3c22535d901d1fbeb594defa63ffe64a8da4accd8532852fd920b1762879bdb4

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-10-2024 21:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c22535d901d1fbeb594defa63ffe64a8da4accd8532852fd920b1762879bdb4.exe
Size

2.6MB
MD5

4f4f8fdb971a1615625451923e92979c
SHA1

1ab18abc1f5a84a99c8f117b0292bf8e7ee28c2f
SHA256

3c22535d901d1fbeb594defa63ffe64a8da4accd8532852fd920b1762879bdb4
SHA512

21f5fb1533d702605985468f3aa73529d5aa604d550e251c12467341a15a1a56007c3152e26c14d196eb4c169b47da0f0935019db62729200286e0f4fe7a9b32
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB8B/bS:sxX7QnxrloE5dpUpHb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe	3c22535d901d1fbeb594defa63ffe64a8da4accd8532852fd920b1762879bdb4.exe

Executes dropped EXE 2 IoCs

pid	Process
2176	ecxdob.exe
1868	devoptiloc.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotKE\\devoptiloc.exe"	3c22535d901d1fbeb594defa63ffe64a8da4accd8532852fd920b1762879bdb4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintFM\\optiasys.exe"	3c22535d901d1fbeb594defa63ffe64a8da4accd8532852fd920b1762879bdb4.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecxdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devoptiloc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3c22535d901d1fbeb594defa63ffe64a8da4accd8532852fd920b1762879bdb4.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3352	3c22535d901d1fbeb594defa63ffe64a8da4accd8532852fd920b1762879bdb4.exe
3352	3c22535d901d1fbeb594defa63ffe64a8da4accd8532852fd920b1762879bdb4.exe
3352	3c22535d901d1fbeb594defa63ffe64a8da4accd8532852fd920b1762879bdb4.exe
3352	3c22535d901d1fbeb594defa63ffe64a8da4accd8532852fd920b1762879bdb4.exe
2176	ecxdob.exe
2176	ecxdob.exe
1868	devoptiloc.exe
1868	devoptiloc.exe
2176	ecxdob.exe
2176	ecxdob.exe
1868	devoptiloc.exe
1868	devoptiloc.exe
2176	ecxdob.exe
2176	ecxdob.exe
1868	devoptiloc.exe
1868	devoptiloc.exe
2176	ecxdob.exe
2176	ecxdob.exe
1868	devoptiloc.exe
1868	devoptiloc.exe
2176	ecxdob.exe
2176	ecxdob.exe
1868	devoptiloc.exe
1868	devoptiloc.exe
2176	ecxdob.exe
2176	ecxdob.exe
1868	devoptiloc.exe
1868	devoptiloc.exe
2176	ecxdob.exe
2176	ecxdob.exe
1868	devoptiloc.exe
1868	devoptiloc.exe
2176	ecxdob.exe
2176	ecxdob.exe
1868	devoptiloc.exe
1868	devoptiloc.exe
2176	ecxdob.exe
2176	ecxdob.exe
1868	devoptiloc.exe
1868	devoptiloc.exe
2176	ecxdob.exe
2176	ecxdob.exe
1868	devoptiloc.exe
1868	devoptiloc.exe
2176	ecxdob.exe
2176	ecxdob.exe
1868	devoptiloc.exe
1868	devoptiloc.exe
2176	ecxdob.exe
2176	ecxdob.exe
1868	devoptiloc.exe
1868	devoptiloc.exe
2176	ecxdob.exe
2176	ecxdob.exe
1868	devoptiloc.exe
1868	devoptiloc.exe
2176	ecxdob.exe
2176	ecxdob.exe
1868	devoptiloc.exe
1868	devoptiloc.exe
2176	ecxdob.exe
2176	ecxdob.exe
1868	devoptiloc.exe
1868	devoptiloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3352 wrote to memory of 2176	3352	3c22535d901d1fbeb594defa63ffe64a8da4accd8532852fd920b1762879bdb4.exe	86
PID 3352 wrote to memory of 2176	3352	3c22535d901d1fbeb594defa63ffe64a8da4accd8532852fd920b1762879bdb4.exe	86
PID 3352 wrote to memory of 2176	3352	3c22535d901d1fbeb594defa63ffe64a8da4accd8532852fd920b1762879bdb4.exe	86
PID 3352 wrote to memory of 1868	3352	3c22535d901d1fbeb594defa63ffe64a8da4accd8532852fd920b1762879bdb4.exe	87
PID 3352 wrote to memory of 1868	3352	3c22535d901d1fbeb594defa63ffe64a8da4accd8532852fd920b1762879bdb4.exe	87
PID 3352 wrote to memory of 1868	3352	3c22535d901d1fbeb594defa63ffe64a8da4accd8532852fd920b1762879bdb4.exe	87

