571fc924f15567b238690533831137abe246a0cbfda782112b1a93af487f49f4

Analysis

max time kernel
150s
max time network
111s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
09-08-2024 21:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

571fc924f15567b238690533831137abe246a0cbfda782112b1a93af487f49f4.exe
Size

2.7MB
MD5

07f2d7a5e261847251ccb427b2bd5d00
SHA1

29018e3c6793003f7240ebd76de6a12c5d6932b5
SHA256

571fc924f15567b238690533831137abe246a0cbfda782112b1a93af487f49f4
SHA512

7a5641521cf24264ce33ba5c8f4ba6eba2ce18a187c2c9ae7d0d66833c9fb05702b5e939d713f9eb0d033389c45cfb246233786a4b55f1f7a04c03b3c44ea387
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBJ9w4S+:+R0pI/IQlUoMPdmpSpF4X

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2176	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vblocadob.exe
2800	aoptiloc.exe

Loads dropped DLL 2 IoCs

pid	Process
3008	571fc924f15567b238690533831137abe246a0cbfda782112b1a93af487f49f4.exe
3008	571fc924f15567b238690533831137abe246a0cbfda782112b1a93af487f49f4.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvEF\\aoptiloc.exe"	571fc924f15567b238690533831137abe246a0cbfda782112b1a93af487f49f4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZMH\\dobxsys.exe"	571fc924f15567b238690533831137abe246a0cbfda782112b1a93af487f49f4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vblocadob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	571fc924f15567b238690533831137abe246a0cbfda782112b1a93af487f49f4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aoptiloc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NETSTAT.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1772	ipconfig.exe
1252	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3008	571fc924f15567b238690533831137abe246a0cbfda782112b1a93af487f49f4.exe
3008	571fc924f15567b238690533831137abe246a0cbfda782112b1a93af487f49f4.exe
2176	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vblocadob.exe
2800	aoptiloc.exe
3008	571fc924f15567b238690533831137abe246a0cbfda782112b1a93af487f49f4.exe
2176	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vblocadob.exe
2800	aoptiloc.exe
3008	571fc924f15567b238690533831137abe246a0cbfda782112b1a93af487f49f4.exe
2176	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vblocadob.exe
2800	aoptiloc.exe
3008	571fc924f15567b238690533831137abe246a0cbfda782112b1a93af487f49f4.exe
2176	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vblocadob.exe
2800	aoptiloc.exe
3008	571fc924f15567b238690533831137abe246a0cbfda782112b1a93af487f49f4.exe
2176	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vblocadob.exe
2800	aoptiloc.exe
3008	571fc924f15567b238690533831137abe246a0cbfda782112b1a93af487f49f4.exe
2176	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vblocadob.exe
2800	aoptiloc.exe
3008	571fc924f15567b238690533831137abe246a0cbfda782112b1a93af487f49f4.exe
2176	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vblocadob.exe
2800	aoptiloc.exe
3008	571fc924f15567b238690533831137abe246a0cbfda782112b1a93af487f49f4.exe
2176	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vblocadob.exe
2800	aoptiloc.exe
3008	571fc924f15567b238690533831137abe246a0cbfda782112b1a93af487f49f4.exe
2176	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vblocadob.exe
2800	aoptiloc.exe
3008	571fc924f15567b238690533831137abe246a0cbfda782112b1a93af487f49f4.exe
2176	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vblocadob.exe
2800	aoptiloc.exe
3008	571fc924f15567b238690533831137abe246a0cbfda782112b1a93af487f49f4.exe
2176	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vblocadob.exe
2800	aoptiloc.exe
3008	571fc924f15567b238690533831137abe246a0cbfda782112b1a93af487f49f4.exe
2176	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vblocadob.exe
2800	aoptiloc.exe
3008	571fc924f15567b238690533831137abe246a0cbfda782112b1a93af487f49f4.exe
2176	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vblocadob.exe
2800	aoptiloc.exe
3008	571fc924f15567b238690533831137abe246a0cbfda782112b1a93af487f49f4.exe
2176	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vblocadob.exe
2800	aoptiloc.exe
3008	571fc924f15567b238690533831137abe246a0cbfda782112b1a93af487f49f4.exe
2176	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vblocadob.exe
2800	aoptiloc.exe
3008	571fc924f15567b238690533831137abe246a0cbfda782112b1a93af487f49f4.exe
2176	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vblocadob.exe
2800	aoptiloc.exe
3008	571fc924f15567b238690533831137abe246a0cbfda782112b1a93af487f49f4.exe
2176	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vblocadob.exe
2800	aoptiloc.exe
3008	571fc924f15567b238690533831137abe246a0cbfda782112b1a93af487f49f4.exe
2176	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vblocadob.exe
2800	aoptiloc.exe
3008	571fc924f15567b238690533831137abe246a0cbfda782112b1a93af487f49f4.exe
2176	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vblocadob.exe
2800	aoptiloc.exe
3008	571fc924f15567b238690533831137abe246a0cbfda782112b1a93af487f49f4.exe
2176	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vblocadob.exe
2800	aoptiloc.exe
3008	571fc924f15567b238690533831137abe246a0cbfda782112b1a93af487f49f4.exe
2176	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vblocadob.exe
2800	aoptiloc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1252	NETSTAT.EXE

