a334a651cc4a036e464c6aa525397e6025e08375d15fef347634e167a5577b5b

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14/10/2024, 01:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a334a651cc4a036e464c6aa525397e6025e08375d15fef347634e167a5577b5b.exe
Size

2.6MB
MD5

e1133590309608d2310f9a298528516b
SHA1

5573c3d74a3e88eb0c92b1c1149be829742f7d1b
SHA256

a334a651cc4a036e464c6aa525397e6025e08375d15fef347634e167a5577b5b
SHA512

3cac9657cc96b39dc3533b3305ad65326b6d706050c192b68942f46c583e4c950a8cd30aca5c50dab12c839ed5bde8fd6ad88d35a30a8ff62787016c6f6f4807
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBmB/bS:sxX7QnxrloE5dpUpRb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe	a334a651cc4a036e464c6aa525397e6025e08375d15fef347634e167a5577b5b.exe

Executes dropped EXE 2 IoCs

pid	Process
2780	ecdevopti.exe
2736	aoptisys.exe

Loads dropped DLL 2 IoCs

pid	Process
2144	a334a651cc4a036e464c6aa525397e6025e08375d15fef347634e167a5577b5b.exe
2144	a334a651cc4a036e464c6aa525397e6025e08375d15fef347634e167a5577b5b.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesNV\\aoptisys.exe"	a334a651cc4a036e464c6aa525397e6025e08375d15fef347634e167a5577b5b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintL0\\boddevloc.exe"	a334a651cc4a036e464c6aa525397e6025e08375d15fef347634e167a5577b5b.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a334a651cc4a036e464c6aa525397e6025e08375d15fef347634e167a5577b5b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecdevopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aoptisys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2144	a334a651cc4a036e464c6aa525397e6025e08375d15fef347634e167a5577b5b.exe
2144	a334a651cc4a036e464c6aa525397e6025e08375d15fef347634e167a5577b5b.exe
2780	ecdevopti.exe
2736	aoptisys.exe
2780	ecdevopti.exe
2736	aoptisys.exe
2780	ecdevopti.exe
2736	aoptisys.exe
2780	ecdevopti.exe
2736	aoptisys.exe
2780	ecdevopti.exe
2736	aoptisys.exe
2780	ecdevopti.exe
2736	aoptisys.exe
2780	ecdevopti.exe
2736	aoptisys.exe
2780	ecdevopti.exe
2736	aoptisys.exe
2780	ecdevopti.exe
2736	aoptisys.exe
2780	ecdevopti.exe
2736	aoptisys.exe
2780	ecdevopti.exe
2736	aoptisys.exe
2780	ecdevopti.exe
2736	aoptisys.exe
2780	ecdevopti.exe
2736	aoptisys.exe
2780	ecdevopti.exe
2736	aoptisys.exe
2780	ecdevopti.exe
2736	aoptisys.exe
2780	ecdevopti.exe
2736	aoptisys.exe
2780	ecdevopti.exe
2736	aoptisys.exe
2780	ecdevopti.exe
2736	aoptisys.exe
2780	ecdevopti.exe
2736	aoptisys.exe
2780	ecdevopti.exe
2736	aoptisys.exe
2780	ecdevopti.exe
2736	aoptisys.exe
2780	ecdevopti.exe
2736	aoptisys.exe
2780	ecdevopti.exe
2736	aoptisys.exe
2780	ecdevopti.exe
2736	aoptisys.exe
2780	ecdevopti.exe
2736	aoptisys.exe
2780	ecdevopti.exe
2736	aoptisys.exe
2780	ecdevopti.exe
2736	aoptisys.exe
2780	ecdevopti.exe
2736	aoptisys.exe
2780	ecdevopti.exe
2736	aoptisys.exe
2780	ecdevopti.exe
2736	aoptisys.exe
2780	ecdevopti.exe
2736	aoptisys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2144 wrote to memory of 2780	2144	a334a651cc4a036e464c6aa525397e6025e08375d15fef347634e167a5577b5b.exe	30
PID 2144 wrote to memory of 2780	2144	a334a651cc4a036e464c6aa525397e6025e08375d15fef347634e167a5577b5b.exe	30
PID 2144 wrote to memory of 2780	2144	a334a651cc4a036e464c6aa525397e6025e08375d15fef347634e167a5577b5b.exe	30
PID 2144 wrote to memory of 2780	2144	a334a651cc4a036e464c6aa525397e6025e08375d15fef347634e167a5577b5b.exe	30
PID 2144 wrote to memory of 2736	2144	a334a651cc4a036e464c6aa525397e6025e08375d15fef347634e167a5577b5b.exe	31
PID 2144 wrote to memory of 2736	2144	a334a651cc4a036e464c6aa525397e6025e08375d15fef347634e167a5577b5b.exe	31
PID 2144 wrote to memory of 2736	2144	a334a651cc4a036e464c6aa525397e6025e08375d15fef347634e167a5577b5b.exe	31
PID 2144 wrote to memory of 2736	2144	a334a651cc4a036e464c6aa525397e6025e08375d15fef347634e167a5577b5b.exe	31

