77b27b25c923beb5832ddfb1b0b51c42266264efb74c2f8485412605ce3ab6a4

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20/11/2024, 00:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

77b27b25c923beb5832ddfb1b0b51c42266264efb74c2f8485412605ce3ab6a4.exe
Size

2.6MB
MD5

0375775bd6458bc3b45ee5d1897144b1
SHA1

d7cb4fbdbb3e20524646ae1e44a0f69e87a19780
SHA256

77b27b25c923beb5832ddfb1b0b51c42266264efb74c2f8485412605ce3ab6a4
SHA512

31a297db3acc37ccd9e5b120576520d2575624c91fccd297f2cf5bc2bc635b9fac3b17f315a302d525890003d3519b261bc0e5da6c02d1c510a40ba5311e0fad
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBfB/bS:sxX7QnxrloE5dpUp0b

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe	77b27b25c923beb5832ddfb1b0b51c42266264efb74c2f8485412605ce3ab6a4.exe

Executes dropped EXE 2 IoCs

pid	Process
2788	locabod.exe
2684	aoptiec.exe

Loads dropped DLL 2 IoCs

pid	Process
1876	77b27b25c923beb5832ddfb1b0b51c42266264efb74c2f8485412605ce3ab6a4.exe
1876	77b27b25c923beb5832ddfb1b0b51c42266264efb74c2f8485412605ce3ab6a4.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocDP\\aoptiec.exe"	77b27b25c923beb5832ddfb1b0b51c42266264efb74c2f8485412605ce3ab6a4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintTE\\dobdevec.exe"	77b27b25c923beb5832ddfb1b0b51c42266264efb74c2f8485412605ce3ab6a4.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	77b27b25c923beb5832ddfb1b0b51c42266264efb74c2f8485412605ce3ab6a4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locabod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aoptiec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1876	77b27b25c923beb5832ddfb1b0b51c42266264efb74c2f8485412605ce3ab6a4.exe
1876	77b27b25c923beb5832ddfb1b0b51c42266264efb74c2f8485412605ce3ab6a4.exe
2788	locabod.exe
2684	aoptiec.exe
2788	locabod.exe
2684	aoptiec.exe
2788	locabod.exe
2684	aoptiec.exe
2788	locabod.exe
2684	aoptiec.exe
2788	locabod.exe
2684	aoptiec.exe
2788	locabod.exe
2684	aoptiec.exe
2788	locabod.exe
2684	aoptiec.exe
2788	locabod.exe
2684	aoptiec.exe
2788	locabod.exe
2684	aoptiec.exe
2788	locabod.exe
2684	aoptiec.exe
2788	locabod.exe
2684	aoptiec.exe
2788	locabod.exe
2684	aoptiec.exe
2788	locabod.exe
2684	aoptiec.exe
2788	locabod.exe
2684	aoptiec.exe
2788	locabod.exe
2684	aoptiec.exe
2788	locabod.exe
2684	aoptiec.exe
2788	locabod.exe
2684	aoptiec.exe
2788	locabod.exe
2684	aoptiec.exe
2788	locabod.exe
2684	aoptiec.exe
2788	locabod.exe
2684	aoptiec.exe
2788	locabod.exe
2684	aoptiec.exe
2788	locabod.exe
2684	aoptiec.exe
2788	locabod.exe
2684	aoptiec.exe
2788	locabod.exe
2684	aoptiec.exe
2788	locabod.exe
2684	aoptiec.exe
2788	locabod.exe
2684	aoptiec.exe
2788	locabod.exe
2684	aoptiec.exe
2788	locabod.exe
2684	aoptiec.exe
2788	locabod.exe
2684	aoptiec.exe
2788	locabod.exe
2684	aoptiec.exe
2788	locabod.exe
2684	aoptiec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1876 wrote to memory of 2788	1876	77b27b25c923beb5832ddfb1b0b51c42266264efb74c2f8485412605ce3ab6a4.exe	30
PID 1876 wrote to memory of 2788	1876	77b27b25c923beb5832ddfb1b0b51c42266264efb74c2f8485412605ce3ab6a4.exe	30
PID 1876 wrote to memory of 2788	1876	77b27b25c923beb5832ddfb1b0b51c42266264efb74c2f8485412605ce3ab6a4.exe	30
PID 1876 wrote to memory of 2788	1876	77b27b25c923beb5832ddfb1b0b51c42266264efb74c2f8485412605ce3ab6a4.exe	30
PID 1876 wrote to memory of 2684	1876	77b27b25c923beb5832ddfb1b0b51c42266264efb74c2f8485412605ce3ab6a4.exe	31
PID 1876 wrote to memory of 2684	1876	77b27b25c923beb5832ddfb1b0b51c42266264efb74c2f8485412605ce3ab6a4.exe	31
PID 1876 wrote to memory of 2684	1876	77b27b25c923beb5832ddfb1b0b51c42266264efb74c2f8485412605ce3ab6a4.exe	31
PID 1876 wrote to memory of 2684	1876	77b27b25c923beb5832ddfb1b0b51c42266264efb74c2f8485412605ce3ab6a4.exe	31