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 3008 wrote to memory of 2176	3008	571fc924f15567b238690533831137abe246a0cbfda782112b1a93af487f49f4.exe	30
PID 3008 wrote to memory of 2176	3008	571fc924f15567b238690533831137abe246a0cbfda782112b1a93af487f49f4.exe	30
PID 3008 wrote to memory of 2176	3008	571fc924f15567b238690533831137abe246a0cbfda782112b1a93af487f49f4.exe	30
PID 3008 wrote to memory of 2176	3008	571fc924f15567b238690533831137abe246a0cbfda782112b1a93af487f49f4.exe	30
PID 3008 wrote to memory of 2800	3008	571fc924f15567b238690533831137abe246a0cbfda782112b1a93af487f49f4.exe	31
PID 3008 wrote to memory of 2800	3008	571fc924f15567b238690533831137abe246a0cbfda782112b1a93af487f49f4.exe	31
PID 3008 wrote to memory of 2800	3008	571fc924f15567b238690533831137abe246a0cbfda782112b1a93af487f49f4.exe	31
PID 3008 wrote to memory of 2800	3008	571fc924f15567b238690533831137abe246a0cbfda782112b1a93af487f49f4.exe	31
PID 2176 wrote to memory of 372	2176	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vblocadob.exe	33
PID 2176 wrote to memory of 372	2176	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vblocadob.exe	33
PID 2176 wrote to memory of 372	2176	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vblocadob.exe	33
PID 2176 wrote to memory of 372	2176	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vblocadob.exe	33
PID 2176 wrote to memory of 2992	2176	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vblocadob.exe	35
PID 2176 wrote to memory of 2992	2176	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vblocadob.exe	35
PID 2176 wrote to memory of 2992	2176	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vblocadob.exe	35
PID 2176 wrote to memory of 2992	2176	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vblocadob.exe	35
PID 2176 wrote to memory of 2652	2176	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vblocadob.exe	37
PID 2176 wrote to memory of 2652	2176	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vblocadob.exe	37
PID 2176 wrote to memory of 2652	2176	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vblocadob.exe	37
PID 2176 wrote to memory of 2652	2176	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vblocadob.exe	37
PID 372 wrote to memory of 1772	372	cmd.exe	39
PID 372 wrote to memory of 1772	372	cmd.exe	39
PID 372 wrote to memory of 1772	372	cmd.exe	39
PID 372 wrote to memory of 1772	372	cmd.exe	39
PID 2992 wrote to memory of 1252	2992	cmd.exe	40
PID 2992 wrote to memory of 1252	2992	cmd.exe	40
PID 2992 wrote to memory of 1252	2992	cmd.exe	40
PID 2992 wrote to memory of 1252	2992	cmd.exe	40
PID 2176 wrote to memory of 2136	2176	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vblocadob.exe	41
PID 2176 wrote to memory of 2136	2176	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vblocadob.exe	41
PID 2176 wrote to memory of 2136	2176	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vblocadob.exe	41
PID 2176 wrote to memory of 2136	2176	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vblocadob.exe	41

