Analysis
max time kernel: 150s
max time network: 119s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 11/11/2024, 23:06

Static task: static1
Behavioral task: behavioral1
  Sample: 64f2915abe0b12773236b6aa6a334999fefed148f130fd512d2e741954b6e987.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 64f2915abe0b12773236b6aa6a334999fefed148f130fd512d2e741954b6e987.exe
  Resource: win10v2004-20241007-en
General
Target: 64f2915abe0b12773236b6aa6a334999fefed148f130fd512d2e741954b6e987.exe
Size: 2.6MB
MD5: 8b8953477fc1a7b1c477705dac753fa1
SHA1: 5d8eb49842577eb6a65efb20538f7bd3ce921abe
SHA256: 64f2915abe0b12773236b6aa6a334999fefed148f130fd512d2e741954b6e987
SHA512: 7ae486a1db0324e9afa38ed98256e59a23eb92806fad29352c7a211f7ee8354350982e6a72147d9ceca164c4a0b21658aa58bc53b3fd0d530f173814226a0681
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBVB/bS:sxX7QnxrloE5dpUpWb
Malware Config
Signatures
Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
  Process: 64f2915abe0b12773236b6aa6a334999fefed148f130fd512d2e741954b6e987.exe

Executes dropped EXE (2 IoCs)
  PID 2348  ecxdob.exe
  PID 2836  aoptiec.exe

Loads dropped DLL (2 IoCs)
  PID 2480  64f2915abe0b12773236b6aa6a334999fefed148f130fd512d2e741954b6e987.exe (two entries; the report does not name the DLLs)
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar secrets. This signature carries no IoC in the report, so it is a TTP-level label rather than an observed file or registry access.
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocH4\\aoptiec.exe"
    Process: 64f2915abe0b12773236b6aa6a334999fefed148f130fd512d2e741954b6e987.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax53\\optialoc.exe"
    Process: 64f2915abe0b12773236b6aa6a334999fefed148f130fd512d2e741954b6e987.exe
  Both values use the same name, "Parametr". Note that the RunOnce target C:\Galax53\optialoc.exe is not among the dropped files or the processes recorded elsewhere in this report, so only the Run entry (aoptiec.exe) is confirmed by the process tree.
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by 64f2915abe0b12773236b6aa6a334999fefed148f130fd512d2e741954b6e987.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by ecxdob.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by aoptiec.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2480  64f2915abe0b12773236b6aa6a334999fefed148f130fd512d2e741954b6e987.exe (2 entries)
  PID 2348  ecxdob.exe and PID 2836  aoptiec.exe (the remaining 62 entries, alternating between the two)
Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2480 (64f2915abe0b12773236b6aa6a334999fefed148f130fd512d2e741954b6e987.exe) wrote to memory of PID 2348, procid_target 30 (4 entries)
  PID 2480 (64f2915abe0b12773236b6aa6a334999fefed148f130fd512d2e741954b6e987.exe) wrote to memory of PID 2836, procid_target 31 (4 entries)
  All eight writes are from the parent into the two children it has just spawned. Windows process creation itself writes the process parameters into the new child's address space, so this pattern is consistent with ordinary CreateProcess setup and, on its own, is not evidence of code injection.
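The two persistence signatures above (the Startup-folder drop and the Run/RunOnce values) are the indicators a responder would most want to check on a live host. The following Python is an added example, not code from the sandbox or from the sample: it parses the report's own "File created" and "Set value" lines, normalises the JSON-style doubled backslashes in the registry values, and flags auto-start entries whose target lies outside the directories installed software normally uses. The list of "expected" roots and the benign-looking OneDrive control line are constructed assumptions for the example.

```python
"""Triage the persistence IoCs from the report above.

Added example, not the sandbox's or the sample's code. It parses the
'File created' and 'Set value' lines exactly as the report prints them and
flags the ones a responder should check on a live host: Run/RunOnce values
whose executable sits outside the directories installed software normally
uses, and any executable dropped into the per-user Startup folder.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Finding:
    kind: str      # "run_key_unusual_path" or "startup_folder_drop"
    location: str  # registry value or dropped file path
    target: str    # executable that will run at the next logon


# The first three lines are the IoCs from this report; the fourth is a
# constructed, benign-looking control entry to show what is NOT flagged.
REPORT_IOCS = [
    r"File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe",
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocH4\\aoptiec.exe"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax53\\optialoc.exe"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe"',
]

RUNKEY_RE = re.compile(
    r'^Set value \(\w+\) (?P<key>\\REGISTRY\\.*?\\CurrentVersion\\(?:Run|RunOnce))'
    r'\\(?P<name>[^\\]+?) = "(?P<value>.*)"$'
)
FILE_RE = re.compile(r"^File created (?P<path>.+)$")
STARTUP_FOLDER = "\\microsoft\\windows\\start menu\\programs\\startup\\"

# Where an auto-started binary is ordinarily expected. AppData is included to
# keep noise down, although plenty of malware lives there too (assumption for
# this example; tune to the environment).
EXPECTED_ROOTS = [re.compile(p, re.IGNORECASE) for p in (
    r"^c:\\program files( \(x86\))?\\",
    r"^c:\\windows\\",
    r"^c:\\users\\[^\\]+\\appdata\\(local|roaming)\\",
)]


def command_path(value: str) -> str:
    """Extract the executable path from a Run value: undo the report's doubled
    backslashes, drop surrounding quotes and anything after the .exe."""
    v = value.replace("\\\\", "\\").strip().strip('"')
    m = re.match(r"(.+?\.exe)", v, re.IGNORECASE)
    return m.group(1) if m else v


def in_expected_root(path: str) -> bool:
    return any(r.match(path) for r in EXPECTED_ROOTS)


def parse_ioc(line: str) -> Optional[Finding]:
    """Return a Finding for a persistence IoC line, or None if the line is
    benign by the rules above or is not a persistence indicator at all."""
    m = RUNKEY_RE.match(line)
    if m:
        target = command_path(m.group("value"))
        if in_expected_root(target):
            return None
        return Finding("run_key_unusual_path", m.group("key") + "\\" + m.group("name"), target)
    m = FILE_RE.match(line)
    if m and STARTUP_FOLDER in m.group("path").lower():
        return Finding("startup_folder_drop", m.group("path"), m.group("path"))
    return None


def triage(lines: List[str]) -> List[Finding]:
    return [f for f in (parse_ioc(l) for l in lines) if f is not None]


if __name__ == "__main__":
    for f in triage(REPORT_IOCS):
        print(f"{f.kind:22} {f.target}")
```

Run against the report's lines this yields three findings: the Startup-folder drop of ecxdob.exe and the two Run/RunOnce values pointing at C:\IntelprocH4\aoptiec.exe and C:\Galax53\optialoc.exe; the constructed OneDrive entry under Program Files is ignored. On a live host the same rules apply to the output of reg query on the HKCU Run/RunOnce keys and a directory listing of the Startup folder.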
Processes
C:\Users\Admin\AppData\Local\Temp\64f2915abe0b12773236b6aa6a334999fefed148f130fd512d2e741954b6e987.exe (PID 2480, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\64f2915abe0b12773236b6aa6a334999fefed148f130fd512d2e741954b6e987.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe (PID 2348, depth 2, child of 2480)
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

  C:\IntelprocH4\aoptiec.exe (PID 2836, depth 2, child of 2480)
    command line: C:\IntelprocH4\aoptiec.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
The report lists the following files by size and hash only; it does not map them to the paths above. Three of them are 2.6MB, the same size as the submitted sample, but none shares the sample's hashes (sample MD5 8b8953477fc1a7b1c477705dac753fa1).

File 1
  Filesize: 77KB
  MD5: 881b44e9c4c7d641a48b98741755d22a
  SHA1: 9209a66b4240ba99c65144e8b2c49b20a524dc96
  SHA256: eee65d8ac29c18cb321742a0a302c0eb9e5895599eaea69ba1fec23bfafb492d
  SHA512: 60ac77096914af561c4e706c78ee7b811abd8b82093142ed71ed549d25f3620ae7aa4f99e1294f9a1aaef5771c5f736ca0ed9b7ca893674b6831ae1f02d56095

File 2
  Filesize: 2.6MB
  MD5: c84c2b623d2bcc3904ec141ac0690abb
  SHA1: cabf8a3a013522ccead3bd1790ce5a2a2ebb2422
  SHA256: 436b4c7313dcbae554a30ff4d72fb06502b33e7ddf0ff8a4f3d1d2a6418b69d8
  SHA512: 01cdc18d890af3ca96bbf31f4efdae8ef85ede7d68139ab5e0a8694d2623c2f482d91b1ad99cdb966efad16a003788ccafbc543e4684fc5ba77398ecc7171c0d

File 3
  Filesize: 41KB
  MD5: 9388e57ebbb164d5da77d8feb692e28a
  SHA1: b42da051aea4b078bc43d7da99fd80d71913921b
  SHA256: 55916fe98ea4c5992f2107885b71299bdb2a3b2deb4dd643272e8eeb036ad801
  SHA512: 3968aaff78df58acb63d77ea4f77e4c8849eac43e0deb8bf2e6ca5c2d14d91d559edaa135ad13afb487838fdb82f8a16020d95bac4ccf941d79a3c8620efe400

File 4
  Filesize: 2.6MB
  MD5: 85571bda80171ae3c4a346580e4a2055
  SHA1: eea0e5934a756363cdf560e456cccd7434569d9b
  SHA256: 02680acc39a51c9ffe2de44210c55ea86acd065d7b82b90ae0ade57f776361cd
  SHA512: 443d5fd94b9feb6633705a63e27852887230136bc8a507f43fe3635b12bc5b65273c2b539b404ced846e037e8a87f2a3d17c83aa4ee796214fb4130f6a8287e0

File 5
  Filesize: 173B
  MD5: c0d5a9b3cccd7f1df7d9e44cb0fac432
  SHA1: ead410751c4fd1b5cf9684b8021cf7ed9cb0ccf5
  SHA256: 2969a387ef31091fabe461ea28a1779acdb93c747fa4cbe5f8d5ea6df1a823b1
  SHA512: 045fbeadeb37c72a2d35dba58312134e73989c701bdfba20ad7bc978d3ba1418fc8af9ad09adeb1f4d3263952a45f4ebd08a0ac189d447e67223f701faddb28a

File 6
  Filesize: 205B
  MD5: 82283367fc8a0db4a423581ff57e59e3
  SHA1: 0fb673c8049b0ed065d9b130968ddf8d9051d140
  SHA256: 56442c4b71cf38d16ba15dcc7fbc184bc2e9fb179dec5d6d2e57210d1e6ea0e4
  SHA512: e60c71fe7b34671f3ec16992e9916837de8de87b0cf45a7e08e8bca4a0929be8d3722a7185bc442a968a2a037215ba0335133386df0641485bbaf6265ef7748d

File 7
  Filesize: 2.6MB
  MD5: 3fd06005381c363f2d49c1d0e4b13ca7
  SHA1: d28e3890eb2f475abd3357c5ace7106b11ecbdeb
  SHA256: 595b3232a346298938521d066330453a4795c4d0c9a0a9382aac2c44cbf02fdb
  SHA512: b80a879672899e9f5f0c9a6a95c8c3bf36a267ff501d4010517886a73d25385cc5686f70a6de32eab729b4bc487d61ff0b2fde8c1367f2f5294e9d4cb7f444dd