ed4802945ebf698bc3f4f5fd2b781dc8129a64a67240447ad575bfa06861dc27

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 03:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ed4802945ebf698bc3f4f5fd2b781dc8129a64a67240447ad575bfa06861dc27.exe
Size

2.6MB
MD5

3e38cc57d56864db00de4ffed702c1a0
SHA1

5e8faf9126e8570be101fcfacb4d3e36e864b2ae
SHA256

ed4802945ebf698bc3f4f5fd2b781dc8129a64a67240447ad575bfa06861dc27
SHA512

90688a4095a636cf9b7eddecef000e32061f1afd19f44e706db99000152b243b4e477400ed0b271b45741488872cf1c57f16abf712b66e3e8f71980af8bac4f2
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBKB/bS:sxX7QnxrloE5dpUpJb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe	ed4802945ebf698bc3f4f5fd2b781dc8129a64a67240447ad575bfa06861dc27.exe

Executes dropped EXE 2 IoCs

pid	Process
2632	locaopti.exe
2608	abodsys.exe

Loads dropped DLL 2 IoCs

pid	Process
2200	ed4802945ebf698bc3f4f5fd2b781dc8129a64a67240447ad575bfa06861dc27.exe
2200	ed4802945ebf698bc3f4f5fd2b781dc8129a64a67240447ad575bfa06861dc27.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZMM\\optidevloc.exe"	ed4802945ebf698bc3f4f5fd2b781dc8129a64a67240447ad575bfa06861dc27.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvHR\\abodsys.exe"	ed4802945ebf698bc3f4f5fd2b781dc8129a64a67240447ad575bfa06861dc27.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ed4802945ebf698bc3f4f5fd2b781dc8129a64a67240447ad575bfa06861dc27.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locaopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abodsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2200	ed4802945ebf698bc3f4f5fd2b781dc8129a64a67240447ad575bfa06861dc27.exe
2200	ed4802945ebf698bc3f4f5fd2b781dc8129a64a67240447ad575bfa06861dc27.exe
2632	locaopti.exe
2608	abodsys.exe
2632	locaopti.exe
2608	abodsys.exe
2632	locaopti.exe
2608	abodsys.exe
2632	locaopti.exe
2608	abodsys.exe
2632	locaopti.exe
2608	abodsys.exe
2632	locaopti.exe
2608	abodsys.exe
2632	locaopti.exe
2608	abodsys.exe
2632	locaopti.exe
2608	abodsys.exe
2632	locaopti.exe
2608	abodsys.exe
2632	locaopti.exe
2608	abodsys.exe
2632	locaopti.exe
2608	abodsys.exe
2632	locaopti.exe
2608	abodsys.exe
2632	locaopti.exe
2608	abodsys.exe
2632	locaopti.exe
2608	abodsys.exe
2632	locaopti.exe
2608	abodsys.exe
2632	locaopti.exe
2608	abodsys.exe
2632	locaopti.exe
2608	abodsys.exe
2632	locaopti.exe
2608	abodsys.exe
2632	locaopti.exe
2608	abodsys.exe
2632	locaopti.exe
2608	abodsys.exe
2632	locaopti.exe
2608	abodsys.exe
2632	locaopti.exe
2608	abodsys.exe
2632	locaopti.exe
2608	abodsys.exe
2632	locaopti.exe
2608	abodsys.exe
2632	locaopti.exe
2608	abodsys.exe
2632	locaopti.exe
2608	abodsys.exe
2632	locaopti.exe
2608	abodsys.exe
2632	locaopti.exe
2608	abodsys.exe
2632	locaopti.exe
2608	abodsys.exe
2632	locaopti.exe
2608	abodsys.exe
2632	locaopti.exe
2608	abodsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 2632	2200	ed4802945ebf698bc3f4f5fd2b781dc8129a64a67240447ad575bfa06861dc27.exe	30
PID 2200 wrote to memory of 2632	2200	ed4802945ebf698bc3f4f5fd2b781dc8129a64a67240447ad575bfa06861dc27.exe	30
PID 2200 wrote to memory of 2632	2200	ed4802945ebf698bc3f4f5fd2b781dc8129a64a67240447ad575bfa06861dc27.exe	30
PID 2200 wrote to memory of 2632	2200	ed4802945ebf698bc3f4f5fd2b781dc8129a64a67240447ad575bfa06861dc27.exe	30
PID 2200 wrote to memory of 2608	2200	ed4802945ebf698bc3f4f5fd2b781dc8129a64a67240447ad575bfa06861dc27.exe	31
PID 2200 wrote to memory of 2608	2200	ed4802945ebf698bc3f4f5fd2b781dc8129a64a67240447ad575bfa06861dc27.exe	31
PID 2200 wrote to memory of 2608	2200	ed4802945ebf698bc3f4f5fd2b781dc8129a64a67240447ad575bfa06861dc27.exe	31
PID 2200 wrote to memory of 2608	2200	ed4802945ebf698bc3f4f5fd2b781dc8129a64a67240447ad575bfa06861dc27.exe	31