C:\Users\Admin\AppData\Local\Temp\77b27b25c923beb5832ddfb1b0b51c42266264efb74c2f8485412605ce3ab6a4.exe
"C:\Users\Admin\AppData\Local\Temp\77b27b25c923beb5832ddfb1b0b51c42266264efb74c2f8485412605ce3ab6a4.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1876
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2788
- C:\IntelprocDP\aoptiec.exe
  C:\IntelprocDP\aoptiec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocDP\aoptiec.exe

Filesize
2.6MB

MD5
fc379d07bac35b3454d5187e5d9ea766

SHA1
bcb2081cd92388ad26ab5f56144f4f5a396ef86f

SHA256
eb8ed4a902dcd25f809d43ce5b7e99934cdf6f48fc58422f5219f7226c8592a6

SHA512
c14c34d4524357a408ff39b35e512a31659478e2eb949844f5340ee5010e0b7b144812f86d1417140e4c2770b47aa2de5c8763dc4af54326799302fddc6c3263

Download Submit
C:\MintTE\dobdevec.exe

Filesize
2.6MB

MD5
6d7e13b626d0e89a142a820ef9cb6a32

SHA1
e7f77a2878875a0e2c2959404cf8da94dd33b3c1

SHA256
c80f79289f5452ad644a63f1d567874f06a38c97a025b952dd656b629149bb8c

SHA512
6c3fab30bf236adfdeb100980817c1a0f680c4ec09cba48f7cb351f28b6249dd4ed7ac81b08ffaf6c9591aa549920eb34e1a660f44ecef86920a3fadec73ddd3

Download Submit
C:\MintTE\dobdevec.exe

Filesize
2.6MB

MD5
cdd193b29fa7b7e4479fe014ef6009f1

SHA1
90a634457ce6f93e86a3303f064310e7640c2de9

SHA256
0bc4114469a8a0ed43e60b5c6533d31d1b167b2ed58367b2af3a313775440ffe

SHA512
951b76ada15341f61d4e9f2ec0902c98765ccb7f8254820cb4dbe0ca7948d9e860576e1f810b9c4338c274ed23838148ebd1cdd7a87a7e496fc41a4abf2f3812

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
173B

MD5
8b1bfb12d5d60139f0314d060047afab

SHA1
c7f77cbe776f97f1ecd7e1cce9465370be3bc8ff

SHA256
bd1b31981b6447b02dd9a28047c0d666b1984045c75a5e6c35f2ef06c0c79fd0

SHA512
cb8a10aa1519b774a8480fc12cf839a8b829a318a0e88fd9be7fe146dc6ca0cc66a5645ed0bf6a505b2e1f1ac285c85af6ef9c0541cc6cbc6cdea6c531f554f3

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
205B

MD5
f46069d12cf0d1b7d0e1e71c658122c6

SHA1
064fa4b27bf88d4e0ed63e96c0127028e0b7c031

SHA256
354acd9b091ef12c65a3b9bf1b5b94744d76daad6cf47784c9aba09f160ce0de

SHA512
5177055a63b83cff3c87549e6db03aedf3a18553b69c0eeb759fd1965b820736abd5168da392b8b69910d524116bfeb216e530362f87dce49aa807f6aa7d13ac

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe

Filesize
2.6MB

MD5
e7cbf489921c387deb56a07063fbb842

SHA1
59bbf0cf847988b45506c22e3427a6ffa806bd77

SHA256
9d09ad103a5f8afbb8332b47d4391916f40edd1286cee1a80e3cf3d3303bc71c

SHA512
70d367f36115dded53d24fb81c1df9371ccaa0bced4689fbec2e965834061d47b5f2cc240631da31deff7203b015d973960d338626a28be6d064b78bcb9f31d8

Download Submit