dcb10916b5fdb009243e513d8e29475ed17872d6a73e6ff3b5130da250c343ec

Analysis

max time kernel
120s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27/09/2024, 18:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dcb10916b5fdb009243e513d8e29475ed17872d6a73e6ff3b5130da250c343ecN.exe
Size

2.6MB
MD5

ba57559950dd5309f78fdc5de6696580
SHA1

fbae08a37991b06e9bea548db683ba3ef46bec54
SHA256

dcb10916b5fdb009243e513d8e29475ed17872d6a73e6ff3b5130da250c343ec
SHA512

f3349d9bd84722c6dc56acaf9bbc8870735d4cb3ef0a43d6e407303859b28107d98b91aa1f77d74f6c8302663778f9d796ed5bd1c4a71d3dea9eb474d7065188
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBKB/bS:sxX7QnxrloE5dpUpJb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe	dcb10916b5fdb009243e513d8e29475ed17872d6a73e6ff3b5130da250c343ecN.exe

Executes dropped EXE 2 IoCs

pid	Process
792	ecxopti.exe
2324	aoptiloc.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeIA\\aoptiloc.exe"	dcb10916b5fdb009243e513d8e29475ed17872d6a73e6ff3b5130da250c343ecN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidHO\\boddevloc.exe"	dcb10916b5fdb009243e513d8e29475ed17872d6a73e6ff3b5130da250c343ecN.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aoptiloc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dcb10916b5fdb009243e513d8e29475ed17872d6a73e6ff3b5130da250c343ecN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecxopti.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4860	dcb10916b5fdb009243e513d8e29475ed17872d6a73e6ff3b5130da250c343ecN.exe
4860	dcb10916b5fdb009243e513d8e29475ed17872d6a73e6ff3b5130da250c343ecN.exe
4860	dcb10916b5fdb009243e513d8e29475ed17872d6a73e6ff3b5130da250c343ecN.exe
4860	dcb10916b5fdb009243e513d8e29475ed17872d6a73e6ff3b5130da250c343ecN.exe
792	ecxopti.exe
792	ecxopti.exe
2324	aoptiloc.exe
2324	aoptiloc.exe
792	ecxopti.exe
792	ecxopti.exe
2324	aoptiloc.exe
2324	aoptiloc.exe
792	ecxopti.exe
792	ecxopti.exe
2324	aoptiloc.exe
2324	aoptiloc.exe
792	ecxopti.exe
792	ecxopti.exe
2324	aoptiloc.exe
2324	aoptiloc.exe
792	ecxopti.exe
792	ecxopti.exe
2324	aoptiloc.exe
2324	aoptiloc.exe
792	ecxopti.exe
792	ecxopti.exe
2324	aoptiloc.exe
2324	aoptiloc.exe
792	ecxopti.exe
792	ecxopti.exe
2324	aoptiloc.exe
2324	aoptiloc.exe
792	ecxopti.exe
792	ecxopti.exe
2324	aoptiloc.exe
2324	aoptiloc.exe
792	ecxopti.exe
792	ecxopti.exe
2324	aoptiloc.exe
2324	aoptiloc.exe
792	ecxopti.exe
792	ecxopti.exe
2324	aoptiloc.exe
2324	aoptiloc.exe
792	ecxopti.exe
792	ecxopti.exe
2324	aoptiloc.exe
2324	aoptiloc.exe
792	ecxopti.exe
792	ecxopti.exe
2324	aoptiloc.exe
2324	aoptiloc.exe
792	ecxopti.exe
792	ecxopti.exe
2324	aoptiloc.exe
2324	aoptiloc.exe
792	ecxopti.exe
792	ecxopti.exe
2324	aoptiloc.exe
2324	aoptiloc.exe
792	ecxopti.exe
792	ecxopti.exe
2324	aoptiloc.exe
2324	aoptiloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4860 wrote to memory of 792	4860	dcb10916b5fdb009243e513d8e29475ed17872d6a73e6ff3b5130da250c343ecN.exe	87
PID 4860 wrote to memory of 792	4860	dcb10916b5fdb009243e513d8e29475ed17872d6a73e6ff3b5130da250c343ecN.exe	87
PID 4860 wrote to memory of 792	4860	dcb10916b5fdb009243e513d8e29475ed17872d6a73e6ff3b5130da250c343ecN.exe	87
PID 4860 wrote to memory of 2324	4860	dcb10916b5fdb009243e513d8e29475ed17872d6a73e6ff3b5130da250c343ecN.exe	88
PID 4860 wrote to memory of 2324	4860	dcb10916b5fdb009243e513d8e29475ed17872d6a73e6ff3b5130da250c343ecN.exe	88
PID 4860 wrote to memory of 2324	4860	dcb10916b5fdb009243e513d8e29475ed17872d6a73e6ff3b5130da250c343ecN.exe	88

