a89e03b838016effd482a6872d9ddbd3f79d9fd5bd58db121141a41398a27e56

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05/06/2024, 01:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a89e03b838016effd482a6872d9ddbd3f79d9fd5bd58db121141a41398a27e56.exe
Size

4.1MB
MD5

87e2e0e9dedc36ae42914373ce729ba4
SHA1

0dda73635c64f8b120101fb686fc2a6ddb1d03bc
SHA256

a89e03b838016effd482a6872d9ddbd3f79d9fd5bd58db121141a41398a27e56
SHA512

1267f9055585f2bb60977ca940673d0c321588f721ad50cbae6132ca50dd014896fbc9be0f7a46c87a3d08250c225a8c24a503da37bda39beec1889987c98d33
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBqB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUp1bVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe	a89e03b838016effd482a6872d9ddbd3f79d9fd5bd58db121141a41398a27e56.exe

Executes dropped EXE 2 IoCs

pid	Process
2268	locabod.exe
2632	aoptiec.exe

Loads dropped DLL 2 IoCs

pid	Process
1084	a89e03b838016effd482a6872d9ddbd3f79d9fd5bd58db121141a41398a27e56.exe
1084	a89e03b838016effd482a6872d9ddbd3f79d9fd5bd58db121141a41398a27e56.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesKG\\aoptiec.exe"	a89e03b838016effd482a6872d9ddbd3f79d9fd5bd58db121141a41398a27e56.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZJO\\bodaec.exe"	a89e03b838016effd482a6872d9ddbd3f79d9fd5bd58db121141a41398a27e56.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1084	a89e03b838016effd482a6872d9ddbd3f79d9fd5bd58db121141a41398a27e56.exe
1084	a89e03b838016effd482a6872d9ddbd3f79d9fd5bd58db121141a41398a27e56.exe
2268	locabod.exe
2632	aoptiec.exe
2268	locabod.exe
2632	aoptiec.exe
2268	locabod.exe
2632	aoptiec.exe
2268	locabod.exe
2632	aoptiec.exe
2268	locabod.exe
2632	aoptiec.exe
2268	locabod.exe
2632	aoptiec.exe
2268	locabod.exe
2632	aoptiec.exe
2268	locabod.exe
2632	aoptiec.exe
2268	locabod.exe
2632	aoptiec.exe
2268	locabod.exe
2632	aoptiec.exe
2268	locabod.exe
2632	aoptiec.exe
2268	locabod.exe
2632	aoptiec.exe
2268	locabod.exe
2632	aoptiec.exe
2268	locabod.exe
2632	aoptiec.exe
2268	locabod.exe
2632	aoptiec.exe
2268	locabod.exe
2632	aoptiec.exe
2268	locabod.exe
2632	aoptiec.exe
2268	locabod.exe
2632	aoptiec.exe
2268	locabod.exe
2632	aoptiec.exe
2268	locabod.exe
2632	aoptiec.exe
2268	locabod.exe
2632	aoptiec.exe
2268	locabod.exe
2632	aoptiec.exe
2268	locabod.exe
2632	aoptiec.exe
2268	locabod.exe
2632	aoptiec.exe
2268	locabod.exe
2632	aoptiec.exe
2268	locabod.exe
2632	aoptiec.exe
2268	locabod.exe
2632	aoptiec.exe
2268	locabod.exe
2632	aoptiec.exe
2268	locabod.exe
2632	aoptiec.exe
2268	locabod.exe
2632	aoptiec.exe
2268	locabod.exe
2632	aoptiec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1084 wrote to memory of 2268	1084	a89e03b838016effd482a6872d9ddbd3f79d9fd5bd58db121141a41398a27e56.exe	28
PID 1084 wrote to memory of 2268	1084	a89e03b838016effd482a6872d9ddbd3f79d9fd5bd58db121141a41398a27e56.exe	28
PID 1084 wrote to memory of 2268	1084	a89e03b838016effd482a6872d9ddbd3f79d9fd5bd58db121141a41398a27e56.exe	28
PID 1084 wrote to memory of 2268	1084	a89e03b838016effd482a6872d9ddbd3f79d9fd5bd58db121141a41398a27e56.exe	28
PID 1084 wrote to memory of 2632	1084	a89e03b838016effd482a6872d9ddbd3f79d9fd5bd58db121141a41398a27e56.exe	29
PID 1084 wrote to memory of 2632	1084	a89e03b838016effd482a6872d9ddbd3f79d9fd5bd58db121141a41398a27e56.exe	29
PID 1084 wrote to memory of 2632	1084	a89e03b838016effd482a6872d9ddbd3f79d9fd5bd58db121141a41398a27e56.exe	29
PID 1084 wrote to memory of 2632	1084	a89e03b838016effd482a6872d9ddbd3f79d9fd5bd58db121141a41398a27e56.exe	29

