939d190649cca94b2c360eb903b0ccca2cf9692b5288cacac9cfe8e2ca517fb2

Analysis

max time kernel
119s
max time network
16s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
10-10-2024 16:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

939d190649cca94b2c360eb903b0ccca2cf9692b5288cacac9cfe8e2ca517fb2N.exe
Size

2.6MB
MD5

6bb121390b50fdb90586cac15271ae90
SHA1

fe9c4b5178f8342590fbff83dc3d79c157f73cac
SHA256

939d190649cca94b2c360eb903b0ccca2cf9692b5288cacac9cfe8e2ca517fb2
SHA512

26ce65865a1cd704f93357cfabd6593f2b5299b7a822f04967f945e783414469f863795264c362afc06112422d84012db63630704f01fd5375097da1dad38173
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB0B/bS:sxX7QnxrloE5dpUpvb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe	939d190649cca94b2c360eb903b0ccca2cf9692b5288cacac9cfe8e2ca517fb2N.exe

Executes dropped EXE 2 IoCs

pid	Process
2608	ecxdob.exe
2532	aoptiec.exe

Loads dropped DLL 2 IoCs

pid	Process
2632	939d190649cca94b2c360eb903b0ccca2cf9692b5288cacac9cfe8e2ca517fb2N.exe
2632	939d190649cca94b2c360eb903b0ccca2cf9692b5288cacac9cfe8e2ca517fb2N.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocH4\\aoptiec.exe"	939d190649cca94b2c360eb903b0ccca2cf9692b5288cacac9cfe8e2ca517fb2N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax53\\optialoc.exe"	939d190649cca94b2c360eb903b0ccca2cf9692b5288cacac9cfe8e2ca517fb2N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	939d190649cca94b2c360eb903b0ccca2cf9692b5288cacac9cfe8e2ca517fb2N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecxdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aoptiec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2632	939d190649cca94b2c360eb903b0ccca2cf9692b5288cacac9cfe8e2ca517fb2N.exe
2632	939d190649cca94b2c360eb903b0ccca2cf9692b5288cacac9cfe8e2ca517fb2N.exe
2608	ecxdob.exe
2532	aoptiec.exe
2608	ecxdob.exe
2532	aoptiec.exe
2608	ecxdob.exe
2532	aoptiec.exe
2608	ecxdob.exe
2532	aoptiec.exe
2608	ecxdob.exe
2532	aoptiec.exe
2608	ecxdob.exe
2532	aoptiec.exe
2608	ecxdob.exe
2532	aoptiec.exe
2608	ecxdob.exe
2532	aoptiec.exe
2608	ecxdob.exe
2532	aoptiec.exe
2608	ecxdob.exe
2532	aoptiec.exe
2608	ecxdob.exe
2532	aoptiec.exe
2608	ecxdob.exe
2532	aoptiec.exe
2608	ecxdob.exe
2532	aoptiec.exe
2608	ecxdob.exe
2532	aoptiec.exe
2608	ecxdob.exe
2532	aoptiec.exe
2608	ecxdob.exe
2532	aoptiec.exe
2608	ecxdob.exe
2532	aoptiec.exe
2608	ecxdob.exe
2532	aoptiec.exe
2608	ecxdob.exe
2532	aoptiec.exe
2608	ecxdob.exe
2532	aoptiec.exe
2608	ecxdob.exe
2532	aoptiec.exe
2608	ecxdob.exe
2532	aoptiec.exe
2608	ecxdob.exe
2532	aoptiec.exe
2608	ecxdob.exe
2532	aoptiec.exe
2608	ecxdob.exe
2532	aoptiec.exe
2608	ecxdob.exe
2532	aoptiec.exe
2608	ecxdob.exe
2532	aoptiec.exe
2608	ecxdob.exe
2532	aoptiec.exe
2608	ecxdob.exe
2532	aoptiec.exe
2608	ecxdob.exe
2532	aoptiec.exe
2608	ecxdob.exe
2532	aoptiec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2632 wrote to memory of 2608	2632	939d190649cca94b2c360eb903b0ccca2cf9692b5288cacac9cfe8e2ca517fb2N.exe	30
PID 2632 wrote to memory of 2608	2632	939d190649cca94b2c360eb903b0ccca2cf9692b5288cacac9cfe8e2ca517fb2N.exe	30
PID 2632 wrote to memory of 2608	2632	939d190649cca94b2c360eb903b0ccca2cf9692b5288cacac9cfe8e2ca517fb2N.exe	30
PID 2632 wrote to memory of 2608	2632	939d190649cca94b2c360eb903b0ccca2cf9692b5288cacac9cfe8e2ca517fb2N.exe	30
PID 2632 wrote to memory of 2532	2632	939d190649cca94b2c360eb903b0ccca2cf9692b5288cacac9cfe8e2ca517fb2N.exe	31
PID 2632 wrote to memory of 2532	2632	939d190649cca94b2c360eb903b0ccca2cf9692b5288cacac9cfe8e2ca517fb2N.exe	31
PID 2632 wrote to memory of 2532	2632	939d190649cca94b2c360eb903b0ccca2cf9692b5288cacac9cfe8e2ca517fb2N.exe	31
PID 2632 wrote to memory of 2532	2632	939d190649cca94b2c360eb903b0ccca2cf9692b5288cacac9cfe8e2ca517fb2N.exe	31

