4c9e072bc8145d0aef036d1299645f8cca559c4591708474b29f30e1a2ef5347

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
09/07/2024, 22:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4c9e072bc8145d0aef036d1299645f8cca559c4591708474b29f30e1a2ef5347.exe
Size

3.1MB
MD5

12bebc2e8b7413f50da0baf914cca0a9
SHA1

ff9833f9497c0aab210a4c3c2378d5a20dc5a4c4
SHA256

4c9e072bc8145d0aef036d1299645f8cca559c4591708474b29f30e1a2ef5347
SHA512

230e184602627992660b862877953df653e3c50fd8d38650a1aee7c7873ab33569afcdd6c03afe4b37961db99ec2c73d2891a4a26682ba0ad8c5d91559b67dd2
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBlB/bSqz8:sxX7QnxrloE5dpUp+bVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe	4c9e072bc8145d0aef036d1299645f8cca559c4591708474b29f30e1a2ef5347.exe

Executes dropped EXE 2 IoCs

pid	Process
4412	locabod.exe
4652	aoptisys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvFH\\aoptisys.exe"	4c9e072bc8145d0aef036d1299645f8cca559c4591708474b29f30e1a2ef5347.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB6G\\bodaec.exe"	4c9e072bc8145d0aef036d1299645f8cca559c4591708474b29f30e1a2ef5347.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1300	4c9e072bc8145d0aef036d1299645f8cca559c4591708474b29f30e1a2ef5347.exe
1300	4c9e072bc8145d0aef036d1299645f8cca559c4591708474b29f30e1a2ef5347.exe
1300	4c9e072bc8145d0aef036d1299645f8cca559c4591708474b29f30e1a2ef5347.exe
1300	4c9e072bc8145d0aef036d1299645f8cca559c4591708474b29f30e1a2ef5347.exe
4412	locabod.exe
4412	locabod.exe
4652	aoptisys.exe
4652	aoptisys.exe
4412	locabod.exe
4412	locabod.exe
4652	aoptisys.exe
4652	aoptisys.exe
4412	locabod.exe
4412	locabod.exe
4652	aoptisys.exe
4652	aoptisys.exe
4412	locabod.exe
4412	locabod.exe
4652	aoptisys.exe
4652	aoptisys.exe
4412	locabod.exe
4412	locabod.exe
4652	aoptisys.exe
4652	aoptisys.exe
4412	locabod.exe
4412	locabod.exe
4652	aoptisys.exe
4652	aoptisys.exe
4412	locabod.exe
4412	locabod.exe
4652	aoptisys.exe
4652	aoptisys.exe
4412	locabod.exe
4412	locabod.exe
4652	aoptisys.exe
4652	aoptisys.exe
4412	locabod.exe
4412	locabod.exe
4652	aoptisys.exe
4652	aoptisys.exe
4412	locabod.exe
4412	locabod.exe
4652	aoptisys.exe
4652	aoptisys.exe
4412	locabod.exe
4412	locabod.exe
4652	aoptisys.exe
4652	aoptisys.exe
4412	locabod.exe
4412	locabod.exe
4652	aoptisys.exe
4652	aoptisys.exe
4412	locabod.exe
4412	locabod.exe
4652	aoptisys.exe
4652	aoptisys.exe
4412	locabod.exe
4412	locabod.exe
4652	aoptisys.exe
4652	aoptisys.exe
4412	locabod.exe
4412	locabod.exe
4652	aoptisys.exe
4652	aoptisys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1300 wrote to memory of 4412	1300	4c9e072bc8145d0aef036d1299645f8cca559c4591708474b29f30e1a2ef5347.exe	84
PID 1300 wrote to memory of 4412	1300	4c9e072bc8145d0aef036d1299645f8cca559c4591708474b29f30e1a2ef5347.exe	84
PID 1300 wrote to memory of 4412	1300	4c9e072bc8145d0aef036d1299645f8cca559c4591708474b29f30e1a2ef5347.exe	84
PID 1300 wrote to memory of 4652	1300	4c9e072bc8145d0aef036d1299645f8cca559c4591708474b29f30e1a2ef5347.exe	85
PID 1300 wrote to memory of 4652	1300	4c9e072bc8145d0aef036d1299645f8cca559c4591708474b29f30e1a2ef5347.exe	85
PID 1300 wrote to memory of 4652	1300	4c9e072bc8145d0aef036d1299645f8cca559c4591708474b29f30e1a2ef5347.exe	85