C:\Users\Admin\AppData\Local\Temp\dcb10916b5fdb009243e513d8e29475ed17872d6a73e6ff3b5130da250c343ecN.exe
"C:\Users\Admin\AppData\Local\Temp\dcb10916b5fdb009243e513d8e29475ed17872d6a73e6ff3b5130da250c343ecN.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4860
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:792
- C:\AdobeIA\aoptiloc.exe
  C:\AdobeIA\aoptiloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2324

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4292,i,12470628711992022444,7767535593390851522,262144 --variations-seed-version --mojo-platform-channel-handle=4056 /prefetch:8
1⤵
PID:4076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeIA\aoptiloc.exe

Filesize
2.6MB

MD5
079fcd9ae060013affd46066c4658f87

SHA1
f09e3acb8671a8a148de3f3a8a3d7accf54720ca

SHA256
72c2fbc6aa8124652cee8e1eb42ddbeb984cba1e20605d1188e1550e84481d84

SHA512
287d7e8f0be5e4a8cf82e7a99a9204c702dfd195fb6baeb396310880993e8b357834eadb6763441667aae9e60629e902a085f51337938810833459b5c21b9edc

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
1c3659ef53c0966a8b9869fffbde70e1

SHA1
ea6b94de65ef31e4ee4b01bde6d1b60e494ee2a5

SHA256
977c6afe9d084ff92edd85c7c927740679145d85c5af15e5f7c2e70f40fa7136

SHA512
1e3ab30f9349a4d3bd9c1710e9dbe0ae2047981f20073406cd1bdb2b1bd28d22069fe200778cc83e03fc16070f3b264e5885c49daf64c296003ede69069af06e

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
170B

MD5
fb9e83cf4073ac8bd7cb634190a02771

SHA1
deb64d09ed30c12ff364ce7114313f0478f59859

SHA256
7e786c4c4e11017aef208c1731fa8dacbd45adf1909d6ea31f1f3519a9b76949

SHA512
4f196fb8d7c4dbbe1b09502f69e9ebcd96bfa794ed1122c7ed4d44b98c86aa6dc5d4e958572878f7eecc15f9b9b04102f825f5cd0de5db006bb3e07dee8ec2a9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe

Filesize
2.6MB

MD5
7060b77e1ea32f1723ecbdff5cdad0fd

SHA1
2ef1736d8db77d8c2cc897a25f118dcd3cfa1064

SHA256
dd7d4f5103cf60f849a8cd9ec23b9ca42538b21eca12c63a9bd08ec71da71c48

SHA512
6838280c138a118d07b8c9ed7e703ecad58e34d0020b173e81242331131bb6ffa0efd4dcc5ffe3ffd8e571508b31480d3a6f1baae2caee9a462825f8736854a9

Download Submit
C:\VidHO\boddevloc.exe

Filesize
2.6MB

MD5
55e332da8a9fa9a95b0a4231c7da6fc7

SHA1
9351e894d03792e0d96c1580d3d13e6bf35aa091

SHA256
3aca0f6be04ac66845c77807cf37972d3db2f320eedd90d502433ff223c0c444

SHA512
3412960abadb13cbdb633151d1e10588ce3b7208407dea1334362f491325dd1ffa1ee818a2c78085f659888515a6d6e3a79d59eefb080010a8ae214b84742743

Download Submit
C:\VidHO\boddevloc.exe

Filesize
11KB

MD5
3193f6732970f64ca3094d85171d7380

SHA1
0d2f450337cb69eafa727d6d6de40feb0750ba1d

SHA256
e09faa78045b943266c903ad6e7b69a1069ca062bfda7c5f794f8e9e7eb9ad9b

SHA512
b23afd97dc8f9fe6ddb53b3a780345bde4ea50f989055db34d69d243649f4b7cb2c2c4429e9fa318a396fe363aaa923f2c261ba475390673664ac4fda7c5b3f8

Download Submit