C:\Users\Admin\AppData\Local\Temp\ed4802945ebf698bc3f4f5fd2b781dc8129a64a67240447ad575bfa06861dc27.exe
"C:\Users\Admin\AppData\Local\Temp\ed4802945ebf698bc3f4f5fd2b781dc8129a64a67240447ad575bfa06861dc27.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2632
- C:\SysDrvHR\abodsys.exe
  C:\SysDrvHR\abodsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZMM\optidevloc.exe

Filesize
2.6MB

MD5
51e4d53b25b72d0e8b423626136b3c1f

SHA1
78ddfadf7cbe2f47847ab73293bb63099c845196

SHA256
af492222b8fd4d5a9f053a9ef7f5cf33ba6bf623bdd26792dc96f30ec7cce7c0

SHA512
5d7e5bd6ae0067c2712bb4db9fbc1eefc1a37295a3291656ad160b87c91ec838ca0ffaff7ca7aeb4991367c9ed48e0f4c71cff5bd44b87c05eaa886f058daab3

Download Submit
C:\LabZMM\optidevloc.exe

Filesize
196KB

MD5
0c29802edbe59f477378111584f8d666

SHA1
376d441ad17af1ee864b6f2e79482f92f8507f13

SHA256
d3d4e82e3f29e1b74e06b072832d88cd17061426b16c6cadf70b2d8f1c080f6c

SHA512
539cabac7dfe858dffaa3226d9414ebad44f39c61bd1f803964cbbabe39c0429fdde470f93e443cd2c6effa38771535cba240b9c5fa5a1d7876f434193381815

Download Submit
C:\SysDrvHR\abodsys.exe

Filesize
2.6MB

MD5
8502f02afe73170d93d610bd28567a3d

SHA1
69b2d43f75253b5e15a47319d6416a4f3c66807e

SHA256
96fc8e50af696efcb39c63656800afb5612f8f17b95f3587c86dbc2661f05e19

SHA512
a8a91c78439c5f9af74623ee95d60a1092f221a70934e8267f8705545ed96435a040fd678a4ba87fe2a042ce17b9b47253d442747e336dee35137dd22a161d0f

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
173B

MD5
6922d023678b1058e21280b1c91e42bb

SHA1
86f6eb45cbdfdb146871e20f3cecff8e55902e91

SHA256
756e034bc938d0a2f5d5e5d9572f2f2d75b4f715b0ec4ec7145598c938900903

SHA512
ef3d136f60bd1de18e04e5cc7c9f59161fdfd70655754f03547113a05f579c72d70b650e23e5fe05ad455a623d1bebb8b37d924092d87a746550c4871b7af77a

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
205B

MD5
ad9da0aaf7efb58127bf1a19d24f22d2

SHA1
b38d2e1772494fa0f510c6efa54bead49f61337c

SHA256
0d367ebd215334a450f84a59ab7ddbab78aca0ea43e7bb86b3b9ec9508a82494

SHA512
2d6ae430b94c38e631444bf8641ba34f83312f1e863cc8f4207a0c5aaeb0fe49a0781662054bc51455512d74c0eaca96864cbd536c8f05237144a6bdc2dac971

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe

Filesize
2.6MB

MD5
886b06c3b5753385e80a2348923c497d

SHA1
f29128731a936d4e0c05ffa8881bf1907a9f1110

SHA256
813a3f06dd1a52f3a900401a63cdee811048f4a45fc6dae286eeb05e5f2f7f58

SHA512
905bb80557c9fa342aa26c4f4dc7d9e4bb4d302a60954f37c27975c07c58691eaaf830de2d135e0a51af5b16270a145aab6aa95c66d782c09ee429cabe32f62c

Download Submit