01910fd4259e65e57ce8a84097c478d60f287641283c514873ed8c767f3ec049

Analysis

max time kernel
119s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28/09/2024, 06:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01910fd4259e65e57ce8a84097c478d60f287641283c514873ed8c767f3ec049N.exe
Size

3.6MB
MD5

67c5edb409359ac9ac0022d561b180a0
SHA1

69843324152e93de437387e257f226d3bdd9cc70
SHA256

01910fd4259e65e57ce8a84097c478d60f287641283c514873ed8c767f3ec049
SHA512

a5ba84b7de542eced368abae8d590b8aeb4a7dfa93449398d172c530e1107d949168c3548c4057a3b01d079f55ff61f979848fe811d18e7005f52fccc4d11b83
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB2B/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpdbVz8eLFcz

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe	01910fd4259e65e57ce8a84097c478d60f287641283c514873ed8c767f3ec049N.exe

Executes dropped EXE 2 IoCs

pid	Process
2852	ecadob.exe
3516	aoptisys.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvNY\\aoptisys.exe"	01910fd4259e65e57ce8a84097c478d60f287641283c514873ed8c767f3ec049N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid6B\\optidevsys.exe"	01910fd4259e65e57ce8a84097c478d60f287641283c514873ed8c767f3ec049N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aoptisys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	01910fd4259e65e57ce8a84097c478d60f287641283c514873ed8c767f3ec049N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecadob.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4836	01910fd4259e65e57ce8a84097c478d60f287641283c514873ed8c767f3ec049N.exe
4836	01910fd4259e65e57ce8a84097c478d60f287641283c514873ed8c767f3ec049N.exe
4836	01910fd4259e65e57ce8a84097c478d60f287641283c514873ed8c767f3ec049N.exe
4836	01910fd4259e65e57ce8a84097c478d60f287641283c514873ed8c767f3ec049N.exe
2852	ecadob.exe
2852	ecadob.exe
3516	aoptisys.exe
3516	aoptisys.exe
2852	ecadob.exe
2852	ecadob.exe
3516	aoptisys.exe
3516	aoptisys.exe
2852	ecadob.exe
2852	ecadob.exe
3516	aoptisys.exe
3516	aoptisys.exe
2852	ecadob.exe
2852	ecadob.exe
3516	aoptisys.exe
3516	aoptisys.exe
2852	ecadob.exe
2852	ecadob.exe
3516	aoptisys.exe
3516	aoptisys.exe
2852	ecadob.exe
2852	ecadob.exe
3516	aoptisys.exe
3516	aoptisys.exe
2852	ecadob.exe
2852	ecadob.exe
3516	aoptisys.exe
3516	aoptisys.exe
2852	ecadob.exe
2852	ecadob.exe
3516	aoptisys.exe
3516	aoptisys.exe
2852	ecadob.exe
2852	ecadob.exe
3516	aoptisys.exe
3516	aoptisys.exe
2852	ecadob.exe
2852	ecadob.exe
3516	aoptisys.exe
3516	aoptisys.exe
2852	ecadob.exe
2852	ecadob.exe
3516	aoptisys.exe
3516	aoptisys.exe
2852	ecadob.exe
2852	ecadob.exe
3516	aoptisys.exe
3516	aoptisys.exe
2852	ecadob.exe
2852	ecadob.exe
3516	aoptisys.exe
3516	aoptisys.exe
2852	ecadob.exe
2852	ecadob.exe
3516	aoptisys.exe
3516	aoptisys.exe
2852	ecadob.exe
2852	ecadob.exe
3516	aoptisys.exe
3516	aoptisys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4836 wrote to memory of 2852	4836	01910fd4259e65e57ce8a84097c478d60f287641283c514873ed8c767f3ec049N.exe	82
PID 4836 wrote to memory of 2852	4836	01910fd4259e65e57ce8a84097c478d60f287641283c514873ed8c767f3ec049N.exe	82
PID 4836 wrote to memory of 2852	4836	01910fd4259e65e57ce8a84097c478d60f287641283c514873ed8c767f3ec049N.exe	82
PID 4836 wrote to memory of 3516	4836	01910fd4259e65e57ce8a84097c478d60f287641283c514873ed8c767f3ec049N.exe	83
PID 4836 wrote to memory of 3516	4836	01910fd4259e65e57ce8a84097c478d60f287641283c514873ed8c767f3ec049N.exe	83
PID 4836 wrote to memory of 3516	4836	01910fd4259e65e57ce8a84097c478d60f287641283c514873ed8c767f3ec049N.exe	83

