899adac1eff0b61dd48b816c80e41ef7d5e2c932b2e96d3dc1e7fd25c786a504

Analysis

max time kernel
118s
max time network
18s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
19/11/2024, 14:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

899adac1eff0b61dd48b816c80e41ef7d5e2c932b2e96d3dc1e7fd25c786a504N.exe
Size

2.6MB
MD5

85214b013a30a30ea2fd9d86276a0830
SHA1

370891830afd0cc8a3f1869d077dc668cf5d8a30
SHA256

899adac1eff0b61dd48b816c80e41ef7d5e2c932b2e96d3dc1e7fd25c786a504
SHA512

925b0be12f62233e17a1928defe4ebc35a4ff62c66c93c9c9e0f39ab902674f9c8216b39f0b67c0801d826f1367a493e0521badce45730a621c88d4cd5fa1bf2
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBuB/bS:sxX7QnxrloE5dpUp9b

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe	899adac1eff0b61dd48b816c80e41ef7d5e2c932b2e96d3dc1e7fd25c786a504N.exe

Executes dropped EXE 2 IoCs

pid	Process
1824	ecaopti.exe
3032	aoptiloc.exe

Loads dropped DLL 2 IoCs

pid	Process
2524	899adac1eff0b61dd48b816c80e41ef7d5e2c932b2e96d3dc1e7fd25c786a504N.exe
2524	899adac1eff0b61dd48b816c80e41ef7d5e2c932b2e96d3dc1e7fd25c786a504N.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotZN\\aoptiloc.exe"	899adac1eff0b61dd48b816c80e41ef7d5e2c932b2e96d3dc1e7fd25c786a504N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint0M\\dobxloc.exe"	899adac1eff0b61dd48b816c80e41ef7d5e2c932b2e96d3dc1e7fd25c786a504N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	899adac1eff0b61dd48b816c80e41ef7d5e2c932b2e96d3dc1e7fd25c786a504N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecaopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aoptiloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2524	899adac1eff0b61dd48b816c80e41ef7d5e2c932b2e96d3dc1e7fd25c786a504N.exe
2524	899adac1eff0b61dd48b816c80e41ef7d5e2c932b2e96d3dc1e7fd25c786a504N.exe
1824	ecaopti.exe
3032	aoptiloc.exe
1824	ecaopti.exe
1824	ecaopti.exe
3032	aoptiloc.exe
1824	ecaopti.exe
3032	aoptiloc.exe
1824	ecaopti.exe
3032	aoptiloc.exe
1824	ecaopti.exe
3032	aoptiloc.exe
1824	ecaopti.exe
3032	aoptiloc.exe
1824	ecaopti.exe
3032	aoptiloc.exe
1824	ecaopti.exe
3032	aoptiloc.exe
1824	ecaopti.exe
3032	aoptiloc.exe
1824	ecaopti.exe
3032	aoptiloc.exe
1824	ecaopti.exe
3032	aoptiloc.exe
1824	ecaopti.exe
3032	aoptiloc.exe
1824	ecaopti.exe
3032	aoptiloc.exe
1824	ecaopti.exe
3032	aoptiloc.exe
1824	ecaopti.exe
3032	aoptiloc.exe
1824	ecaopti.exe
3032	aoptiloc.exe
1824	ecaopti.exe
3032	aoptiloc.exe
1824	ecaopti.exe
3032	aoptiloc.exe
1824	ecaopti.exe
3032	aoptiloc.exe
1824	ecaopti.exe
3032	aoptiloc.exe
1824	ecaopti.exe
3032	aoptiloc.exe
1824	ecaopti.exe
3032	aoptiloc.exe
1824	ecaopti.exe
3032	aoptiloc.exe
1824	ecaopti.exe
3032	aoptiloc.exe
1824	ecaopti.exe
3032	aoptiloc.exe
1824	ecaopti.exe
3032	aoptiloc.exe
1824	ecaopti.exe
3032	aoptiloc.exe
1824	ecaopti.exe
3032	aoptiloc.exe
1824	ecaopti.exe
3032	aoptiloc.exe
1824	ecaopti.exe
3032	aoptiloc.exe
1824	ecaopti.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 1824	2524	899adac1eff0b61dd48b816c80e41ef7d5e2c932b2e96d3dc1e7fd25c786a504N.exe	30
PID 2524 wrote to memory of 1824	2524	899adac1eff0b61dd48b816c80e41ef7d5e2c932b2e96d3dc1e7fd25c786a504N.exe	30
PID 2524 wrote to memory of 1824	2524	899adac1eff0b61dd48b816c80e41ef7d5e2c932b2e96d3dc1e7fd25c786a504N.exe	30
PID 2524 wrote to memory of 1824	2524	899adac1eff0b61dd48b816c80e41ef7d5e2c932b2e96d3dc1e7fd25c786a504N.exe	30
PID 2524 wrote to memory of 3032	2524	899adac1eff0b61dd48b816c80e41ef7d5e2c932b2e96d3dc1e7fd25c786a504N.exe	31
PID 2524 wrote to memory of 3032	2524	899adac1eff0b61dd48b816c80e41ef7d5e2c932b2e96d3dc1e7fd25c786a504N.exe	31
PID 2524 wrote to memory of 3032	2524	899adac1eff0b61dd48b816c80e41ef7d5e2c932b2e96d3dc1e7fd25c786a504N.exe	31
PID 2524 wrote to memory of 3032	2524	899adac1eff0b61dd48b816c80e41ef7d5e2c932b2e96d3dc1e7fd25c786a504N.exe	31

