a8a668fdbbc6b39471d3aa983d009708847b09ebf1fd2b767696a8c2cdb49c7c

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
15/06/2024, 00:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a8a668fdbbc6b39471d3aa983d009708847b09ebf1fd2b767696a8c2cdb49c7c.exe
Size

3.6MB
MD5

2ca12f725a468868769d47d28290f996
SHA1

f1eee4694d69a8dcd83a02da7f1bc192e5fa1a31
SHA256

a8a668fdbbc6b39471d3aa983d009708847b09ebf1fd2b767696a8c2cdb49c7c
SHA512

24f6966419e1121c0ff62dece6af0700d126d8634a1084872cf2cda5890bdd3cc0d6f8f47129901218e3b2ba64eb9dba7644c5488e769ca410d9f6ed5a2a1362
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBPB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpEbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe	a8a668fdbbc6b39471d3aa983d009708847b09ebf1fd2b767696a8c2cdb49c7c.exe

Executes dropped EXE 2 IoCs

pid	Process
2944	locxopti.exe
2644	aoptiloc.exe

Loads dropped DLL 2 IoCs

pid	Process
1960	a8a668fdbbc6b39471d3aa983d009708847b09ebf1fd2b767696a8c2cdb49c7c.exe
1960	a8a668fdbbc6b39471d3aa983d009708847b09ebf1fd2b767696a8c2cdb49c7c.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid2G\\dobaec.exe"	a8a668fdbbc6b39471d3aa983d009708847b09ebf1fd2b767696a8c2cdb49c7c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesTP\\aoptiloc.exe"	a8a668fdbbc6b39471d3aa983d009708847b09ebf1fd2b767696a8c2cdb49c7c.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1960	a8a668fdbbc6b39471d3aa983d009708847b09ebf1fd2b767696a8c2cdb49c7c.exe
1960	a8a668fdbbc6b39471d3aa983d009708847b09ebf1fd2b767696a8c2cdb49c7c.exe
2944	locxopti.exe
2644	aoptiloc.exe
2944	locxopti.exe
2644	aoptiloc.exe
2944	locxopti.exe
2644	aoptiloc.exe
2944	locxopti.exe
2644	aoptiloc.exe
2944	locxopti.exe
2644	aoptiloc.exe
2944	locxopti.exe
2644	aoptiloc.exe
2944	locxopti.exe
2644	aoptiloc.exe
2944	locxopti.exe
2644	aoptiloc.exe
2944	locxopti.exe
2644	aoptiloc.exe
2944	locxopti.exe
2644	aoptiloc.exe
2944	locxopti.exe
2644	aoptiloc.exe
2944	locxopti.exe
2644	aoptiloc.exe
2944	locxopti.exe
2644	aoptiloc.exe
2944	locxopti.exe
2644	aoptiloc.exe
2944	locxopti.exe
2644	aoptiloc.exe
2944	locxopti.exe
2644	aoptiloc.exe
2944	locxopti.exe
2644	aoptiloc.exe
2944	locxopti.exe
2644	aoptiloc.exe
2944	locxopti.exe
2644	aoptiloc.exe
2944	locxopti.exe
2644	aoptiloc.exe
2944	locxopti.exe
2644	aoptiloc.exe
2944	locxopti.exe
2644	aoptiloc.exe
2944	locxopti.exe
2644	aoptiloc.exe
2944	locxopti.exe
2644	aoptiloc.exe
2944	locxopti.exe
2644	aoptiloc.exe
2944	locxopti.exe
2644	aoptiloc.exe
2944	locxopti.exe
2644	aoptiloc.exe
2944	locxopti.exe
2644	aoptiloc.exe
2944	locxopti.exe
2644	aoptiloc.exe
2944	locxopti.exe
2644	aoptiloc.exe
2944	locxopti.exe
2644	aoptiloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 2944	1960	a8a668fdbbc6b39471d3aa983d009708847b09ebf1fd2b767696a8c2cdb49c7c.exe	28
PID 1960 wrote to memory of 2944	1960	a8a668fdbbc6b39471d3aa983d009708847b09ebf1fd2b767696a8c2cdb49c7c.exe	28
PID 1960 wrote to memory of 2944	1960	a8a668fdbbc6b39471d3aa983d009708847b09ebf1fd2b767696a8c2cdb49c7c.exe	28
PID 1960 wrote to memory of 2944	1960	a8a668fdbbc6b39471d3aa983d009708847b09ebf1fd2b767696a8c2cdb49c7c.exe	28
PID 1960 wrote to memory of 2644	1960	a8a668fdbbc6b39471d3aa983d009708847b09ebf1fd2b767696a8c2cdb49c7c.exe	29
PID 1960 wrote to memory of 2644	1960	a8a668fdbbc6b39471d3aa983d009708847b09ebf1fd2b767696a8c2cdb49c7c.exe	29
PID 1960 wrote to memory of 2644	1960	a8a668fdbbc6b39471d3aa983d009708847b09ebf1fd2b767696a8c2cdb49c7c.exe	29
PID 1960 wrote to memory of 2644	1960	a8a668fdbbc6b39471d3aa983d009708847b09ebf1fd2b767696a8c2cdb49c7c.exe	29