C:\Users\Admin\AppData\Local\Temp\3c22535d901d1fbeb594defa63ffe64a8da4accd8532852fd920b1762879bdb4.exe
"C:\Users\Admin\AppData\Local\Temp\3c22535d901d1fbeb594defa63ffe64a8da4accd8532852fd920b1762879bdb4.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3352
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2176
- C:\UserDotKE\devoptiloc.exe
  C:\UserDotKE\devoptiloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintFM\optiasys.exe

Filesize
2.6MB

MD5
5a0ad201d70e80d95e2b55f142d51baa

SHA1
f3bf060fdeb37c60f639956d0c27b98e3a7950bf

SHA256
bf8a647ce49691d0d724410123630d9a3cb173c1fd28a8d2a3aad2e1b4e75d3a

SHA512
aa6e385e297d82569ad752fb10124a0ead3f9f7bd9ceaad4a8a1ea46f662f0b462164d393ab9b15367ea158dbdfad1956c0cd1ffd7414fd80ffba94cc1206783

Download Submit
C:\MintFM\optiasys.exe

Filesize
161KB

MD5
54760489354e9730377ea11a4bf34f31

SHA1
f2f81f321b75db476da54e33ca205d8e4c16a1f8

SHA256
55ea3fd9600875dd672494cdaf53b55584052bc76fa586a13e788a8ef55e16fe

SHA512
ff17aff6e3dde18a502560deb62cbf69175841a28c271715378bc35a2b52e4b954eb3d5856c425a48f36a56856ce4c9fe69f9d9a73ca89f47c1c6f02ede89b38

Download Submit
C:\UserDotKE\devoptiloc.exe

Filesize
2.6MB

MD5
bc3afcb8a560bdd37d21ff70901b4bf1

SHA1
9446145d422af65159b2976a83f9f852eb70576e

SHA256
078eef48d2b4950fd01e1e39631eb2ea991c8621683d823e5f8aad6a3499c5ad

SHA512
113b4ee31cc2a26c05db08bbf82bd5e44b7fc44cd7da2d52ad2fcbab16d6ed13110b3ebb0d94d92ad01303d3a8cc725104d1dfd03da54f760bb0970f6e718c91

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
250baf6c6d95ff9c87579c18e8ad5af2

SHA1
83dcca6c84451108e3b28c40e93c204c33eb6ac4

SHA256
af0da09ce6662384f722a63f1582a86f3f8fc1c033a85d545b3a53fde03a4c7c

SHA512
142614db6d5278bbc3de7afa21a112514e191b23a15ef4be2fd29453c8e352ca6488109583ea6568910b518f66d3f22f980cb5ee5e430d4e1d875a0cbd3cc2f5

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
173B

MD5
02b87514ad517268a6641a1badb3415d

SHA1
7144dd647231aa97ec070a17be5fe17e5f1747cd

SHA256
d08e911ce5139bc51a0ddb6de6686babbdf76d73a8ec46c744a10970da7134fa

SHA512
26e41ae2ddbf188f9565480265d0d6ff23f5cf119cfe9f3742f7d8003fb905655286e3d1548ffcd0e2a81bb52268a0e051fd995878859eebb0a73aed147a9b99

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe

Filesize
2.6MB

MD5
25116194be303f813a9b18d681483384

SHA1
890f2f1b614e7efae21cb2353aaf909cc3c4523f

SHA256
e3fe7b77b446627711fc998686df64b64c89e893024b5b2da1ed4bbf1ab61ae5

SHA512
a0b7969f81c8faf5b17937146e7ce7ec84014e0f1dfc5301d5202957028081e83dca518c3652197d771106b567807bc11f2938b39b4af22daa14676a74aad941

Download Submit