b3c5e452781999b7b3941a1122de1b510ebe801ed9c2b9f8c9f1b1fce29aba31

Analysis

max time kernel
119s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
13/10/2024, 17:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b3c5e452781999b7b3941a1122de1b510ebe801ed9c2b9f8c9f1b1fce29aba31N.exe
Size

2.6MB
MD5

25b4f1a8eb7daa211729244ec61caf80
SHA1

e8c87ec86254a51e0e6ac2073ad96ef7f19661d2
SHA256

b3c5e452781999b7b3941a1122de1b510ebe801ed9c2b9f8c9f1b1fce29aba31
SHA512

2332d2ef2c251dc2930634e3b71d4e544d4669d7946d29e0af5ac8500a6ff1922f1680cd326d7df773162f24f0cbcf5ec36870693a85603e16777d214be2d658
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB+B/bSq:sxX7QnxrloE5dpUplbV

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe	b3c5e452781999b7b3941a1122de1b510ebe801ed9c2b9f8c9f1b1fce29aba31N.exe

Executes dropped EXE 2 IoCs

pid	Process
1508	ecadob.exe
2904	aoptisys.exe

Loads dropped DLL 2 IoCs

pid	Process
572	b3c5e452781999b7b3941a1122de1b510ebe801ed9c2b9f8c9f1b1fce29aba31N.exe
572	b3c5e452781999b7b3941a1122de1b510ebe801ed9c2b9f8c9f1b1fce29aba31N.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv5S\\aoptisys.exe"	b3c5e452781999b7b3941a1122de1b510ebe801ed9c2b9f8c9f1b1fce29aba31N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZV1\\dobaloc.exe"	b3c5e452781999b7b3941a1122de1b510ebe801ed9c2b9f8c9f1b1fce29aba31N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b3c5e452781999b7b3941a1122de1b510ebe801ed9c2b9f8c9f1b1fce29aba31N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecadob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aoptisys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
572	b3c5e452781999b7b3941a1122de1b510ebe801ed9c2b9f8c9f1b1fce29aba31N.exe
572	b3c5e452781999b7b3941a1122de1b510ebe801ed9c2b9f8c9f1b1fce29aba31N.exe
1508	ecadob.exe
2904	aoptisys.exe
1508	ecadob.exe
2904	aoptisys.exe
1508	ecadob.exe
2904	aoptisys.exe
1508	ecadob.exe
2904	aoptisys.exe
1508	ecadob.exe
2904	aoptisys.exe
1508	ecadob.exe
2904	aoptisys.exe
1508	ecadob.exe
2904	aoptisys.exe
1508	ecadob.exe
2904	aoptisys.exe
1508	ecadob.exe
2904	aoptisys.exe
1508	ecadob.exe
2904	aoptisys.exe
1508	ecadob.exe
2904	aoptisys.exe
1508	ecadob.exe
2904	aoptisys.exe
1508	ecadob.exe
2904	aoptisys.exe
1508	ecadob.exe
2904	aoptisys.exe
1508	ecadob.exe
2904	aoptisys.exe
1508	ecadob.exe
2904	aoptisys.exe
1508	ecadob.exe
2904	aoptisys.exe
1508	ecadob.exe
2904	aoptisys.exe
1508	ecadob.exe
2904	aoptisys.exe
1508	ecadob.exe
2904	aoptisys.exe
1508	ecadob.exe
2904	aoptisys.exe
1508	ecadob.exe
2904	aoptisys.exe
1508	ecadob.exe
2904	aoptisys.exe
1508	ecadob.exe
2904	aoptisys.exe
1508	ecadob.exe
2904	aoptisys.exe
1508	ecadob.exe
2904	aoptisys.exe
1508	ecadob.exe
2904	aoptisys.exe
1508	ecadob.exe
2904	aoptisys.exe
1508	ecadob.exe
2904	aoptisys.exe
1508	ecadob.exe
2904	aoptisys.exe
1508	ecadob.exe
2904	aoptisys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 572 wrote to memory of 1508	572	b3c5e452781999b7b3941a1122de1b510ebe801ed9c2b9f8c9f1b1fce29aba31N.exe	29
PID 572 wrote to memory of 1508	572	b3c5e452781999b7b3941a1122de1b510ebe801ed9c2b9f8c9f1b1fce29aba31N.exe	29
PID 572 wrote to memory of 1508	572	b3c5e452781999b7b3941a1122de1b510ebe801ed9c2b9f8c9f1b1fce29aba31N.exe	29
PID 572 wrote to memory of 1508	572	b3c5e452781999b7b3941a1122de1b510ebe801ed9c2b9f8c9f1b1fce29aba31N.exe	29
PID 572 wrote to memory of 2904	572	b3c5e452781999b7b3941a1122de1b510ebe801ed9c2b9f8c9f1b1fce29aba31N.exe	30
PID 572 wrote to memory of 2904	572	b3c5e452781999b7b3941a1122de1b510ebe801ed9c2b9f8c9f1b1fce29aba31N.exe	30
PID 572 wrote to memory of 2904	572	b3c5e452781999b7b3941a1122de1b510ebe801ed9c2b9f8c9f1b1fce29aba31N.exe	30
PID 572 wrote to memory of 2904	572	b3c5e452781999b7b3941a1122de1b510ebe801ed9c2b9f8c9f1b1fce29aba31N.exe	30

