17c98c66fee3afc7b354f73cfbc63d62271fc7b93f3f2e26277035451471152c

Analysis

max time kernel
120s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28/09/2024, 07:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17c98c66fee3afc7b354f73cfbc63d62271fc7b93f3f2e26277035451471152cN.exe
Size

2.6MB
MD5

0914143e1282401f23d0b5f072f8ee60
SHA1

cf2df366c40c1e38621da27eae9bab47a80d0f80
SHA256

17c98c66fee3afc7b354f73cfbc63d62271fc7b93f3f2e26277035451471152c
SHA512

3eab0f2f6f75e3b65f01a245cccef81463d06d8bc4b507dcc2a525bed07494ae1c2896561c5994626eb53b867e4c5b9a4e91bce7ea346f9d07b4fbcedfcaebc4
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB5B/bS:sxX7QnxrloE5dpUpGb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe	17c98c66fee3afc7b354f73cfbc63d62271fc7b93f3f2e26277035451471152cN.exe

Executes dropped EXE 2 IoCs

pid	Process
4436	ecdevopti.exe
1996	aoptiec.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot22\\aoptiec.exe"	17c98c66fee3afc7b354f73cfbc63d62271fc7b93f3f2e26277035451471152cN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxA3\\optiaec.exe"	17c98c66fee3afc7b354f73cfbc63d62271fc7b93f3f2e26277035451471152cN.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	17c98c66fee3afc7b354f73cfbc63d62271fc7b93f3f2e26277035451471152cN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecdevopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aoptiec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3368	17c98c66fee3afc7b354f73cfbc63d62271fc7b93f3f2e26277035451471152cN.exe
3368	17c98c66fee3afc7b354f73cfbc63d62271fc7b93f3f2e26277035451471152cN.exe
3368	17c98c66fee3afc7b354f73cfbc63d62271fc7b93f3f2e26277035451471152cN.exe
3368	17c98c66fee3afc7b354f73cfbc63d62271fc7b93f3f2e26277035451471152cN.exe
4436	ecdevopti.exe
4436	ecdevopti.exe
1996	aoptiec.exe
1996	aoptiec.exe
4436	ecdevopti.exe
4436	ecdevopti.exe
1996	aoptiec.exe
1996	aoptiec.exe
4436	ecdevopti.exe
4436	ecdevopti.exe
1996	aoptiec.exe
1996	aoptiec.exe
4436	ecdevopti.exe
4436	ecdevopti.exe
1996	aoptiec.exe
1996	aoptiec.exe
4436	ecdevopti.exe
4436	ecdevopti.exe
1996	aoptiec.exe
1996	aoptiec.exe
4436	ecdevopti.exe
4436	ecdevopti.exe
1996	aoptiec.exe
1996	aoptiec.exe
4436	ecdevopti.exe
4436	ecdevopti.exe
1996	aoptiec.exe
1996	aoptiec.exe
4436	ecdevopti.exe
4436	ecdevopti.exe
1996	aoptiec.exe
1996	aoptiec.exe
4436	ecdevopti.exe
4436	ecdevopti.exe
1996	aoptiec.exe
1996	aoptiec.exe
4436	ecdevopti.exe
4436	ecdevopti.exe
1996	aoptiec.exe
1996	aoptiec.exe
4436	ecdevopti.exe
4436	ecdevopti.exe
1996	aoptiec.exe
1996	aoptiec.exe
4436	ecdevopti.exe
4436	ecdevopti.exe
1996	aoptiec.exe
1996	aoptiec.exe
4436	ecdevopti.exe
4436	ecdevopti.exe
1996	aoptiec.exe
1996	aoptiec.exe
4436	ecdevopti.exe
4436	ecdevopti.exe
1996	aoptiec.exe
1996	aoptiec.exe
4436	ecdevopti.exe
4436	ecdevopti.exe
1996	aoptiec.exe
1996	aoptiec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3368 wrote to memory of 4436	3368	17c98c66fee3afc7b354f73cfbc63d62271fc7b93f3f2e26277035451471152cN.exe	82
PID 3368 wrote to memory of 4436	3368	17c98c66fee3afc7b354f73cfbc63d62271fc7b93f3f2e26277035451471152cN.exe	82
PID 3368 wrote to memory of 4436	3368	17c98c66fee3afc7b354f73cfbc63d62271fc7b93f3f2e26277035451471152cN.exe	82
PID 3368 wrote to memory of 1996	3368	17c98c66fee3afc7b354f73cfbc63d62271fc7b93f3f2e26277035451471152cN.exe	83
PID 3368 wrote to memory of 1996	3368	17c98c66fee3afc7b354f73cfbc63d62271fc7b93f3f2e26277035451471152cN.exe	83
PID 3368 wrote to memory of 1996	3368	17c98c66fee3afc7b354f73cfbc63d62271fc7b93f3f2e26277035451471152cN.exe	83

