6615bd5c88c83a8ee2c982922502c7a7539d20f5fe109d6e91c8f696a4f4eba5

Analysis

max time kernel
120s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/11/2024, 11:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6615bd5c88c83a8ee2c982922502c7a7539d20f5fe109d6e91c8f696a4f4eba5.exe
Size

2.6MB
MD5

81bde41239fc38898b304acc8b77c758
SHA1

32a178c52383813fac646102cd0951e2d051dab6
SHA256

6615bd5c88c83a8ee2c982922502c7a7539d20f5fe109d6e91c8f696a4f4eba5
SHA512

88628ba44d9f8562975a4c8b3bebdc9b1e07ca3fa70963105df78f892fe9a0c19adbb506b02ad19fbefe625f2ee91dc198a65418b35beb8a5f54fc28fc714836
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBDB/bSW:sxX7QnxrloE5dpUpgbn

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe	6615bd5c88c83a8ee2c982922502c7a7539d20f5fe109d6e91c8f696a4f4eba5.exe

Executes dropped EXE 2 IoCs

pid	Process
1992	ecxopti.exe
2944	adobsys.exe

Loads dropped DLL 2 IoCs

pid	Process
2332	6615bd5c88c83a8ee2c982922502c7a7539d20f5fe109d6e91c8f696a4f4eba5.exe
2332	6615bd5c88c83a8ee2c982922502c7a7539d20f5fe109d6e91c8f696a4f4eba5.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocS5\\adobsys.exe"	6615bd5c88c83a8ee2c982922502c7a7539d20f5fe109d6e91c8f696a4f4eba5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBAP\\optiasys.exe"	6615bd5c88c83a8ee2c982922502c7a7539d20f5fe109d6e91c8f696a4f4eba5.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adobsys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6615bd5c88c83a8ee2c982922502c7a7539d20f5fe109d6e91c8f696a4f4eba5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecxopti.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2332	6615bd5c88c83a8ee2c982922502c7a7539d20f5fe109d6e91c8f696a4f4eba5.exe
2332	6615bd5c88c83a8ee2c982922502c7a7539d20f5fe109d6e91c8f696a4f4eba5.exe
1992	ecxopti.exe
2944	adobsys.exe
1992	ecxopti.exe
2944	adobsys.exe
1992	ecxopti.exe
2944	adobsys.exe
1992	ecxopti.exe
2944	adobsys.exe
1992	ecxopti.exe
2944	adobsys.exe
1992	ecxopti.exe
2944	adobsys.exe
1992	ecxopti.exe
2944	adobsys.exe
1992	ecxopti.exe
2944	adobsys.exe
1992	ecxopti.exe
2944	adobsys.exe
1992	ecxopti.exe
2944	adobsys.exe
1992	ecxopti.exe
2944	adobsys.exe
1992	ecxopti.exe
2944	adobsys.exe
1992	ecxopti.exe
2944	adobsys.exe
1992	ecxopti.exe
2944	adobsys.exe
1992	ecxopti.exe
2944	adobsys.exe
1992	ecxopti.exe
2944	adobsys.exe
1992	ecxopti.exe
2944	adobsys.exe
1992	ecxopti.exe
2944	adobsys.exe
1992	ecxopti.exe
2944	adobsys.exe
1992	ecxopti.exe
2944	adobsys.exe
1992	ecxopti.exe
2944	adobsys.exe
1992	ecxopti.exe
2944	adobsys.exe
1992	ecxopti.exe
2944	adobsys.exe
1992	ecxopti.exe
2944	adobsys.exe
1992	ecxopti.exe
2944	adobsys.exe
1992	ecxopti.exe
2944	adobsys.exe
1992	ecxopti.exe
2944	adobsys.exe
1992	ecxopti.exe
2944	adobsys.exe
1992	ecxopti.exe
2944	adobsys.exe
1992	ecxopti.exe
2944	adobsys.exe
1992	ecxopti.exe
2944	adobsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 1992	2332	6615bd5c88c83a8ee2c982922502c7a7539d20f5fe109d6e91c8f696a4f4eba5.exe	30
PID 2332 wrote to memory of 1992	2332	6615bd5c88c83a8ee2c982922502c7a7539d20f5fe109d6e91c8f696a4f4eba5.exe	30
PID 2332 wrote to memory of 1992	2332	6615bd5c88c83a8ee2c982922502c7a7539d20f5fe109d6e91c8f696a4f4eba5.exe	30
PID 2332 wrote to memory of 1992	2332	6615bd5c88c83a8ee2c982922502c7a7539d20f5fe109d6e91c8f696a4f4eba5.exe	30
PID 2332 wrote to memory of 2944	2332	6615bd5c88c83a8ee2c982922502c7a7539d20f5fe109d6e91c8f696a4f4eba5.exe	32
PID 2332 wrote to memory of 2944	2332	6615bd5c88c83a8ee2c982922502c7a7539d20f5fe109d6e91c8f696a4f4eba5.exe	32
PID 2332 wrote to memory of 2944	2332	6615bd5c88c83a8ee2c982922502c7a7539d20f5fe109d6e91c8f696a4f4eba5.exe	32
PID 2332 wrote to memory of 2944	2332	6615bd5c88c83a8ee2c982922502c7a7539d20f5fe109d6e91c8f696a4f4eba5.exe	32

