4a39cf379169f48f6ac414f11ab18089ba2b3b725ca67415e1a9e5bd255c431f

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
01/07/2024, 21:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4a39cf379169f48f6ac414f11ab18089ba2b3b725ca67415e1a9e5bd255c431f.exe
Size

3.2MB
MD5

2ae47c0254e12328439773266291591f
SHA1

875bcb35f471b563d29c20c158382976db45c612
SHA256

4a39cf379169f48f6ac414f11ab18089ba2b3b725ca67415e1a9e5bd255c431f
SHA512

1c10705fec833da091e29127da74eae64c32fd5db4e69506d106945e52f06799b6e9aeccfe2de8fc9d799a0d81ed83cd36997f82722da227d44137bd591f98ba
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB4B/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpzbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe	4a39cf379169f48f6ac414f11ab18089ba2b3b725ca67415e1a9e5bd255c431f.exe

Executes dropped EXE 2 IoCs

pid	Process
2792	locaopti.exe
2612	aoptiloc.exe

Loads dropped DLL 2 IoCs

pid	Process
2980	4a39cf379169f48f6ac414f11ab18089ba2b3b725ca67415e1a9e5bd255c431f.exe
2980	4a39cf379169f48f6ac414f11ab18089ba2b3b725ca67415e1a9e5bd255c431f.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesRU\\aoptiloc.exe"	4a39cf379169f48f6ac414f11ab18089ba2b3b725ca67415e1a9e5bd255c431f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidCF\\boddevsys.exe"	4a39cf379169f48f6ac414f11ab18089ba2b3b725ca67415e1a9e5bd255c431f.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2980	4a39cf379169f48f6ac414f11ab18089ba2b3b725ca67415e1a9e5bd255c431f.exe
2980	4a39cf379169f48f6ac414f11ab18089ba2b3b725ca67415e1a9e5bd255c431f.exe
2792	locaopti.exe
2612	aoptiloc.exe
2792	locaopti.exe
2612	aoptiloc.exe
2792	locaopti.exe
2612	aoptiloc.exe
2792	locaopti.exe
2612	aoptiloc.exe
2792	locaopti.exe
2612	aoptiloc.exe
2792	locaopti.exe
2612	aoptiloc.exe
2792	locaopti.exe
2612	aoptiloc.exe
2792	locaopti.exe
2612	aoptiloc.exe
2792	locaopti.exe
2612	aoptiloc.exe
2792	locaopti.exe
2612	aoptiloc.exe
2792	locaopti.exe
2612	aoptiloc.exe
2792	locaopti.exe
2612	aoptiloc.exe
2792	locaopti.exe
2612	aoptiloc.exe
2792	locaopti.exe
2612	aoptiloc.exe
2792	locaopti.exe
2612	aoptiloc.exe
2792	locaopti.exe
2612	aoptiloc.exe
2792	locaopti.exe
2612	aoptiloc.exe
2792	locaopti.exe
2612	aoptiloc.exe
2792	locaopti.exe
2612	aoptiloc.exe
2792	locaopti.exe
2612	aoptiloc.exe
2792	locaopti.exe
2612	aoptiloc.exe
2792	locaopti.exe
2612	aoptiloc.exe
2792	locaopti.exe
2612	aoptiloc.exe
2792	locaopti.exe
2612	aoptiloc.exe
2792	locaopti.exe
2612	aoptiloc.exe
2792	locaopti.exe
2612	aoptiloc.exe
2792	locaopti.exe
2612	aoptiloc.exe
2792	locaopti.exe
2612	aoptiloc.exe
2792	locaopti.exe
2612	aoptiloc.exe
2792	locaopti.exe
2612	aoptiloc.exe
2792	locaopti.exe
2612	aoptiloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 2792	2980	4a39cf379169f48f6ac414f11ab18089ba2b3b725ca67415e1a9e5bd255c431f.exe	28
PID 2980 wrote to memory of 2792	2980	4a39cf379169f48f6ac414f11ab18089ba2b3b725ca67415e1a9e5bd255c431f.exe	28
PID 2980 wrote to memory of 2792	2980	4a39cf379169f48f6ac414f11ab18089ba2b3b725ca67415e1a9e5bd255c431f.exe	28
PID 2980 wrote to memory of 2792	2980	4a39cf379169f48f6ac414f11ab18089ba2b3b725ca67415e1a9e5bd255c431f.exe	28
PID 2980 wrote to memory of 2612	2980	4a39cf379169f48f6ac414f11ab18089ba2b3b725ca67415e1a9e5bd255c431f.exe	29
PID 2980 wrote to memory of 2612	2980	4a39cf379169f48f6ac414f11ab18089ba2b3b725ca67415e1a9e5bd255c431f.exe	29
PID 2980 wrote to memory of 2612	2980	4a39cf379169f48f6ac414f11ab18089ba2b3b725ca67415e1a9e5bd255c431f.exe	29
PID 2980 wrote to memory of 2612	2980	4a39cf379169f48f6ac414f11ab18089ba2b3b725ca67415e1a9e5bd255c431f.exe	29

