f1bf556ef94603ea946bd27cb9c686e520dd50fe0c762f75cf08fe0595a1565d

Analysis

max time kernel
118s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23/08/2024, 02:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f0c58b24c740de9681c9cb41e34ac9a0N.exe
Size

351KB
MD5

f0c58b24c740de9681c9cb41e34ac9a0
SHA1

2aa05df9c2af523518fa6e047cc09720d24f4906
SHA256

f1bf556ef94603ea946bd27cb9c686e520dd50fe0c762f75cf08fe0595a1565d
SHA512

38f22a8910078e1392039dcf087f58117ee03d170edacbad2b47accffa1fe750a90c4a45fdc9d444ba78b5a462cd27054da87fe1dafdc0418ca88aab2be5a38c
SSDEEP

6144:Cs0N0GfEoS6ko+7bRD0I6qgG6z6QnkNblLIFifV9y7TJ1lJri8Ey:n0N0GfE0ko+xD0I6tGo659b9IJc8E

Score

7^/10

discovery persistence

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti[jln[kn[nl[kn	f0c58b24c740de9681c9cb41e34ac9a0N.exe

Executes dropped EXE 2 IoCs

pid	Process
4620	locxopti[jln[kn[nl[kn
4988	aoptiec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv6G\\aoptiec.exe"	f0c58b24c740de9681c9cb41e34ac9a0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBQO\\bodaec.exe"	f0c58b24c740de9681c9cb41e34ac9a0N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f0c58b24c740de9681c9cb41e34ac9a0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locxopti[jln[kn[nl[kn
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aoptiec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3688	f0c58b24c740de9681c9cb41e34ac9a0N.exe
3688	f0c58b24c740de9681c9cb41e34ac9a0N.exe
3688	f0c58b24c740de9681c9cb41e34ac9a0N.exe
3688	f0c58b24c740de9681c9cb41e34ac9a0N.exe
4620	locxopti[jln[kn[nl[kn
4620	locxopti[jln[kn[nl[kn
4988	aoptiec.exe
4988	aoptiec.exe
4620	locxopti[jln[kn[nl[kn
4620	locxopti[jln[kn[nl[kn
4988	aoptiec.exe
4988	aoptiec.exe
4620	locxopti[jln[kn[nl[kn
4620	locxopti[jln[kn[nl[kn
4988	aoptiec.exe
4988	aoptiec.exe
4620	locxopti[jln[kn[nl[kn
4620	locxopti[jln[kn[nl[kn
4988	aoptiec.exe
4988	aoptiec.exe
4620	locxopti[jln[kn[nl[kn
4620	locxopti[jln[kn[nl[kn
4988	aoptiec.exe
4988	aoptiec.exe
4620	locxopti[jln[kn[nl[kn
4620	locxopti[jln[kn[nl[kn
4988	aoptiec.exe
4988	aoptiec.exe
4620	locxopti[jln[kn[nl[kn
4620	locxopti[jln[kn[nl[kn
4988	aoptiec.exe
4988	aoptiec.exe
4620	locxopti[jln[kn[nl[kn
4620	locxopti[jln[kn[nl[kn
4988	aoptiec.exe
4988	aoptiec.exe
4620	locxopti[jln[kn[nl[kn
4620	locxopti[jln[kn[nl[kn
4988	aoptiec.exe
4988	aoptiec.exe
4620	locxopti[jln[kn[nl[kn
4620	locxopti[jln[kn[nl[kn
4988	aoptiec.exe
4988	aoptiec.exe
4620	locxopti[jln[kn[nl[kn
4620	locxopti[jln[kn[nl[kn
4988	aoptiec.exe
4988	aoptiec.exe
4620	locxopti[jln[kn[nl[kn
4620	locxopti[jln[kn[nl[kn
4988	aoptiec.exe
4988	aoptiec.exe
4620	locxopti[jln[kn[nl[kn
4620	locxopti[jln[kn[nl[kn
4988	aoptiec.exe
4988	aoptiec.exe
4620	locxopti[jln[kn[nl[kn
4620	locxopti[jln[kn[nl[kn
4988	aoptiec.exe
4988	aoptiec.exe
4620	locxopti[jln[kn[nl[kn
4620	locxopti[jln[kn[nl[kn
4988	aoptiec.exe
4988	aoptiec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3688 wrote to memory of 4620	3688	f0c58b24c740de9681c9cb41e34ac9a0N.exe	91
PID 3688 wrote to memory of 4620	3688	f0c58b24c740de9681c9cb41e34ac9a0N.exe	91
PID 3688 wrote to memory of 4620	3688	f0c58b24c740de9681c9cb41e34ac9a0N.exe	91
PID 3688 wrote to memory of 4988	3688	f0c58b24c740de9681c9cb41e34ac9a0N.exe	92
PID 3688 wrote to memory of 4988	3688	f0c58b24c740de9681c9cb41e34ac9a0N.exe	92
PID 3688 wrote to memory of 4988	3688	f0c58b24c740de9681c9cb41e34ac9a0N.exe	92

