopti.exe
3924	locxopti.exe
2064	aoptiec.exe
2064	aoptiec.exe
3924	locxopti.exe
3924	locxopti.exe
2064	aoptiec.exe
2064	aoptiec.exe
3924	locxopti.exe
3924	locxopti.exe
2064	aoptiec.exe
2064	aoptiec.exe
3924	locxopti.exe
3924	locxopti.exe
2064	aoptiec.exe
2064	aoptiec.exe
3924	locxopti.exe
3924	locxopti.exe
2064	aoptiec.exe
2064	aoptiec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3428 wrote to memory of 3924	3428	06835cff0c4a008d639c5d2747284940N.exe	88
PID 3428 wrote to memory of 3924	3428	06835cff0c4a008d639c5d2747284940N.exe	88
PID 3428 wrote to memory of 3924	3428	06835cff0c4a008d639c5d2747284940N.exe	88
PID 3428 wrote to memory of 2064	3428	06835cff0c4a008d639c5d2747284940N.exe	89
PID 3428 wrote to memory of 2064	3428	06835cff0c4a008d639c5d2747284940N.exe	89
PID 3428 wrote to memory of 2064	3428	06835cff0c4a008d639c5d2747284940N.exe	89

C:\Users\Admin\AppData\Local\Temp\06835cff0c4a008d639c5d2747284940N.exe
"C:\Users\Admin\AppData\Local\Temp\06835cff0c4a008d639c5d2747284940N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3428
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3924
- C:\AdobeK4\aoptiec.exe
  C:\AdobeK4\aoptiec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeK4\aoptiec.exe

Filesize
2.6MB

MD5
f61e92cabba8204f003cde773906c98e

SHA1
82bd82cce63dadf535c637ad1c13163ec6e18934

SHA256
9e7fd8ef4898f25caf7993dd91e45f0ea2f6ffc0fab10b41474c2c8ada9f2cb8

SHA512
2502dbcf02d00a450d292304522a7cfe502ca2014e3d144fa8d0630d371654f9ff19e70bf5064c1938f6edb0da5d8dc3ebe17cf935dcf7a75f67f45dc2d1d522

Download Submit
C:\MintFR\boddevloc.exe

Filesize
2.6MB

MD5
9b03ab87524ff239299b46b642e54dbf

SHA1
2b045055968884d9ce9f6ea8d014ea115b16d5cf

SHA256
c044e9f52cbc789019399f14220c17d6962b8bca72df8706ed14b2e4ad772f55

SHA512
237a0fbbd9795379f72d7309ba7dd7fe44c92065bc6ecf5c4ab8020611f5cb42a61ceb8328016a9b4e58847a006e7ea8d91b5477847873889ededa75e3c28ff8

Download Submit
C:\MintFR\boddevloc.exe

Filesize
2.6MB

MD5
65bdedc2f270fa0542f341a8661a5215

SHA1
2b74d24e3776ac5e9045454e33d1d3424da6eb49

SHA256
da9d094ee3b77b055129d811e4ef44247aea075e950242db91d1864a219a9b55

SHA512
eb188a0a2783bc395d1e657f70b6c18286f4faff917aa0c83af270bd1602bb17d34a4862f5ebc353273e302a2903252feeab34a9754e5a8b58a5131d8762d4a0

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
a846371aa6e633f259f09df0ba7016f3

SHA1
712d4dbec5c3de0e2e073458c1d4fd7a4b78714d

SHA256
13e88cb686431fde9d59adc4384a02092cbead45347287ccbe8816a89e03f92d

SHA512
0b0c621c54c77a4c10df22f2cd46d9a131181138f56547c98a4b512741d429a06c6d146fe9bb98b08f0a99560cc52a38bca8987f6082f1847171c57b8f2bd1b1

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
171B

MD5
0970ab8a23ddc3e6fd06f06057c6dfa9

SHA1
8888b15c97cd1a8f1feb2e500fce643626e5e999

SHA256
7e4d67a586baf87bbd9c9b28bbc33b66089d352e74dd10815ce5ae93f387ce58

SHA512
2c3904961f7f53cf5880d488ed3935810ed1bb2787d52cca00e5173fea3bcd365e391dbdfcf59da83e14e05eef818ec0f0752ed598b2278470994a22161f587d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe

Filesize
2.6MB

MD5
44c7c10d4fce282af2f3e836796ed60e

SHA1
ace8c5a27671f5717d57a0298254050218af4abc

SHA256
0cde8693ac68393181f364144d4b06aa16fbe60377baadbeec50b1a7dee026d3

SHA512
0a191d9583d496ee0e3c688fc17918e74b860b4f6388d6353ec6d35fdbb2f33d264abaf592a9b89fffe4816df7020d353a037d85b674b0d38c87a780c14a4268

Download Submit