C:\Users\Admin\AppData\Local\Temp\939d190649cca94b2c360eb903b0ccca2cf9692b5288cacac9cfe8e2ca517fb2N.exe
"C:\Users\Admin\AppData\Local\Temp\939d190649cca94b2c360eb903b0ccca2cf9692b5288cacac9cfe8e2ca517fb2N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2632
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2608
- C:\IntelprocH4\aoptiec.exe
  C:\IntelprocH4\aoptiec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Galax53\optialoc.exe

Filesize
113KB

MD5
ca420f759f7d3a8d47a4b0006ec027cc

SHA1
7b77b159520c00a151f25d8aafd395d389bd00cc

SHA256
ee8dd697378168224a687006c2b7e68becf20ff753b05df7588838155ec30b83

SHA512
bb0e6f3502b2a63a60ede9471ce9a5d0a1f5ba764d20fdd61caa1b30f4294eef0d7dac2d07ae6748cfd6dcef484be26f2b3372504ee45e03dfc32d0c5e428c30

Download Submit
C:\Galax53\optialoc.exe

Filesize
2.6MB

MD5
c84e035e3a527684ab58e6ab7e11f50d

SHA1
280f4e9e0eb439d992d3ee998776c23c855a134c

SHA256
f4ef89bc08b00e20db27ce66b53b504b60c4dcffd9a3dac3038a12dee26249d5

SHA512
dea8df6f27f270e3a44b8be39dcf1f7a095375327482ca9093179bea4084f45e7da69d8f8ed67ad44b2971800d446316c6c29c74b49f10e36eb2139e6e42a672

Download Submit
C:\IntelprocH4\aoptiec.exe

Filesize
363KB

MD5
17029bae576bc3196a1e53080fc42d47

SHA1
2b27c0893a69c3b2017767dd29bf9c3aa9cb5a05

SHA256
1acc91ffbdd3a63aa2e5191175069ad2fd4c56e427e56760b44b4d5373173826

SHA512
67d6f224b9c9bd98d5441e276169d2a95cecfc58e3d7c007c272381c855b5f07beb1f3ea703da89cdd639188d3e1295e14c2959b56802365546e4929a41c770e

Download Submit
C:\IntelprocH4\aoptiec.exe

Filesize
2.6MB

MD5
6add60636f3e14245b17b3002b5bf560

SHA1
78f217a62a1e15d710f9256a0723ec41e794fe87

SHA256
9c1f3129840fd215019286a367b3926b901174c63c4afa61d5d86d1751522d78

SHA512
8383ee267d8bd118c0220caabaac6cf391fad8b18feb98782bcda1d1ce3ccbfcac6d1c58b24348e01157d0d309f809e0423aed1f7100a856d7d548d97c699261

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
173B

MD5
c0d5a9b3cccd7f1df7d9e44cb0fac432

SHA1
ead410751c4fd1b5cf9684b8021cf7ed9cb0ccf5

SHA256
2969a387ef31091fabe461ea28a1779acdb93c747fa4cbe5f8d5ea6df1a823b1

SHA512
045fbeadeb37c72a2d35dba58312134e73989c701bdfba20ad7bc978d3ba1418fc8af9ad09adeb1f4d3263952a45f4ebd08a0ac189d447e67223f701faddb28a

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
205B

MD5
82283367fc8a0db4a423581ff57e59e3

SHA1
0fb673c8049b0ed065d9b130968ddf8d9051d140

SHA256
56442c4b71cf38d16ba15dcc7fbc184bc2e9fb179dec5d6d2e57210d1e6ea0e4

SHA512
e60c71fe7b34671f3ec16992e9916837de8de87b0cf45a7e08e8bca4a0929be8d3722a7185bc442a968a2a037215ba0335133386df0641485bbaf6265ef7748d

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe

Filesize
2.6MB

MD5
a3c04cc03f1e79832c0590f6257b3f42

SHA1
5fcc173f8f20c852e58b9e30174d31a42158cc70

SHA256
88121e74867d33459dd55d97fa24c3e911c1b94c5cacbeb50ddd3cae4c310ab6

SHA512
267592600cd51aecbf33487a7970555c6fea0403844a88182a4a85f7709671f40e7e8137f27fcbe8bb4775beca97f08b8ec6a74e3dbccca9384bdf97f0889776

Download Submit