39b4dc636c83bb84fe898843c7f2c0c37cd1f0233d86ef6b0c47bf60affc624e

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
04/06/2024, 20:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

39b4dc636c83bb84fe898843c7f2c0c37cd1f0233d86ef6b0c47bf60affc624e.exe
Size

3.0MB
MD5

7c7b963d7e22420de6f994faeddd2592
SHA1

d351cea4bc167e371e620d06a704e59f88d65db5
SHA256

39b4dc636c83bb84fe898843c7f2c0c37cd1f0233d86ef6b0c47bf60affc624e
SHA512

6e4b22c9307d498f5718ddc25a60307ff7ae4808066f10439ef08f3d8ba2cab285f61a9032bba23f40d6a49b3b795fd05a8f30693a9e7092d26067550bb41e5b
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBZB/bSqz8:sxX7QnxrloE5dpUp2bVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe	39b4dc636c83bb84fe898843c7f2c0c37cd1f0233d86ef6b0c47bf60affc624e.exe

Executes dropped EXE 2 IoCs

pid	Process
2900	locadob.exe
2148	aoptisys.exe

Loads dropped DLL 2 IoCs

pid	Process
2860	39b4dc636c83bb84fe898843c7f2c0c37cd1f0233d86ef6b0c47bf60affc624e.exe
2860	39b4dc636c83bb84fe898843c7f2c0c37cd1f0233d86ef6b0c47bf60affc624e.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ4Q\\bodasys.exe"	39b4dc636c83bb84fe898843c7f2c0c37cd1f0233d86ef6b0c47bf60affc624e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesXG\\aoptisys.exe"	39b4dc636c83bb84fe898843c7f2c0c37cd1f0233d86ef6b0c47bf60affc624e.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2860	39b4dc636c83bb84fe898843c7f2c0c37cd1f0233d86ef6b0c47bf60affc624e.exe
2860	39b4dc636c83bb84fe898843c7f2c0c37cd1f0233d86ef6b0c47bf60affc624e.exe
2900	locadob.exe
2148	aoptisys.exe
2900	locadob.exe
2148	aoptisys.exe
2900	locadob.exe
2148	aoptisys.exe
2900	locadob.exe
2148	aoptisys.exe
2900	locadob.exe
2148	aoptisys.exe
2900	locadob.exe
2148	aoptisys.exe
2900	locadob.exe
2148	aoptisys.exe
2900	locadob.exe
2148	aoptisys.exe
2900	locadob.exe
2148	aoptisys.exe
2900	locadob.exe
2148	aoptisys.exe
2900	locadob.exe
2148	aoptisys.exe
2900	locadob.exe
2148	aoptisys.exe
2900	locadob.exe
2148	aoptisys.exe
2900	locadob.exe
2148	aoptisys.exe
2900	locadob.exe
2148	aoptisys.exe
2900	locadob.exe
2148	aoptisys.exe
2900	locadob.exe
2148	aoptisys.exe
2900	locadob.exe
2148	aoptisys.exe
2900	locadob.exe
2148	aoptisys.exe
2900	locadob.exe
2148	aoptisys.exe
2900	locadob.exe
2148	aoptisys.exe
2900	locadob.exe
2148	aoptisys.exe
2900	locadob.exe
2148	aoptisys.exe
2900	locadob.exe
2148	aoptisys.exe
2900	locadob.exe
2148	aoptisys.exe
2900	locadob.exe
2148	aoptisys.exe
2900	locadob.exe
2148	aoptisys.exe
2900	locadob.exe
2148	aoptisys.exe
2900	locadob.exe
2148	aoptisys.exe
2900	locadob.exe
2148	aoptisys.exe
2900	locadob.exe
2148	aoptisys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2860 wrote to memory of 2900	2860	39b4dc636c83bb84fe898843c7f2c0c37cd1f0233d86ef6b0c47bf60affc624e.exe	28
PID 2860 wrote to memory of 2900	2860	39b4dc636c83bb84fe898843c7f2c0c37cd1f0233d86ef6b0c47bf60affc624e.exe	28
PID 2860 wrote to memory of 2900	2860	39b4dc636c83bb84fe898843c7f2c0c37cd1f0233d86ef6b0c47bf60affc624e.exe	28
PID 2860 wrote to memory of 2900	2860	39b4dc636c83bb84fe898843c7f2c0c37cd1f0233d86ef6b0c47bf60affc624e.exe	28
PID 2860 wrote to memory of 2148	2860	39b4dc636c83bb84fe898843c7f2c0c37cd1f0233d86ef6b0c47bf60affc624e.exe	29
PID 2860 wrote to memory of 2148	2860	39b4dc636c83bb84fe898843c7f2c0c37cd1f0233d86ef6b0c47bf60affc624e.exe	29
PID 2860 wrote to memory of 2148	2860	39b4dc636c83bb84fe898843c7f2c0c37cd1f0233d86ef6b0c47bf60affc624e.exe	29
PID 2860 wrote to memory of 2148	2860	39b4dc636c83bb84fe898843c7f2c0c37cd1f0233d86ef6b0c47bf60affc624e.exe	29

