9e5b067fca7836d98f77908417ebaae07f1d5d1941578d2f7a8fdfd1bb01a416

Analysis

max time kernel
120s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
22/07/2024, 02:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4536617e1ab87c50261c7bd2e8d464f0N.exe
Size

2.6MB
MD5

4536617e1ab87c50261c7bd2e8d464f0
SHA1

85b3819b5ffde7e9ccd67ce337a76967c541be3d
SHA256

9e5b067fca7836d98f77908417ebaae07f1d5d1941578d2f7a8fdfd1bb01a416
SHA512

5f99251a72a42db2e5bcb13a3b322c814eaea8c9bb1bf832306d31e2e0e4068bec49e1ba959b6babf4759a8365c59bd7ded052938235a5717f5aedb2c8374e5a
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBDB/bS:sxX7QnxrloE5dpUpcb

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe	4536617e1ab87c50261c7bd2e8d464f0N.exe

Executes dropped EXE 2 IoCs

pid	Process
2672	locxdob.exe
4568	aoptiec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesLP\\aoptiec.exe"	4536617e1ab87c50261c7bd2e8d464f0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBFC\\optialoc.exe"	4536617e1ab87c50261c7bd2e8d464f0N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4864	4536617e1ab87c50261c7bd2e8d464f0N.exe
4864	4536617e1ab87c50261c7bd2e8d464f0N.exe
4864	4536617e1ab87c50261c7bd2e8d464f0N.exe
4864	4536617e1ab87c50261c7bd2e8d464f0N.exe
2672	locxdob.exe
2672	locxdob.exe
4568	aoptiec.exe
4568	aoptiec.exe
2672	locxdob.exe
2672	locxdob.exe
4568	aoptiec.exe
4568	aoptiec.exe
2672	locxdob.exe
2672	locxdob.exe
4568	aoptiec.exe
4568	aoptiec.exe
2672	locxdob.exe
2672	locxdob.exe
4568	aoptiec.exe
4568	aoptiec.exe
2672	locxdob.exe
2672	locxdob.exe
4568	aoptiec.exe
4568	aoptiec.exe
2672	locxdob.exe
2672	locxdob.exe
4568	aoptiec.exe
4568	aoptiec.exe
2672	locxdob.exe
2672	locxdob.exe
4568	aoptiec.exe
4568	aoptiec.exe
2672	locxdob.exe
2672	locxdob.exe
4568	aoptiec.exe
4568	aoptiec.exe
2672	locxdob.exe
2672	locxdob.exe
4568	aoptiec.exe
4568	aoptiec.exe
2672	locxdob.exe
2672	locxdob.exe
4568	aoptiec.exe
4568	aoptiec.exe
2672	locxdob.exe
2672	locxdob.exe
4568	aoptiec.exe
4568	aoptiec.exe
2672	locxdob.exe
2672	locxdob.exe
4568	aoptiec.exe
4568	aoptiec.exe
2672	locxdob.exe
2672	locxdob.exe
4568	aoptiec.exe
4568	aoptiec.exe
2672	locxdob.exe
2672	locxdob.exe
4568	aoptiec.exe
4568	aoptiec.exe
2672	locxdob.exe
2672	locxdob.exe
4568	aoptiec.exe
4568	aoptiec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4864 wrote to memory of 2672	4864	4536617e1ab87c50261c7bd2e8d464f0N.exe	89
PID 4864 wrote to memory of 2672	4864	4536617e1ab87c50261c7bd2e8d464f0N.exe	89
PID 4864 wrote to memory of 2672	4864	4536617e1ab87c50261c7bd2e8d464f0N.exe	89
PID 4864 wrote to memory of 4568	4864	4536617e1ab87c50261c7bd2e8d464f0N.exe	91
PID 4864 wrote to memory of 4568	4864	4536617e1ab87c50261c7bd2e8d464f0N.exe	91
PID 4864 wrote to memory of 4568	4864	4536617e1ab87c50261c7bd2e8d464f0N.exe	91

C:\Users\Admin\AppData\Local\Temp\4536617e1ab87c50261c7bd2e8d464f0N.exe
"C:\Users\Admin\AppData\Local\Temp\4536617e1ab87c50261c7bd2e8d464f0N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4864
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2672
- C:\FilesLP\aoptiec.exe
  C:\FilesLP\aoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesLP\aoptiec.exe

Filesize
2.6MB

MD5
c990916e75f2360c6bea30cde6acee3e

SHA1
37a1f04eec6a0eee381ddff22d73ca4321a849ba

SHA256
9654b261ebec9ff3d4cf8365e3f7e22b916500b87d9ff08a195891865177b613

SHA512
4c1a13a9e77f5076de39baa0f3f65538f2fc0fbabe7d9fb98f9c9f245d9e6cd6a3eb5c5d8f356221e925d3c520b1e18b518da0f767e08ca251e1812545d439c5

Download Submit
C:\KaVBFC\optialoc.exe

Filesize
2.6MB

MD5
f23b6ac18f825284dc1bc51d2ccb4f26

SHA1
5b5cf623eab777092d1e89a69bf7b192afd9ba75

SHA256
2eb73b808803cc57113cdf78e7bdd63f09b16ddbaf561b412022ece40f203496

SHA512
de876d1154651db60d301ad0f263f0179caba760f543e4e68cd3b7c4ae5c35b934b8702691a6bf91c10228a5d9fbe02dd0722c86ade85e51e8de550a1b035c3e

Download Submit
C:\KaVBFC\optialoc.exe

Filesize
1.2MB

MD5
b5b96e865ad5b857ca3384671bf4a55c

SHA1
6cf6779b3c8cba0b0a44627e653f61d0351f0d8f

SHA256
e55e16ac2185d0071fa19aad899cc80aa495f301345a24d7f607993965dddb36

SHA512
b39eedc21aca5b84946033aca0c6bc9ac082286e2d04e112178d3a31dd79d905ff95d2397fec7706f371983b5f4447ddce5cdac18b28e14496b592920d5fc757

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
201B

MD5
b82fbc0bb660c0ed3400a39120e5ab36

SHA1
8505638b8fd345d76a1feca0e5e840a7436c0e74

SHA256
54db3406ca61f225f05ba9404f032e7c3b3522cfde4700e222e419e29fdcea35

SHA512
3663662f1a61f67648b5587f5bc672883bc7df0a3909b17b8323db9afd470e3d99dcd0d65dc5d75e04b6c8fd1d83b6e756e93316728b623cf32f918d442cf1e6

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
169B

MD5
aa3f16674f48107bfb82601a00466419

SHA1
74928858aa9f2b4d3774de5de2ae1fd78c2d315a

SHA256
dab8a10a8d0e6dc07a4b5ddab897f0225825bb08da1b01b2a43dd3e14730b293

SHA512
f876cb95bb53038add7a174b9f455d1aa60b88138bd74d72947c983f01b7b79603d4043826b93f800779df4319ffff6cabbba755c1fe92a17195df4622ded479

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe

Filesize
2.6MB

MD5
431884daf0c9f3f8f075d9284b7148dc

SHA1
7ec02ef8fe8caf89925cf0f94ae6677c63215334

SHA256
1e604ff35e190a21da81e7eaa5baf3ae490fbc9df33a536cd1e7fdde6f9d450e

SHA512
a6c9dcf954facff022c949bbdc5b650a63faf9677e9c79a4a2e41d6f4c8e507076383a22f6c5d1a77a604daa9c8cd20bad9a98a03bd0ae8aab79a723fe0cdd26

Download Submit