C:\Users\Admin\AppData\Local\Temp\899adac1eff0b61dd48b816c80e41ef7d5e2c932b2e96d3dc1e7fd25c786a504N.exe
"C:\Users\Admin\AppData\Local\Temp\899adac1eff0b61dd48b816c80e41ef7d5e2c932b2e96d3dc1e7fd25c786a504N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1824
- C:\UserDotZN\aoptiloc.exe
  C:\UserDotZN\aoptiloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Mint0M\dobxloc.exe

Filesize
2.6MB

MD5
b950e41d78676d4bccefeacfb1d7d61b

SHA1
8e97256bf3806a1f90b7e8d8060a42b9c1672c50

SHA256
0d1af2e3dd511084e17a9070560d7ce5d24c4d7f9c9f19f9a9044087a67c7ffe

SHA512
6cf744932d68ece36d08c963f432c092a2eca49624e8b0e9be4fd308d3e1b4b1b5880b27652e26b6a8402379d50b779d0b6fcae3e83219daa578f9959e065749

Download Submit
C:\Mint0M\dobxloc.exe

Filesize
2.6MB

MD5
c7265b183a6d8aa708123a8f78135f61

SHA1
aa099f10272ebc3fbd56034471889dddf5b5eba5

SHA256
e3ef333981e0f00911e5013c5ea2545ab943075a3b44286ec49e4245e1bb9c8d

SHA512
bb726a7ca2ce38ef5acc7295b9e40d6496c13b3e950980b1fd00fc8256116bb14a8c5571fc6a965b81fce94924d8d8e11994650d77a4bfe77a32432f8952f499

Download Submit
C:\UserDotZN\aoptiloc.exe

Filesize
2.6MB

MD5
fa01ef52b2801427d699e3eb5cb5f0d7

SHA1
f3d09ebb1aa074a33bb7e67b60dc9cb51c167f24

SHA256
d6270be67e0225fee872218071dffee086187744ec9c392d349952ea2a1a0ab8

SHA512
aa19c6808800d98e69164318183fc213dbda0b519f0589be60f2ced574cde8af373a012978c8afb766f1fffb0bbab33914ba02dab94ce43743008cb58dd7a5b2

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
171B

MD5
2db8c308b77cf742df9ab3dbf6f45cc4

SHA1
3c83812865d06f969b0d6bad9e04726006c1a03c

SHA256
4bef9b80faf3efdec7fef3083353b60ca960fc5f687d54eb225cbe63e740b50c

SHA512
a4d064458d780cb1969d0f70cb9f64ed093b8defde0d22911fa7ac35e83485b17105e558db041d86a5900c8c98b9a4ccd11bc485c6160bd3eed630f5491f1d57

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
67487ac50c3f61a1d53e59e6e7c5cd83

SHA1
1c0b3d50dc1503e02a398457892563be89230b39

SHA256
74f646705dbfff6b5e37365ccb99db4788267e6716c1cb7f6e38a685f96a2c0d

SHA512
7f4fcabf133d1dd4c6bea974141fd7725070aa78953011f50ee45eb25147ff5a919c592387346a97d98eef95b51ee2ca2d4d751776db542e4489c03f88d820de

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe

Filesize
2.6MB

MD5
3d9f76e269d84a4cc28f8ed3d44e2a5a

SHA1
b4016c93aa76c566bffbc2c5fb69f5cdc2264b2e

SHA256
ae773e17e1cb2ffdd5691abe062443519cb7286029fc29d9cd6efc7985f6810a

SHA512
4ba5b4bc13db902b4624ba8abc9de6d46ca188b4cfa7a2f45f605840e8c4c70bfddd8b9ab5488bba185976126ec78a87607390ac834ef4b4ecdc7fc075902ae7

Download Submit