C:\Users\Admin\AppData\Local\Temp\17c98c66fee3afc7b354f73cfbc63d62271fc7b93f3f2e26277035451471152cN.exe
"C:\Users\Admin\AppData\Local\Temp\17c98c66fee3afc7b354f73cfbc63d62271fc7b93f3f2e26277035451471152cN.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3368
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4436
- C:\UserDot22\aoptiec.exe
  C:\UserDot22\aoptiec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxA3\optiaec.exe

Filesize
15KB

MD5
62f17a18e2665228331086e6e938bfcc

SHA1
8e2aada25ef3eee33045d7c08ce27d04adfb7da4

SHA256
1f30a15b454a01e1f02a566860b6dea8fe2debfee04aa9dcd02eff1b374b5385

SHA512
0cde9444b74a958f01e657a2f49550b28dac6697a6d01cdde84a080468781943e73e4ca36b1efb6ce7bebd85c014c8ebf526f60943adf83ef100be6249c3a5f3

Download Submit
C:\GalaxA3\optiaec.exe

Filesize
2.6MB

MD5
4799716ce306afc8b5e3191497749ec0

SHA1
65d9c573dc86b42a759b9366fcab2a0684032149

SHA256
fdf7b30191b5665d26f0c1e8227767986f988951b9dec8243d10f01de9777eab

SHA512
4d0c050f1fd9fd71374d9321cddbf6a898f6fe24766771a24eee13fda1b7131f428035d6cb110b1cdaf83222780bac01e501aecf2c0071888179f13e5c989e9a

Download Submit
C:\UserDot22\aoptiec.exe

Filesize
2.6MB

MD5
3e948c2ef9ab67ba841d1e91a38135ea

SHA1
76b766a449d5fd51a086778ef03cf8e2301088ed

SHA256
79caf06003d61775282b0058ef80e4392553dda4a42d3ada32d121da406a2e85

SHA512
58e63cca90a53d09a15b3c9fccef9ce938b0f59e7881288d16fe96a06ba460c53943d1bc08429012a38ea2c2e078382a54c7ba94ae6282ec97b37d64401f6e6d

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
8d0cfb4d58fde24c07ac4da2cfd5d5c9

SHA1
7651913a4422b1558a71fad26f3f21caf7b5f5b0

SHA256
6d6c15e7fb80cbc6cb34fd4df91344d20da9950e7805e37ba6ea31cee5c5ef43

SHA512
a2d6a78d7355026d4204dd32cad24e10a1874b1f377d2b55d8b5c4b599c04d6a148c794f5cb9553acdf68428b41d4d04bf80cec7f29aa91b226342e8c001c011

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
173B

MD5
31901043fbc8afaf8e91de9caf068c1e

SHA1
54e98ada0715d01ad9beba3250c1991de5563f29

SHA256
c4ab7b31a9675d3f54b04d90a334e47423afa47a89a4642a91a52cf8232c2ac1

SHA512
450b033310d6d40a26dfce0fc26c38e91a603b295d8003ee1b6da47feeb7191795ba792088e86022fc9ee04ce459d882b493020edaa46739f4d6984c37fa2ea4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe

Filesize
2.6MB

MD5
1101943adb9bb7b4175d672006d91b1c

SHA1
83056904247dca68d54b39752dec20b3d86865cb

SHA256
bac8cf6c5c162fa0da8f6397dad2428675a8a804e373701076f36f828100d0b5

SHA512
ef8fdeb5444baca1590b60020844ee937ea96c47008d8615cf099ec82444e0c0f29ebc6f1167f029ca70c155acea4b954ba6320fad7f1da9a603272f534e92cb

Download Submit