C:\Users\Admin\AppData\Local\Temp\4c9e072bc8145d0aef036d1299645f8cca559c4591708474b29f30e1a2ef5347.exe
"C:\Users\Admin\AppData\Local\Temp\4c9e072bc8145d0aef036d1299645f8cca559c4591708474b29f30e1a2ef5347.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1300
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4412
- C:\SysDrvFH\aoptisys.exe
  C:\SysDrvFH\aoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVB6G\bodaec.exe

Filesize
29KB

MD5
aedec4c6b0e5bfb94bce1bb80817c9ca

SHA1
d8888798c78356a9f59d73c5b7227eac8a3d3ff1

SHA256
ba0e29f0dfc36a71ea3c2a65261c8cfd2ec2da59ed3290df3be385d38f53f535

SHA512
2e25b0f7a806f50159117897913f424cd75f62e46f214aecafd047faa007c7aab75a96f05f6d27efda1a4a5d84e18c35a5f8dbb4892c3345823d5344680f505d

Download Submit
C:\KaVB6G\bodaec.exe

Filesize
623KB

MD5
a7ab6f4f97ee3acd8f8fd8a48ff56b07

SHA1
31536e4c66a8e9a154b172d2bf57f0962d5aa0bc

SHA256
f559368b3fa8ba9f378c584d9eaac4a6355cc22ee6a9f27847d85682ff8f3566

SHA512
f51b30a631dc0a6f848e3929a553788971b5847ae78f6b33d510700d34ea202fb54edaf41a928f8e65d8565a34b7ca212d0096d229c5e1027515dbf645b4f0ef

Download Submit
C:\SysDrvFH\aoptisys.exe

Filesize
774KB

MD5
3b683a8b7697c8a80ef973131e9867dd

SHA1
2b70e6d37c3e9e7940440ae5a804e05bf0ee37ff

SHA256
57d8083caae48a402117532ebcf0755f4542a0a669876fd2960b307b5bb216db

SHA512
5eebf583b5ae27321e1904a90bea4ff179d19078212e35ac8731e08db53c18cd2c771b4988e8b5dba558d7e5946c9074134c4fd1840c1d3f0921f3d14151652a

Download Submit
C:\SysDrvFH\aoptisys.exe

Filesize
3.1MB

MD5
a15cf78ff9df049aad0e46c8b0ca2f5c

SHA1
97addabbf98819699e2106525c3c6a170d4507a8

SHA256
b9a73bff099dba67a01f635b4d2e0a721b216c4b61eb1a94ba63ac706d0c2020

SHA512
e2f20cbafe50255a75179befaec26cadd987ec223a68580fefeb812efb32d5585edce6c3cb9a3634ff856a06e619dc6cd60fe85d0a069e97e8a1927bd5827f55

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
201B

MD5
bc66c8aa9c163f030980ca320c624428

SHA1
1c09366a719f7c9d5d6d83c28b631b13ed255012

SHA256
84a77477506a665915957ca7f4d4689a320c82e0272bf9ac5c97fb0fa4c6b6e0

SHA512
439cc56fb33893ff0d765ace771b77d0f967184e248a9c2092c69c71e2e5fd27437062e39dd7434ce2c3f7d91f61a24820f646afa1640578e42588072329e215

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
169B

MD5
0b4163fe924c84ac85f8e7ed5b1bcf00

SHA1
cdb9b4188c1a3d56825eb1578debb4f5939f8d81

SHA256
fc0575485fae8be15503580a8a92013d6b2a13542342b500e4cc257bfc228440

SHA512
b2ea48e37d007170fb2493fb15c13566d44310010dcfbda34f466f9acd1f2971efa8d768eb1fbb2950c4c473f10503e3ddc10d0667f31f1f7ea013b46b2c741f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe

Filesize
3.1MB

MD5
d4da27f9b054a2183bfdf3eefc5b2dc8

SHA1
f9a53ee36692d6f1d8557c0401fe53eb5b5eb407

SHA256
44d530837e8fba857ff56e821957dee95106bc31b8e5b556bef789f7d68a3e32

SHA512
8665c866d88dc632fbda6b24e73a833a380b710d37d12e5d90f4f7d230ccf9fa7fc745b939c1d525999ef23db2a924042d87d7d8890d998248007c0e6f0398b0

Download Submit