61ee421c5e6049a3369f30887c01f95dc9d484580c3df7497ab746a2d7f1a12c

Analysis

max time kernel
119s
max time network
16s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
02/10/2024, 14:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

61ee421c5e6049a3369f30887c01f95dc9d484580c3df7497ab746a2d7f1a12cN.exe
Size

2.6MB
MD5

eaf73216248eb5bf8c4bf038c167bae0
SHA1

81123e78ca52f1e9c8da7c9827ee419236e8e079
SHA256

61ee421c5e6049a3369f30887c01f95dc9d484580c3df7497ab746a2d7f1a12c
SHA512

cb41710239cc8e35279a75d6d1803fe6255f75e5ae8e3388f42895f1e7539629fc44a0e2a4ca5f708bb255cb996fe8e3a00162c46fad27d3b12523eee2938dd7
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBQB/bS:sxX7QnxrloE5dpUpDb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe	61ee421c5e6049a3369f30887c01f95dc9d484580c3df7497ab746a2d7f1a12cN.exe

Executes dropped EXE 2 IoCs

pid	Process
2448	ecdevopti.exe
2224	aoptiec.exe

Loads dropped DLL 2 IoCs

pid	Process
1456	61ee421c5e6049a3369f30887c01f95dc9d484580c3df7497ab746a2d7f1a12cN.exe
1456	61ee421c5e6049a3369f30887c01f95dc9d484580c3df7497ab746a2d7f1a12cN.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files7U\\aoptiec.exe"	61ee421c5e6049a3369f30887c01f95dc9d484580c3df7497ab746a2d7f1a12cN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintN6\\optixec.exe"	61ee421c5e6049a3369f30887c01f95dc9d484580c3df7497ab746a2d7f1a12cN.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aoptiec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	61ee421c5e6049a3369f30887c01f95dc9d484580c3df7497ab746a2d7f1a12cN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecdevopti.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1456	61ee421c5e6049a3369f30887c01f95dc9d484580c3df7497ab746a2d7f1a12cN.exe
1456	61ee421c5e6049a3369f30887c01f95dc9d484580c3df7497ab746a2d7f1a12cN.exe
2448	ecdevopti.exe
2224	aoptiec.exe
2448	ecdevopti.exe
2224	aoptiec.exe
2448	ecdevopti.exe
2224	aoptiec.exe
2448	ecdevopti.exe
2224	aoptiec.exe
2448	ecdevopti.exe
2224	aoptiec.exe
2448	ecdevopti.exe
2224	aoptiec.exe
2448	ecdevopti.exe
2224	aoptiec.exe
2448	ecdevopti.exe
2224	aoptiec.exe
2448	ecdevopti.exe
2224	aoptiec.exe
2448	ecdevopti.exe
2224	aoptiec.exe
2448	ecdevopti.exe
2224	aoptiec.exe
2448	ecdevopti.exe
2224	aoptiec.exe
2448	ecdevopti.exe
2224	aoptiec.exe
2448	ecdevopti.exe
2224	aoptiec.exe
2448	ecdevopti.exe
2224	aoptiec.exe
2448	ecdevopti.exe
2224	aoptiec.exe
2448	ecdevopti.exe
2224	aoptiec.exe
2448	ecdevopti.exe
2224	aoptiec.exe
2448	ecdevopti.exe
2224	aoptiec.exe
2448	ecdevopti.exe
2224	aoptiec.exe
2448	ecdevopti.exe
2224	aoptiec.exe
2448	ecdevopti.exe
2224	aoptiec.exe
2448	ecdevopti.exe
2224	aoptiec.exe
2448	ecdevopti.exe
2224	aoptiec.exe
2448	ecdevopti.exe
2224	aoptiec.exe
2448	ecdevopti.exe
2224	aoptiec.exe
2448	ecdevopti.exe
2224	aoptiec.exe
2448	ecdevopti.exe
2224	aoptiec.exe
2448	ecdevopti.exe
2224	aoptiec.exe
2448	ecdevopti.exe
2224	aoptiec.exe
2448	ecdevopti.exe
2224	aoptiec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1456 wrote to memory of 2448	1456	61ee421c5e6049a3369f30887c01f95dc9d484580c3df7497ab746a2d7f1a12cN.exe	29
PID 1456 wrote to memory of 2448	1456	61ee421c5e6049a3369f30887c01f95dc9d484580c3df7497ab746a2d7f1a12cN.exe	29
PID 1456 wrote to memory of 2448	1456	61ee421c5e6049a3369f30887c01f95dc9d484580c3df7497ab746a2d7f1a12cN.exe	29
PID 1456 wrote to memory of 2448	1456	61ee421c5e6049a3369f30887c01f95dc9d484580c3df7497ab746a2d7f1a12cN.exe	29
PID 1456 wrote to memory of 2224	1456	61ee421c5e6049a3369f30887c01f95dc9d484580c3df7497ab746a2d7f1a12cN.exe	30
PID 1456 wrote to memory of 2224	1456	61ee421c5e6049a3369f30887c01f95dc9d484580c3df7497ab746a2d7f1a12cN.exe	30
PID 1456 wrote to memory of 2224	1456	61ee421c5e6049a3369f30887c01f95dc9d484580c3df7497ab746a2d7f1a12cN.exe	30
PID 1456 wrote to memory of 2224	1456	61ee421c5e6049a3369f30887c01f95dc9d484580c3df7497ab746a2d7f1a12cN.exe	30