C:\Users\Admin\AppData\Local\Temp\b3c5e452781999b7b3941a1122de1b510ebe801ed9c2b9f8c9f1b1fce29aba31N.exe
"C:\Users\Admin\AppData\Local\Temp\b3c5e452781999b7b3941a1122de1b510ebe801ed9c2b9f8c9f1b1fce29aba31N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:572
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1508
- C:\SysDrv5S\aoptisys.exe
  C:\SysDrv5S\aoptisys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZV1\dobaloc.exe

Filesize
2.6MB

MD5
058ca5140c6663471a7b053b40794292

SHA1
e055958aed787b2c3994474f85bd129d076f77a8

SHA256
4e5e8b832e3de7b30193e854ce056c29a1b4c1ced192c5ad963f4eb259d28c49

SHA512
e0b5636d41dbc9ed0875982607ac323c1ad20cdcfd6547b5839491b5b80bd26bab5920987d411816d202ecc325ad2be3fda7bfa013e01b18b17aa544c9ced0d6

Download Submit
C:\LabZV1\dobaloc.exe

Filesize
2.6MB

MD5
43b25c1089273c73185163277e9aa2f4

SHA1
02bd97abec41d8a5f450ab4cd3b2cd3a6a64f51d

SHA256
4e83de93275f47b576df369014451f611e139362591e521b9c9b8ad1f2e819d0

SHA512
c0f9859eb3f8014d9f051e6484eaaa46af32261c3704eaf861f6317e2f1f50cb5a08c0ad8d5f30ff1afde531ef210264384c8261477fc753c8548a369c00a59b

Download Submit
C:\SysDrv5S\aoptisys.exe

Filesize
2.6MB

MD5
58f84fb0108526e0265e5240ebed8373

SHA1
0915ba32f8ec1596ef07f5cd5e8c44189e37f7b8

SHA256
7fcbfe4f937f7f9b31fe1f2c063ed4807ff950af6f9ee62c7fd3295a3a5544ba

SHA512
07c08483715faaf5503865bc697fdf3d3eb4e36201888e74e9f78cd57903eb5f5524839ec904d510a1d4d3c7c9cd8cb1f9823a7d273bf7bd4ab4a1c80179a53e

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
169B

MD5
8ed65cc9ff0ed5f7b0feba49ee2599b4

SHA1
6dff4988675a688bc5b2bb0c550b97b1b7d18ab0

SHA256
eeed2fbb764a870ddeba01377999ee1e3456372a25acd225c92ff89c5c380b50

SHA512
5a62fcddb3f24c6066da038593d21194304892e4771aad96d961baa8b0df4f23a5a4d880162f7347e7a82eee1605ae1e0030e772b6d353480ae40bdf20b45085

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
201B

MD5
0a009cd90194c66ecbf0ce0f1724cb9a

SHA1
603556e2551e9e7e2c56c2040bc745d7769790d7

SHA256
664ab732752e78ee3c88a2323f4a27ffc770a2363d362517c47c53906e2f9357

SHA512
fb01255b4c41f6f37d95ad813f5cd1a72c48fdb1b074506874ab43842684610f2c7bc3aa45c36f2f8b8c6635fd66e3f77eecd441358ca66b123d1a4dfbaaf0d8

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe

Filesize
2.6MB

MD5
061cb31221c571147f3b41ab85b5c57f

SHA1
dd9478617c4b0de3e3dc389773519554426144c3

SHA256
f9c66285fb9ac0e9fff1330d81b7a24f5dcafc3f3bf4048624fae81a711e60f4

SHA512
ed2ff76e0690c0bd62a67cdb2993da70e2d0ecc13da00ba13aff90995d4fc6f4661974727103685d83c614771ef6bf06e2e4d3bec9eb22925555bebb6fe1e692

Download Submit