C:\Users\Admin\AppData\Local\Temp\571fc924f15567b238690533831137abe246a0cbfda782112b1a93af487f49f4.exe
"C:\Users\Admin\AppData\Local\Temp\571fc924f15567b238690533831137abe246a0cbfda782112b1a93af487f49f4.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Users\AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vblocadob.exe
  C:\Users\AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vblocadob.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2176
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ipconfig > C:\Users\Admin\ipconfig.txt
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:372
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig
      4⤵
      System Location Discovery: System Language Discovery
      Gathers network information
      PID:1772
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c netstat -a > C:\Users\Admin\netstat.txt
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2992
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -a
      4⤵
      System Location Discovery: System Language Discovery
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:1252
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c dir C:\*.txt /b /s >> C:\Users\Admin\grubb.list
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2652
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c dir C:\*.doc /b /s >> C:\Users\Admin\grubb.list
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2136
- C:\SysDrvEF\aoptiloc.exe
  C:\SysDrvEF\aoptiloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZMH\dobxsys.exe

Filesize
2.2MB

MD5
5c47060f67b93fb2d6d39a3bd5e9c07f

SHA1
4f7748a6cafec5ee3f21838ecd86d3e62860a0da

SHA256
1a2343c4abdc460b40a69bbe112a80db4c7b838935fe51c479a30851d0411a46

SHA512
11c70175646e4ac2bb26a894355317fce120841fbba495b5822ff2dd76c6de9b2d9f1e1bd3fe85da6628c592bf9fec56227f6b7304d3782f111959f2fbfeeb85

Download Submit
C:\LabZMH\dobxsys.exe

Filesize
13KB

MD5
8f500a8d9e8493717459f054430d4a07

SHA1
a566d5b91e7864419b99c088e7fb18f3ae39644c

SHA256
72e0c5b8014dceb80b1d7b0707b65402106e3fba25f19ef2d3d445a8c21d65ee

SHA512
bb454c14b1058db64cbde6aaf43dac867ddd0032acb9c95f8b749e6da232c08f6283f693c93b65ab096120b8df1da9af3f32808d8184593692dae0675576ca43

Download Submit
C:\SysDrvEF\aoptiloc.exe

Filesize
2.7MB

MD5
b0b76e330f4c2c4a13d5f7c86c3e3334

SHA1
5a9f6c5e9e733c588b26915cf5414b20e0e131b7

SHA256
262b99e794f02508bad70ea4d07af70ec59dd43b4432e00c024294310163896d

SHA512
f3079fc486a30525a6d784eead16aac22a9be8e7ce25100243b62e52045a128fba2e004758ec3396c3c343d6e81ce7acce8efe9d7c657e0d46cb943bc691037a

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
7689e920f65ea01a3e723ad625217628

SHA1
185848a1b5a1a3e3fad4c4417704c59c67dc19cb

SHA256
2614b4326008613857a2af453e1e30fc378f3c980b955df02cc7a3b5bda9738c

SHA512
e0b9226e94bc066e426a5ac83029d31ad7b6fec67b14bd4d8c7a88b3f127a17a3b376a6be98a9a2cdb7f09260d487d49200bc5739c3510c4b537ff0356737bf0

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
a39849f624f0ebfab2c337222778db70

SHA1
bf46ffeea0d768204ee01557d3d1d5ca9ca8393f

SHA256
49a475a452a404b2ee657fd6864780f62dc6a553ae0fdab2aca31e5a091b0f06

SHA512
43d2b68b4a049fdf56f4d19f24b90d83188e15032d6564acc9b9997dbfe6601235d3e4c9f944447da2e6130abd9338b84250b1c16c364a39ba10edfe61d038d6

Download Submit
C:\Users\Admin\grubb.list

Filesize
262KB

MD5
9841cb998cd1c1b43a88cdb6cf903a13

SHA1
e5060241c5477b5bea00c0ce8744a518558f08f3

SHA256
16e7cb8a6e138dee5d99f98d6f91c9f33999eaea9c9ea9359576e49738c5d5dd

SHA512
223fea5640430d759a81c796040907e767d000d65491368c38dc8ab2826928a75d8792fa057ac042c990c7680e368d0846c2bf2e758a40a1066d6cdf32f4dbbb

Download Submit
\Users\AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vblocadob.exe

Filesize
2.7MB

MD5
26f05527839179242e8fa2317d52615c

SHA1
8b01cd184cc23704c561dbac32201c9419e03c96

SHA256
ab81411fc963d9c1896a2e5ab6e151ac543152d27d954c02b42cd6c2a9490905

SHA512
b25d114758d889d31f9cd4359ff12dfd873da9720a84a4af49f155eeb1195438966031ae06346dc221269efcb9307d6027ff51094bf10659cbe7e703aa1771ea

Download Submit