C:\Users\Admin\AppData\Local\Temp\6615bd5c88c83a8ee2c982922502c7a7539d20f5fe109d6e91c8f696a4f4eba5.exe
"C:\Users\Admin\AppData\Local\Temp\6615bd5c88c83a8ee2c982922502c7a7539d20f5fe109d6e91c8f696a4f4eba5.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1992
- C:\IntelprocS5\adobsys.exe
  C:\IntelprocS5\adobsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocS5\adobsys.exe

Filesize
14KB

MD5
5ffab038d17d47771c031d3b701e0cc5

SHA1
74d331d26e5210e7e523c750b0080e1641bb61f5

SHA256
1b2bb8b0c13c9e1418b1e48501e2a62606e0e890934e027d746c196943068982

SHA512
fad3e0cee5656b4fb350050395b6d8039f870087a145394dfc2eab77587a10e53b2e421be937a90a9a80244cbd3096e07f785a35d7df3b5efb0e258ca75678ec

Download Submit
C:\KaVBAP\optiasys.exe

Filesize
2.6MB

MD5
8ed09c15797455b6175396e6cd63df90

SHA1
105307c75cd8082b5ebb482fa0d5bbb1ca0e3f67

SHA256
8c7b21fc41116ffb55a73e2034b9f4caf7f0b3af876290a8987c59c2e67daab3

SHA512
00024aafe1b85a019bfc7dd2fdb13f8637f45857ade00752f2bb7fdcf84c2fdb4796c0f387299a0e22d3959f8015b408e3a6e8ee8a1d7d0b52710c0d4ef482c9

Download Submit
C:\KaVBAP\optiasys.exe

Filesize
2.6MB

MD5
4edbe79a3da8dbfd63f23c2fa51c4584

SHA1
0bec339a57b9d1bf12d448dfa91bbde01bdbb493

SHA256
785b9ee92d623d6d359d88f699b14ff870157770f314ea218fd087813c1dd3fb

SHA512
bace9ab0bb93431d8468bc55ffcaeae959ff6f7ea736d2c6788095a569725a88b4b186c3c502dee025dea3ed2d5e343b37c64a1d656b0d9e9867d6ea1554fc29

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
173B

MD5
5624797d6b16a24d3ad5da0aaa15b70f

SHA1
98051d3a7f2d955c37db7fac10bc3884de4ba1e7

SHA256
fdb0d5e642ee82d9f4a8e6d71e6321f9939d31c868c489207110bca2e48a4aed

SHA512
4a7d3a48d71935d2bffb043638f4c615aa4b946e1a22bab31568385acd409bb573ecae2d94412947bac3bd038e5a3226680750b82129f1020346de1727256492

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
205B

MD5
d4763e4dd1f6d57d7d3dfa937a8cddcb

SHA1
687a73ea48b8c85bfd97e57fa4f938ac0852248a

SHA256
14a020f05451f66cd36d0bdfb698c7ce533ddb34f4fd86a73e4062fed9c3b62e

SHA512
52f9d7cd4d23c2e27eb3c92bb7939eae91ebad55e5b6bf6439ad9f421872b44e2df95692c7ebcb4757ac1c976397b3eb85c7b7d8eb64500516fab36160d34010

Download Submit
\IntelprocS5\adobsys.exe

Filesize
2.6MB

MD5
21355d3ca92e387dfceede0c77d3098d

SHA1
a72025e7a85d734afba327cc5667e2fd1f2374bb

SHA256
e8226cbd23438c60f6a79592b0c1bc2717f6319be51a67bf2ecc2653932ede8b

SHA512
fbc4d629780acbfe52acff4ebb912b00cf276ccf8fb9054e63b48ea899a8a4320a45e55caba8e1bd6f5588775efc6230493f9862e98b66ecf25175cc3d992106

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe

Filesize
2.6MB

MD5
d8acbd7a8eaa9ff29f15b82cf7f18e20

SHA1
8d903ab445f77f5f3f6bc887d2c36e16d528e28b

SHA256
37c9c376956a8b3755cf0dd5a9410b0664720bb3c355e4b23c43c37823d61f90

SHA512
c91df5acb7ae834f1b72dfaa1d301773c23de94ef9f184ca9d449431e9a2eed174eec7d23bc91c1250bec6d2f91b60b7b3269bd5bea01561927dcb78bf0ebd43

Download Submit