C:\Users\Admin\AppData\Local\Temp\39b4dc636c83bb84fe898843c7f2c0c37cd1f0233d86ef6b0c47bf60affc624e.exe
"C:\Users\Admin\AppData\Local\Temp\39b4dc636c83bb84fe898843c7f2c0c37cd1f0233d86ef6b0c47bf60affc624e.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2900
- C:\FilesXG\aoptisys.exe
  C:\FilesXG\aoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesXG\aoptisys.exe

Filesize
3.0MB

MD5
992defed2ddc7a52acb6a9003b006f7a

SHA1
84d7fed7428186cc872c5c4c1e7ea834802ea917

SHA256
9f189c7cef40907cb30b816e900afd337f07237627361150a3359551f7406ef9

SHA512
4a74145badc6969d964f007b55c975fc52df892aef39268e11e7e373fd9fb76cf68f1a0e1c4050b28485ba1d7ca39bac8d8f11067bd419a6fa6a68721fecad50

Download Submit
C:\LabZ4Q\bodasys.exe

Filesize
3.0MB

MD5
a12ddd667caef5a6ed3f530884bbf04d

SHA1
72edccbb2bee280700fd9b37fda5ff44b855bdbd

SHA256
f7347743134254c8b45a05e1ede1e5738f030c528c1983dca101b4557601c78e

SHA512
98f4d8b5ed28b295ffee9e2117e924cf44fd9d0b0893bb20e0547584d2d3ccdd0136eaa64ffea8fa7785dd2f848fccd3035578a31902f6ac1bc1eb3126dca0cc

Download Submit
C:\LabZ4Q\bodasys.exe

Filesize
3.0MB

MD5
8812866f3578915dbb6c00060224eb5b

SHA1
4ca6144c2e3e363e6ea54071cc4a672d063c86d2

SHA256
e756050a0b19d6d69fabfa20ae99a46618b7fb2ec846ab3f1e0eda70ec87a920

SHA512
030964c32482f366a55d1a825b4e45090ccab1ed9abd28b7a73cf689049df209c033db3ac4178810f5b3cd6d87eb30ba9db8aafe9975267c0c38b388de54e549

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
169B

MD5
372e577a94efbed36603bbac803b092b

SHA1
c310201cc8b43930659f5757c81e6cd5f0f0c2cf

SHA256
2cbca2eb94e76b372e39dd12a75e007bbc5914b6a1f1d15b90a56ca3d5850245

SHA512
556355d059b82086d040cd647888e5dcb1cad511bedb23bf68f0b39a3f81445c76340dc31f236b4c7fc509dd0637d177d6971eb4ca0c87f898fb88adb4c3809b

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
201B

MD5
58dfb79221dab3c79dfa3fcc8453c9e1

SHA1
d849c7751c6e4399512a40cfbd794c951db994e1

SHA256
0743161dc5034db1eda92b1f3a2e66a7df808e1d2da465c4f5e58aaff6e4a0e1

SHA512
784c05f73269e0d971768f9b4ffd20e60437cdd684e3c76da3f9fa36868a28ccb02f222c47daa8fc65542956bbd52edcd37855ea3497aeefaa47442b4b35f676

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe

Filesize
3.0MB

MD5
28064d8b4b6ec0d813448478ff590f8a

SHA1
56edebb0d292dd7e5cc1d44d836fc07ee9364ecf

SHA256
e6ada1c7aae0ea14ebb2ad09ff88f2e822185e17194bad4547fa08d038b24c88

SHA512
f831da87cbad9e74618edf025a74593e9342314faf282cf76cb6be767c6ffdd58209c0f94ee39d70011640fd2cde1101f78ce21758f581d7b1aae20e112772a3

Download Submit