C:\Users\Admin\AppData\Local\Temp\f0c58b24c740de9681c9cb41e34ac9a0N.exe
"C:\Users\Admin\AppData\Local\Temp\f0c58b24c740de9681c9cb41e34ac9a0N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3688
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti[jln[kn[nl[kn
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti[jln[kn[nl[kn"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4620
- C:\SysDrv6G\aoptiec.exe
  C:\SysDrv6G\aoptiec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBQO\bodaec.exe

Filesize
351KB

MD5
6067cce3bfc6a06d364a4f588080b2fa

SHA1
c8b70ac85a07987f43887c956394f8eb4d7148f6

SHA256
642d257e0ce33e3606f061b9ab0249c6b69de030697e8777b5a4f33334037f9c

SHA512
428331be2f5f8f279368f9a46df011259d62516d463901905345fb97212c841e7518486d9db04a36c6bb06055f80eb5e9d876448b22297fe6d231217815cf40c

Download Submit
C:\SysDrv6G\aoptiec.exe

Filesize
351KB

MD5
818119d6e1975f9d2bf9b6f6d06885e7

SHA1
224faff2980e5e1cdb6847a065925968fcc2e826

SHA256
b8bd9d00ff4db31cb7910d68a4e7e65269cb633d2a2ac770a00ce56779d53a7e

SHA512
a71ed70f15c1b46befbf0deae3081f9c68cd2ebe1ba2e86d3b8a4ead5f3de37c2f8ef2321ea9d667d091344a4c58a895ead0ef20a5d19d55a62e3c47360a1d94

Download Submit
C:\Users\Admin\253086396416_6.2_Admin.ini

Filesize
175B

MD5
b3e1b6e93534452bdfe99530f09b412d

SHA1
6698de32a6e7cbddce014cd53f6fe275cf17ea1c

SHA256
504db1c28fb73de689b17832172f848bebb9b5d4a8ae5002480b91d4bf2cacac

SHA512
0e2871516230be97a28dbf08b0ddbd1ffa383e8b49d857261b39046e6e473883b0e73b5297723589dd2c404c650d6f5a8de02e841ec3b2eb9a11b1584d75ba9b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti[jln[kn[nl[kn

Filesize
351KB

MD5
9c9dcc33a96f2f254f0645c07f8f8225

SHA1
9e373ea4b9a78e8fd0109db7a96fadb27dd646be

SHA256
421429bea320b8ffa3879404993eba02cc98632481a72d94c880b11d7fe96ef2

SHA512
10586e9157736a0cecdf742341c9c87c52b4877978b05c29510bf496b85e53eb50fd8a36baf1c5e6f6e21700ae74ff384e369d2438fa6f88439824a7e7e95ca2

Download Submit