C:\Users\Admin\AppData\Local\Temp\01910fd4259e65e57ce8a84097c478d60f287641283c514873ed8c767f3ec049N.exe
"C:\Users\Admin\AppData\Local\Temp\01910fd4259e65e57ce8a84097c478d60f287641283c514873ed8c767f3ec049N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4836
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2852
- C:\SysDrvNY\aoptisys.exe
  C:\SysDrvNY\aoptisys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\SysDrvNY\aoptisys.exe

Filesize
3.6MB

MD5
cde63b6a5cf25cabe2398948bedbb663

SHA1
4468a182c8d7418657cd71ef101f63136de04506

SHA256
c0179e1eb9790d260ab8c70ca9d13751c419dd65e33c2e0b7db2c64d9a4a6e7c

SHA512
a3f51e7a3dbdac65d3cdddb77fa35052927f2e49b0ede3605e4f5baeb95f09622f5d3f099fd59d9fa6e06924a5199a3564b50ebea138fa54340f5024acf6df54

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
c17db1fb9cad79e7b39484bf19d688fe

SHA1
557471f22271c05fadac41c8be5c4b1456e1edd4

SHA256
ca92270ac6ffb6a95b370664be281f0c3f44e8cbe3c40f3290b524632ad237d8

SHA512
ba23f6e383d6295445da6ba410e6e7ce9511093d8081c314a927a7d7d0d9c7d5c3bdebeee76529104ccd32833747f4178a0feddfae758e8dcc5b26f845ad87be

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
171B

MD5
b3fae06a3c5806b829a3ab0c6b80ee19

SHA1
deba0ac1d3ba71ec830c59f357a413aca68b9614

SHA256
fab7962a4021e208443f7e9e44a2b5a599f06c242fdba529b76c45a652e631d1

SHA512
b526f22df12cb48f57127c428d885a4f1254004ca37ab7c9d11f71a9fca0e886538c9e888c16cd81083b6905a3405a1bab7ce2d27ba966b4c5d5750bb604f7fe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe

Filesize
3.6MB

MD5
f7bbe0e8d70dc1beb805ea97e3e9ab8f

SHA1
7eba0a7c14ede244a76eae60e68ad3491967fa0f

SHA256
346119553657a5853f2666c134f1a8dc9e8a8b5c47e289efd1c4d800d71f1f16

SHA512
98475454e0b2d62d69775c961b0b03a01464ee627edec5c398ee6ee3aef5a6081c34356ead898b2748796eeb971e4209d82c0b0d664669c131b0e6005cf22c82

Download Submit
C:\Vid6B\optidevsys.exe

Filesize
338KB

MD5
2b1a3a8db1d76abc5e0f2b3235ce0e27

SHA1
05758403311470ed8e390174454978c62e70a58c

SHA256
52ebebae52777a6b0b1ac6146f87ebefe3f13737a8b7a1d6ab5f95c343b20163

SHA512
47b5fe598de2aca1717891c335b97ac0f902c363e4cdbf31e3946af2fc1c863d37fe473a9718328613bfc2ee075f554eb18b2aa1f81a58d800785794540bee64

Download Submit
C:\Vid6B\optidevsys.exe

Filesize
3.6MB

MD5
b5035ec80918f36203beaaced34be735

SHA1
e7d8eadfc31cd566b772ecc8562d3cb0b7ba2368

SHA256
f23aec584eba3c0949a3aa1b6f2ae7be04836b8aa7f0017d1ca338beb0802b3f

SHA512
48eba8af9bb88ddca2d30fdd64b60861a6a47bcaff9b7d3791be834b5db021d49cb96a44f2042d9dfa57595b9ee0e653f2be2a88eb0138609dcee133dec17d7a

Download Submit