C:\Users\Admin\AppData\Local\Temp\a8a668fdbbc6b39471d3aa983d009708847b09ebf1fd2b767696a8c2cdb49c7c.exe
"C:\Users\Admin\AppData\Local\Temp\a8a668fdbbc6b39471d3aa983d009708847b09ebf1fd2b767696a8c2cdb49c7c.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2944
- C:\FilesTP\aoptiloc.exe
  C:\FilesTP\aoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesTP\aoptiloc.exe

Filesize
3.6MB

MD5
2c47b49295db21aece03a0692b0d2774

SHA1
3a3dceda508cdd045688f0764171333891d165a1

SHA256
285a4ac9f180b994595a6c10d38d3ad9b8a0a6f12ee09879bcee71061e2c676c

SHA512
66074c5279c61d951861961e3d90554e93a826b1f48abeff4089a6f2f4f3a016890b56cfd8902c34ba4b3a838029818d64eb4ebb1b00831a49e5b50885baac6d

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
168B

MD5
372ccd44b57490b56d2ddf2e86418f28

SHA1
9085a1b2fec95536fb7109b1506fe058b39c0816

SHA256
e947c64406a673a0c21a7dfe9889ad9918729187260a5686af964e7c4f06ba21

SHA512
4869525606d3697f6db2d346d25864c64c059d4b96a7755a80e682eb2b6feb569d55142d5d67b7baf9a162bdc9924d2be1fc3e0d13d89336142d7dc3e8878134

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
200B

MD5
f67dfe72e25bcf82622fc4d4868a28c9

SHA1
10a24f1da546c52afb54f18daa5d3a2a572a7616

SHA256
fd10f892bf1def4db2c924e9678f8c76720459f5d01b38a5f0b2b29932f63a93

SHA512
71685e37652fc325cbb2c4fbfbd3bf4e660052dc89b52c7fb48a340b4253ab14a798bacd04629ff25a9b0c816c04ee507f75224ae4e9a569d526e21e0f9f9bc0

Download Submit
C:\Vid2G\dobaec.exe

Filesize
3.6MB

MD5
c5288daed0c5a48930151f20c1a33da6

SHA1
ed8dc9aaf4720f8af0d8025c9ff870d61707c074

SHA256
2d48140156a52067fd6fdc246400cc1c35ef2c6d2479763924868a85194ab729

SHA512
3f44a7d257fb0598a944b489cb39e84aaddba07377c895db1d8dc7023d0f79807767ada14bfd80bb7f7395e757d76cd48c44b58684827583f5086cb974e15af3

Download Submit
C:\Vid2G\dobaec.exe

Filesize
3.6MB

MD5
776f57e3fb932a681cb13cae281103f7

SHA1
0e3bc00d2aa4b47dad53536da2bffe651b8510ee

SHA256
f5c5928aeae866b2b557e516c1e708bb92a42da4a94f16def1569b8e9e3d502b

SHA512
c6530e681572910d6ee10bab803bf3b149ee60a859c62a2952b4bbaa989e7c27ef02647aa4a59f8acd8ccff3ec862617ff9dacaab59fafdfb64da04013c8faf9

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe

Filesize
3.6MB

MD5
ff44beaac85622bda5183c3ecc80a618

SHA1
4fad2ccf400a80bfc8cc60f57dd4df8d68fc3054

SHA256
556f75b51469b57ec58942ad0245531db5429c1b26c8ee5d701647bd7e3039d8

SHA512
f0264c0248e1336889478a4e53b4e848f283b0435e9c28d6cb6b861a58a1dafbdba3da2e315befb6f797eb1906ff1dc70938de9c52c007f126b8940a2cf9d1ab

Download Submit