C:\Users\Admin\AppData\Local\Temp\a89e03b838016effd482a6872d9ddbd3f79d9fd5bd58db121141a41398a27e56.exe
"C:\Users\Admin\AppData\Local\Temp\a89e03b838016effd482a6872d9ddbd3f79d9fd5bd58db121141a41398a27e56.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1084
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2268
- C:\FilesKG\aoptiec.exe
  C:\FilesKG\aoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesKG\aoptiec.exe

Filesize
4.1MB

MD5
2997e87e0fee18c7a861b87760da5121

SHA1
000f316c85fb46b181afbf2622e05cb0bd9cdb9d

SHA256
55706f94cb190437b9cdacdde8a3baa19b97d3d1628e9ed013b07d66ec003c16

SHA512
d30da772be8bb9fca1c8acca830d2aabfa84d11e5e3e146e8e00f3f4cadcfb658a150157b1e30aa6b4b0759b4913c47c232bc8f17150072b6c8b07185b66bc6d

Download Submit
C:\LabZJO\bodaec.exe

Filesize
4.1MB

MD5
e9b6c83906e24a615456ece350faebd6

SHA1
404a964a7c2c030c8799a6da3b8dacedcb50044f

SHA256
203441ab103cd6c9818af199c750a883b8917d59dfb44b9154bbb74f1f22c24c

SHA512
7fb4a68ce5801eeb9c8ce68bf3b9035315a261f784a19697e3f32e13faa58f0f7c9c6b2d6e17d9e742c14b25098efcacc1eb0e8244bc5a156edfb64b39b451d9

Download Submit
C:\LabZJO\bodaec.exe

Filesize
4KB

MD5
7b41954bee8856da62ef57345adc3522

SHA1
11b72bcd158990287c7502b2d89a500dd528be97

SHA256
53500f97f1743cdbbb8e20fbd873c559d502902c5b946a3bf45608d9862e2df2

SHA512
6ca7be3c24637b2cebe059bfaf0b67d1447edda13807cc42ee42f4d621f67bc6378b464eaa122e4a1b1a0119b9d19e5ad9d40b4adfad582ede44ce86614f7c62

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
167B

MD5
41aa8538e9fc1ef3cd3c94ace6551716

SHA1
8127f8b1385ffa1f3e0719c9f600fd4390310487

SHA256
f7097f88b12399aaf2c3b9f41da125b005704b3310616c20d5630105945a3251

SHA512
5b59fb7d48d181586046b72d009ca30dd68ff3852e0cafd082c993f0f8de76dce1e6dda0874d5100c7fad6cdbc90aad4046884685540279768f840edeb93aa7e

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
199B

MD5
72f8288e9192b4a1967b2cd280c777ff

SHA1
994a134b6dd551dbd29b46ee72e0a9ebf9dfcde0

SHA256
061cb4fe14e3e9fff65fa0028767d89f6ec54073d1d1c6914c5ebf254a178bd9

SHA512
563ed8b8799c4b7ad89fc2e4e68000e291b2a6a7d9dc4a29ee67953bbf880ebe02c6c03d7f6ecfb5039d09a942a5a7aeb9be207796bdccfb650f10c1df86c98a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe

Filesize
4.1MB

MD5
56a2217ad4fad7af3f04ceb2a4fd0a87

SHA1
b094e242c1d3d9e96629d0c2936fbd6108d1467b

SHA256
0965130437a54d87d369f5005ad068ea14ccfbfe6cc35cd84c153a10afb63073

SHA512
339b7e2308ff40aa565c7a2cc2cd0e9ba4408c8dece15295ab6bd96c59a23ff44d32d6c47b8a9f9ad121c6a73900a647e2e17042207cd863763aae2d526558b9

Download Submit