C:\Users\Admin\AppData\Local\Temp\a334a651cc4a036e464c6aa525397e6025e08375d15fef347634e167a5577b5b.exe
"C:\Users\Admin\AppData\Local\Temp\a334a651cc4a036e464c6aa525397e6025e08375d15fef347634e167a5577b5b.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2144
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2780
- C:\FilesNV\aoptisys.exe
  C:\FilesNV\aoptisys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesNV\aoptisys.exe

Filesize
2.6MB

MD5
f16c064b21649878a401f70a8e564219

SHA1
68b4f74aa3cac72f708438763296e180ee421f86

SHA256
2c31f9874def023c42bc9f8dfc729d5a755eb33bf7ee41c4cf925b8b06453965

SHA512
86e25fb056cf423966d322100ea7c1a6983f9b63b8c46080db0e3352d39ec7d304abc07c15729ce0d86792e1e5d3029af397711519f08e69d58071c99517cef3

Download Submit
C:\MintL0\boddevloc.exe

Filesize
2.6MB

MD5
ff0328d35f89cce5c3d3dcbacce05bcc

SHA1
ef785a4fffcc926108d5ebc1dbc8d8449fdf4556

SHA256
45680fdf2851403dcaab3cff8308b6c08387b4c4ca4e7739bcc7f8de34a8b611

SHA512
16cdcc224818030e399ec0e13f4f1b38ccd870cd921b2880f9b20c5855679414f03b9ace84587014425b7aff09337e7f409e0a60cd05c9b0d7ed717c65bfe0aa

Download Submit
C:\MintL0\boddevloc.exe

Filesize
2.6MB

MD5
24c4b00dc01de07d47307b451c4aa5e8

SHA1
c85b35cbaaa6b505e36a440c302830296aac71e9

SHA256
62249cdc066f21a81c0473aebd59107213de9dff9837bf11bdac8bf0310140d2

SHA512
641abe44fd308802623cf9d4b400479e4dc4afdbec6ec4d7d9811761939a8239bb958ce038ecc3473f80407a2b7866d99a73baea7026c3b64aaf4a78cdd4f0c6

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
173B

MD5
d2039737848a72dfd63d3a3605ca448c

SHA1
dfe9c73b18ee0ab3a40d7739257040a93d227e7a

SHA256
4f99b5ad67e8618f0f5af6a28a97d6e1547d5c947c40873a3178c3ba94b9b038

SHA512
e68b7b8a1a407992d013b614007a3747050232fea896d5bfe7bb57d7b9d753cf82f6737fca9ebb7c372b2fd78028f6cea9482195d0b2768994a931099484557d

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
205B

MD5
0f727b6d321862b89a1252f97131832f

SHA1
3eb1c36ee12600f1f0185e78ccbd1059ff5cb0fe

SHA256
91adcc2b54b51408335bfb0eb6a325cfbbbabb12d496c1d9d863de25a3714c4b

SHA512
93f5414fa8434bc778a9ca8c530e519a18bfde1cbbd81cee664432fd895118f722007a2c28caa027649b66aa5698126c67c786700fdb442923403da6bfd004fb

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe

Filesize
2.6MB

MD5
7f419abcb082d55c276c66dd3c805938

SHA1
e9f63338f1e556e2b798303faa5812dcc59449c8

SHA256
df4df27768d349a7da4e02808f9137b186518bf0c907e60d250910fac1c569c9

SHA512
98cdf6deda963a04616ec15d8cab7f5a1740e6bb23537b84c8055713a7859d764f309f4ee7a39e903d1fe5f6ce2d2d981f89af3a6deaeb786206ebc2f031122d

Download Submit