C:\Users\Admin\AppData\Local\Temp\4a39cf379169f48f6ac414f11ab18089ba2b3b725ca67415e1a9e5bd255c431f.exe
"C:\Users\Admin\AppData\Local\Temp\4a39cf379169f48f6ac414f11ab18089ba2b3b725ca67415e1a9e5bd255c431f.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2792
- C:\FilesRU\aoptiloc.exe
  C:\FilesRU\aoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesRU\aoptiloc.exe

Filesize
3.2MB

MD5
67b95e73a4d736fc7a6a49180814ade9

SHA1
1b87771d386e80461685b1ad4c6f18c44770762a

SHA256
df18342a074bb7238ebec31f6d427187349f6eb3ea2c68f8589985de57cf02d4

SHA512
e982bff86f4ed7985b0d20e05cc72f1ebea39e7231c8aed5272c4a5a04ad1ec9be2bb36adc3aa62b4ac49e14d2845f5f8763195182830adebcb6eb7d2dff66da

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
171B

MD5
8439936fbf847c372350f08749042a3a

SHA1
31ac799ab24507ae144f2a0f25a2e557d7d5997d

SHA256
d1ed21179ee50a12162d5ce6bb5e7b7c1b6d35e1d2914b64ce36c493cd45e06c

SHA512
029e98c577ae00409dd1fe650d1d4d27463fe96231f227231d101280d5f67d08d6dbb2e2891af34ca3f26ad4a048f629d1083296c9f1b42c10a31e60c542e589

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
fe4f955dad115cd5640aa92ca44aab40

SHA1
12970dd8c073cd333be276349fc7844343f17e16

SHA256
b06cab0de0763f7ff0a0acaac643450a9c8f9763ca7c74ce4f4ffcd210e1d6f2

SHA512
5725bb8336d09cac49ef5cd52b9f6e2eb50a08ba27902af241601d6ed6ed3edf6bae997d15e45f882c0c0a77b9447e120cfc44d01c1911620da1136b79b5b0b6

Download Submit
C:\VidCF\boddevsys.exe

Filesize
3.2MB

MD5
086b44764e499426bb6de2408fd696f3

SHA1
b6fd6a9cc2731943fff6a1a8f2f226e2850d1abf

SHA256
b740af859e422be8130a83b9173aabbd574ca372405abdc8d55397f551b78bc3

SHA512
8301e8a802487ec2d3d0e56dcbc76c02e3702498d1b340153b98e20c832b35366d43a23fb66140cc4bce2c4ee6b1f9a440c666200b6fc0c215b0709d9fa7fca4

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe

Filesize
3.2MB

MD5
0a52995860c24418f552d13131a5ee02

SHA1
b39929b797840c1faaf5fbcfe08116345550f158

SHA256
2d473026f784766a5a53ea9bc265930962235b7303672e106909a00727f42133

SHA512
a8b8927e6a3e5a836148207f631c276d6141169603fae30687a7b6484ac8d4e0363fde43c0eaddfff5d363b3856c0811a6af89f48e326477d8129a9a279baaa7

Download Submit