C:\Users\Admin\AppData\Local\Temp\61ee421c5e6049a3369f30887c01f95dc9d484580c3df7497ab746a2d7f1a12cN.exe
"C:\Users\Admin\AppData\Local\Temp\61ee421c5e6049a3369f30887c01f95dc9d484580c3df7497ab746a2d7f1a12cN.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1456
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2448
- C:\Files7U\aoptiec.exe
  C:\Files7U\aoptiec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Files7U\aoptiec.exe

Filesize
2.6MB

MD5
cff9d85dcc4cf18b596cecb6b25b1027

SHA1
ada15bef15e3516b66c3b6e9b74986c553a76d4c

SHA256
634fd23a53f457b652f2bd3d37a3763629f101a9b50b14bc9bd67cede3a3097a

SHA512
bca3ba8da8561f04f3aaf8793ffc382b14d3938945aa4804237a0c435555b5a4f181aaa0cf17940f93828c97690a500561e6545e13cd896e2c1537debd73e1eb

Download Submit
C:\MintN6\optixec.exe

Filesize
2.6MB

MD5
357c422dd73c6d3dd427cb61213c5558

SHA1
f6b33d253e29d3d3fcc0996cd7f2a2c18fefd726

SHA256
e2ae58695deeeeabd9a7caef24816958c3677cf865a40eb736811ed9f3f32397

SHA512
0623d575418c8f2b80dfeb3b214698db45e665bc136692eb8e9a61115843938cab550fa965cfae8c70a74f70ab67b673497a36190b89c709086eced21507924d

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
170B

MD5
4dbc0fb7086df131b6256366786a39c6

SHA1
c7eaa82e459e1856b17cb267619bbf3b407f38a8

SHA256
2d0498f10600bb04f14487ca3e39f47589b75399129ddd25f7b54308dbcf072a

SHA512
865270003170eb1710e63054cfd89cf9d92b8c2503cb7c5a38b36a2415bb9bd3796632fb91c3d0aae490cb63d833565f94ad0647a1380aebc6564923a8eb1cc9

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
f2a7a909864604a8bd3daa3772bacd10

SHA1
569b54d67d666a8d37d8a231b94ae350ee728722

SHA256
8fc97dfe1c0a4f8042ffc9d6dadd02dddfa4e547154d064c576a165d75e748e8

SHA512
aca4a5f2d35dcb6e869b422e710b557efe388962fe20ca7254a0e73080b870eac80ed5549b0e6e33dcb673e6f96b59f8b788adf5cfabf718dedd1cc873e96fdf

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe

Filesize
2.6MB

MD5
ed5011f111933e89bd0b8966f13165b7

SHA1
24cf7e03253904070ab03107fdd3b87f6141d150

SHA256
097eca43161702bea4140aa0549fee2588b5fadb6e4e380b8c7138be59e7d35c

SHA512
89574cc870d0e78c4d2e68c014b24bdcce6cc754bb00fe72de72d18139cc91fd84eca00f33cda01a2fea1ea2634bc1dc975bb57a5f575a1894b107d561da518d

Download Submit