Analysis
max time kernel
149s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags
arch:x64 arch:x86 image:win10v2004-20240709-en locale:en-us os:windows10-2004-x64 system
submitted
22/07/2024, 18:52
Static task
static1
Behavioral task
behavioral1
Sample
1488be23aa5a15bed96482635e79f3ba3dc0091309483335bdb88048643b2365.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
1488be23aa5a15bed96482635e79f3ba3dc0091309483335bdb88048643b2365.exe
Resource
win10v2004-20240709-en
General
Target
1488be23aa5a15bed96482635e79f3ba3dc0091309483335bdb88048643b2365.exe
Size
2.6MB
MD5
1ecc3ef8dc6e4b2d727bca37deecd966
SHA1
8de8318b44891e2cbb7e5dfacc43de85b2c0c6c7
SHA256
1488be23aa5a15bed96482635e79f3ba3dc0091309483335bdb88048643b2365
SHA512
b3beb79c43805e2a35d6cd3365537f7fca9ee5177ec39afb449b9a2c092d0534a51cde1c404172562eeb9d2185038a5c8b349f5d9e454ff3db22f8205ba30e7c
SSDEEP
49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBhB/bS:sxX7QnxrloE5dpUpWb
Malware Config
Signatures
Drops startup file 1 IoCs
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
  Process: 1488be23aa5a15bed96482635e79f3ba3dc0091309483335bdb88048643b2365.exe
Executes dropped EXE 2 IoCs
  pid 4100, Process locabod.exe
  pid 4312, Process aoptiec.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 2 IoCs
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocLX\\aoptiec.exe"
  Process: 1488be23aa5a15bed96482635e79f3ba3dc0091309483335bdb88048643b2365.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZRS\\dobaloc.exe"
  Process: 1488be23aa5a15bed96482635e79f3ba3dc0091309483335bdb88048643b2365.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
  pid 4264, Process 1488be23aa5a15bed96482635e79f3ba3dc0091309483335bdb88048643b2365.exe (4 entries)
  pid 4100, Process locabod.exe (30 entries, interleaved in pairs with the following)
  pid 4312, Process aoptiec.exe (30 entries)
Suspicious use of WriteProcessMemory 6 IoCs
  description: PID 4264 wrote to memory of 4100
  pid: 4264
  Process: 1488be23aa5a15bed96482635e79f3ba3dc0091309483335bdb88048643b2365.exe
  procid_target: 89
  (3 identical entries)
  description: PID 4264 wrote to memory of 4312
  pid: 4264
  Process: 1488be23aa5a15bed96482635e79f3ba3dc0091309483335bdb88048643b2365.exe
  procid_target: 91
  (3 identical entries)
Processes
C:\Users\Admin\AppData\Local\Temp\1488be23aa5a15bed96482635e79f3ba3dc0091309483335bdb88048643b2365.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\1488be23aa5a15bed96482635e79f3ba3dc0091309483335bdb88048643b2365.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 4264
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
      command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      PID: 4100
    C:\IntelprocLX\aoptiec.exe
      command line: C:\IntelprocLX\aoptiec.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      PID: 4312
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
306KB
MD5
792917757f09453091117d48587f8cea
SHA1
2a1ecc374cf2b9516a49952c2b53015d83888e0f
SHA256
82febcbeda374d5fff4de588530aae48460ca295731257fa3dcb63fef9d5ed14
SHA512
c72c387a3c9d38ace2b2a5e1aae31d1b8df96dc17fc714f799d7f771ae61046c608c47bff93624c6940fe3bdd07442b2e747478b483eabeae4a342fcabd4e13d

Filesize
2.6MB
MD5
6716c7fb0a7e846505b2981590cc7e79
SHA1
2b3abcb88bf1a4ab286eae19ae214a4a1a952dbf
SHA256
131a950b3298f40b1450215a70f085f9e6bd846ea64130cf26ed26551f2c2764
SHA512
f7a6bd43d2bca27d054aa440417704639adbc3f1a201252d418bdd7d3d53ae88cdfd29cb31cf2388937588d78930c7256e898b14b5e0faec8958f38f53f6237d

Filesize
2.6MB
MD5
4dd8fab8e7fb20457015fd0d1db8f6f5
SHA1
bdd51330f005418528d4676c8e5e57d7514060cf
SHA256
d3740d24c15870222c309d7c35e4bbf119f772ae381ccd9ec0e7b73db9b6533b
SHA512
b623f1f0fe0c06a0a1fa9fdc31a6a54d9170f5834de3b376ef8249784418c4c7df9fb8011681a2d7ff45e8f806d17c371be73cb608e193adc82b49b312c21a99

Filesize
1.6MB
MD5
9dc4c15c4aef1b34ec6a294cc966c132
SHA1
21fde6291cee53ae93475b6b26aa4f4a81031dff
SHA256
2eab54cc38b3d5db1bc4b60815f40df2b8e3b787927cfac8a2c74eb78df5e687
SHA512
1e2af90bbcac1722de6bf028093dfabbdae857ca858206f2e623c0432c02f8b208393a92483da0b3c35c448e42d725e6de0508b4b41f0e929da89ab5c88874d3

Filesize
204B
MD5
fa57f9cf65169a934fdebe5215cd3f11
SHA1
3a3392d24771f6664364be1fecc3802b9ba1f7b9
SHA256
02f6a6dbb7d5bd6b5757540698f0a6f519720024cc9e1332462e8bb3e8b84bcb
SHA512
9436bb3b7174821b14ab12b61906667511832dd56f65db85a351ec7793b936c86c036ffd8c2786e1659d848921d1195e505ac3a6be4c40176596896017430aea

Filesize
172B
MD5
caf26ff4c1842bf1c8185c79dc5a57a6
SHA1
c9f9bc024b41f2ee83e2c38b729ed1f088a93357
SHA256
c9bd3b9f2234c0b146f10ab20633f574b2a953d266f321526f5d0a7a46c0d06a
SHA512
01aaa6b2f7f4e820c0db179ee7a85d3d7df61a7e9b0076413f1f6ea0db3ebd98a4a37e58c8efe64bb01c3cb9d9b8493fe8659c882531ffe916101dc13fb1440f

Filesize
2.6MB
MD5
f1dbd4c10c6ff8c5429665aff262c21f
SHA1
c08d019b779624c36be453816d2b61f7384b44cb
SHA256
2ec241e6415844b2eaa436752aff2b5ae9bf26399e2ffa50d48813fde12bfdd2
SHA512
7b3cb3f116c4d74086fea51085f4fa6c2e5281ddeec4d7011d8c9b296b848a8a214a1dd425325c262ba97c2ba25dc06d05f29fe8d1efa5ae4e3674c6564d8dff