Analysis
max time kernel: 149s
max time network: 118s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 02/06/2024, 22:36
Static task: static1
Behavioral task: behavioral1
  Sample: 5e6b158b79e63613891c8d38c0b136d7b0b518f2538eabfb0593bc84028ab094.exe
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: 5e6b158b79e63613891c8d38c0b136d7b0b518f2538eabfb0593bc84028ab094.exe
  Resource: win10v2004-20240426-en
General
Target: 5e6b158b79e63613891c8d38c0b136d7b0b518f2538eabfb0593bc84028ab094.exe
Size: 4.1MB
MD5: a26b0c1f30402f8b97054ea100d4dd51
SHA1: 1af814ab4eb518cf8916dcf819a680f93390fa8b
SHA256: 5e6b158b79e63613891c8d38c0b136d7b0b518f2538eabfb0593bc84028ab094
SHA512: 99fa76ca41d4f33999416b6256c6b839f71b4bbacb826d423f1dbe2b06f6adf1ee761970e13bba6b3de051e045bfa926ba01123d02160d26028924722b2ac8de
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBGB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUplbVz8eLFcz
Malware Config

Signatures

Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
  Process: 5e6b158b79e63613891c8d38c0b136d7b0b518f2538eabfb0593bc84028ab094.exe

Executes dropped EXE (2 IoCs)
  PID 2644: locadob.exe
  PID 2676: aoptiloc.exe

Loads dropped DLL (2 IoCs)
  PID 2264: 5e6b158b79e63613891c8d38c0b136d7b0b518f2538eabfb0593bc84028ab094.exe
  PID 2264: 5e6b158b79e63613891c8d38c0b136d7b0b518f2538eabfb0593bc84028ab094.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files7F\\aoptiloc.exe"
    Process: 5e6b158b79e63613891c8d38c0b136d7b0b518f2538eabfb0593bc84028ab094.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZWP\\dobdevloc.exe"
    Process: 5e6b158b79e63613891c8d38c0b136d7b0b518f2538eabfb0593bc84028ab094.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Unique pid/process pairs across the 64 entries (the remaining entries alternate between the two dropped executables):
  PID 2264: 5e6b158b79e63613891c8d38c0b136d7b0b518f2538eabfb0593bc84028ab094.exe
  PID 2644: locadob.exe
  PID 2676: aoptiloc.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2264 (5e6b158b79e63613891c8d38c0b136d7b0b518f2538eabfb0593bc84028ab094.exe) wrote to memory of PID 2644, procid_target 28 (4 entries)
  PID 2264 (5e6b158b79e63613891c8d38c0b136d7b0b518f2538eabfb0593bc84028ab094.exe) wrote to memory of PID 2676, procid_target 29 (4 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\5e6b158b79e63613891c8d38c0b136d7b0b518f2538eabfb0593bc84028ab094.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5e6b158b79e63613891c8d38c0b136d7b0b518f2538eabfb0593bc84028ab094.exe"
  PID: 2264
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
    PID: 2644
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses

  C:\Files7F\aoptiloc.exe
    Command line: C:\Files7F\aoptiloc.exe
    PID: 2676
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads