df202c6ca898e9fda26051a904060d888ef12f67b5bc502b5380867bd40ed8e7

Analysis

max time kernel
119s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23-08-2024 15:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02a452350d14bd5913494c51127161a0N.exe
Size

2.6MB
MD5

02a452350d14bd5913494c51127161a0
SHA1

d951e2c40d1aa00306b2881962c1d71b54eeb236
SHA256

df202c6ca898e9fda26051a904060d888ef12f67b5bc502b5380867bd40ed8e7
SHA512

e65f838e390d7f380e49ac38c65aa61c90ddf3c0b9a43c6e472bbc616773e154396cb96dfeca51aa037afd34e9cbc4694ab7eb043534d23abd7a35a1fb1eff7f
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBPB/bS:sxX7QnxrloE5dpUpQb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe	02a452350d14bd5913494c51127161a0N.exe

Executes dropped EXE 2 IoCs

pid	Process
3784	locaopti.exe
2028	aoptiloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesEO\\aoptiloc.exe"	02a452350d14bd5913494c51127161a0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintRH\\dobaec.exe"	02a452350d14bd5913494c51127161a0N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	02a452350d14bd5913494c51127161a0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locaopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aoptiloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4048	02a452350d14bd5913494c51127161a0N.exe
4048	02a452350d14bd5913494c51127161a0N.exe
4048	02a452350d14bd5913494c51127161a0N.exe
4048	02a452350d14bd5913494c51127161a0N.exe
3784	locaopti.exe
3784	locaopti.exe
2028	aoptiloc.exe
2028	aoptiloc.exe
3784	locaopti.exe
3784	locaopti.exe
2028	aoptiloc.exe
2028	aoptiloc.exe
3784	locaopti.exe
3784	locaopti.exe
2028	aoptiloc.exe
2028	aoptiloc.exe
3784	locaopti.exe
3784	locaopti.exe
2028	aoptiloc.exe
2028	aoptiloc.exe
3784	locaopti.exe
3784	locaopti.exe
2028	aoptiloc.exe
2028	aoptiloc.exe
3784	locaopti.exe
3784	locaopti.exe
2028	aoptiloc.exe
2028	aoptiloc.exe
3784	locaopti.exe
3784	locaopti.exe
2028	aoptiloc.exe
2028	aoptiloc.exe
3784	locaopti.exe
3784	locaopti.exe
2028	aoptiloc.exe
2028	aoptiloc.exe
3784	locaopti.exe
3784	locaopti.exe
2028	aoptiloc.exe
2028	aoptiloc.exe
3784	locaopti.exe
3784	locaopti.exe
2028	aoptiloc.exe
2028	aoptiloc.exe
3784	locaopti.exe
3784	locaopti.exe
2028	aoptiloc.exe
2028	aoptiloc.exe
3784	locaopti.exe
3784	locaopti.exe
2028	aoptiloc.exe
2028	aoptiloc.exe
3784	locaopti.exe
3784	locaopti.exe
2028	aoptiloc.exe
2028	aoptiloc.exe
3784	locaopti.exe
3784	locaopti.exe
2028	aoptiloc.exe
2028	aoptiloc.exe
3784	locaopti.exe
3784	locaopti.exe
2028	aoptiloc.exe
2028	aoptiloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4048 wrote to memory of 3784	4048	02a452350d14bd5913494c51127161a0N.exe	88
PID 4048 wrote to memory of 3784	4048	02a452350d14bd5913494c51127161a0N.exe	88
PID 4048 wrote to memory of 3784	4048	02a452350d14bd5913494c51127161a0N.exe	88
PID 4048 wrote to memory of 2028	4048	02a452350d14bd5913494c51127161a0N.exe	89
PID 4048 wrote to memory of 2028	4048	02a452350d14bd5913494c51127161a0N.exe	89
PID 4048 wrote to memory of 2028	4048	02a452350d14bd5913494c51127161a0N.exe	89

C:\Users\Admin\AppData\Local\Temp\02a452350d14bd5913494c51127161a0N.exe
"C:\Users\Admin\AppData\Local\Temp\02a452350d14bd5913494c51127161a0N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4048
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3784
- C:\FilesEO\aoptiloc.exe
  C:\FilesEO\aoptiloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesEO\aoptiloc.exe

Filesize
2.6MB

MD5
3600c053b8d0e83c84774daa316ca0f7

SHA1
2f1e01db2d833dc6029e0635d7db48ebf44c5054

SHA256
564cdd8360774ff2cff0025f310aa3e89c228ffdd23a54f2071960dbaecd23ce

SHA512
4164502a88b0088d9233faa07fcf4611f50f53c88927943493c95dc3fe99f752c75bc10691913c8eb55dba12a28de647f82fe2085d8ae8df9a7ac5ef9cd88a2d

Download Submit
C:\MintRH\dobaec.exe

Filesize
2.6MB

MD5
a9b6b5013f4cdbff74b94b1734501fc8

SHA1
3b4793d85c1257a4f2157e5daa585b3c0b61b51d

SHA256
6e266568d63a21e48a3f3f7a1eb16a9b017ab2dd541335a218239ac56f085486

SHA512
a4d3e4e9ed166fdf9797f157fb2957161f330d62acf4e1db3fbf944d13438f7cde70ac0c343bab754cd292d78b8279c382ad30272071d94bd91ea3d900a5974a

Download Submit
C:\MintRH\dobaec.exe

Filesize
136KB

MD5
4a9df1ef4ca13e58397520a1127212d1

SHA1
14ec628d7898e8c997ea9fdc72eb3e8e37d7e54f

SHA256
3ddd45b34cbb21322cf39c8170b544c7f6abf24dd5d84488058519841602bd9d

SHA512
26ec9bf5862941039e5229bc87a4c65f8b5d8917b31ddabba2c259d8f0755a093d24c9216e5e618d58bebbfa54caabc7096052336d4316d581eceb088a69c6df

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
201B

MD5
d0a564858c613baf3f0f52f2cdc4f1bc

SHA1
f9278236bf8e7771fe7292cd892bc567e91ee3f2

SHA256
1d406e84b5745437525bfcfc8748fc043d14178e76da6fed0c0abfc6e57bce7c

SHA512
b555f5accd299f05b86f46e612adf10bf02112c97f40f6b658223366960f9e49fbea03444a5b66451b22dfe293848f595a3f5482579b9f109cc913f832da6be1

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
169B

MD5
abae5b52a39c56017c0b39e17cfff09a

SHA1
9644c21015babeebebc2dfc3e6c01bcde733cf83

SHA256
ccd54c24ca8ea33a8e1b4723dc86644ce8afdb7a5e6d144306d7e9211aa0bba7

SHA512
79b3f409ed2daeac4b6b32b1b200b7d90bdde7d7d006147df88adbff1407534a9a230e22341bf660ab6b8f8166a50c59324ca5f0fd3854bf0f1631ade69ffad4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe

Filesize
2.6MB

MD5
d0d39c280cd0afa66b5ffbc41ff50a1d

SHA1
072e78018b00af30b7b7184ae7ca4616af6c6bf7

SHA256
d9573f6e0cdc0c6f7f3e7f190632a16793980de387bf16a9a5b4137fa0c4e63f

SHA512
cbdfab02798c7dbe691bbae7908005f795177028af32a1573bd8ee4d4e88cccf4ef749c58a6f86510d6a72e4debc97e8b3646b7f31e6dc127c3db17d3feb661a

Download Submit