cb709e197edd5aaaeb940f757f8bb7e23a0b1e11d5e34561200b38635b0bddea

Analysis

max time kernel
120s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07-09-2024 01:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

855dcca669144d13c8b07ea5bbfd6760N.exe
Size

2.6MB
MD5

855dcca669144d13c8b07ea5bbfd6760
SHA1

0d0350a79c13baacdf1bbf05ffdf0573692a45fc
SHA256

cb709e197edd5aaaeb940f757f8bb7e23a0b1e11d5e34561200b38635b0bddea
SHA512

81053959908c5d6b20f21cbd2063c9017cc4b4af1a8065b9a150bf87f4a8d4e0e010321621dc6ac09863f1f38778c6fcb30be32432a6403982661a54fef7036f
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB2B/bS:sxX7QnxrloE5dpUpdb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe	855dcca669144d13c8b07ea5bbfd6760N.exe

Executes dropped EXE 2 IoCs

pid	Process
3952	locxdob.exe
3964	aoptisys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv2O\\aoptisys.exe"	855dcca669144d13c8b07ea5bbfd6760N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBRM\\bodxec.exe"	855dcca669144d13c8b07ea5bbfd6760N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	855dcca669144d13c8b07ea5bbfd6760N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locxdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aoptisys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
468	855dcca669144d13c8b07ea5bbfd6760N.exe
468	855dcca669144d13c8b07ea5bbfd6760N.exe
468	855dcca669144d13c8b07ea5bbfd6760N.exe
468	855dcca669144d13c8b07ea5bbfd6760N.exe
3952	locxdob.exe
3952	locxdob.exe
3964	aoptisys.exe
3964	aoptisys.exe
3952	locxdob.exe
3952	locxdob.exe
3964	aoptisys.exe
3964	aoptisys.exe
3952	locxdob.exe
3952	locxdob.exe
3964	aoptisys.exe
3964	aoptisys.exe
3952	locxdob.exe
3952	locxdob.exe
3964	aoptisys.exe
3964	aoptisys.exe
3952	locxdob.exe
3952	locxdob.exe
3964	aoptisys.exe
3964	aoptisys.exe
3952	locxdob.exe
3952	locxdob.exe
3964	aoptisys.exe
3964	aoptisys.exe
3952	locxdob.exe
3952	locxdob.exe
3964	aoptisys.exe
3964	aoptisys.exe
3952	locxdob.exe
3952	locxdob.exe
3964	aoptisys.exe
3964	aoptisys.exe
3952	locxdob.exe
3952	locxdob.exe
3964	aoptisys.exe
3964	aoptisys.exe
3952	locxdob.exe
3952	locxdob.exe
3964	aoptisys.exe
3964	aoptisys.exe
3952	locxdob.exe
3952	locxdob.exe
3964	aoptisys.exe
3964	aoptisys.exe
3952	locxdob.exe
3952	locxdob.exe
3964	aoptisys.exe
3964	aoptisys.exe
3952	locxdob.exe
3952	locxdob.exe
3964	aoptisys.exe
3964	aoptisys.exe
3952	locxdob.exe
3952	locxdob.exe
3964	aoptisys.exe
3964	aoptisys.exe
3952	locxdob.exe
3952	locxdob.exe
3964	aoptisys.exe
3964	aoptisys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 468 wrote to memory of 3952	468	855dcca669144d13c8b07ea5bbfd6760N.exe	87
PID 468 wrote to memory of 3952	468	855dcca669144d13c8b07ea5bbfd6760N.exe	87
PID 468 wrote to memory of 3952	468	855dcca669144d13c8b07ea5bbfd6760N.exe	87
PID 468 wrote to memory of 3964	468	855dcca669144d13c8b07ea5bbfd6760N.exe	88
PID 468 wrote to memory of 3964	468	855dcca669144d13c8b07ea5bbfd6760N.exe	88
PID 468 wrote to memory of 3964	468	855dcca669144d13c8b07ea5bbfd6760N.exe	88

C:\Users\Admin\AppData\Local\Temp\855dcca669144d13c8b07ea5bbfd6760N.exe
"C:\Users\Admin\AppData\Local\Temp\855dcca669144d13c8b07ea5bbfd6760N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:468
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3952
- C:\SysDrv2O\aoptisys.exe
  C:\SysDrv2O\aoptisys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBRM\bodxec.exe

Filesize
2.6MB

MD5
32c9a54f6cc136adaa9363520c48a37c

SHA1
127999d2e068fad6e116e0c5a21bacc459896a26

SHA256
79402dbb82d222e2630ac6d4ce698514f91ffe5b9419aaa39bca1e3ba96e422d

SHA512
2a32ff3ca1234653df85ced320bf25e4b08a54e8a54f4bb4709ee37249adf6efbe33e87cfd5420a8b24b8e84d0a352aafe85bc054c92af0c649f10b6feac11f7

Download Submit
C:\KaVBRM\bodxec.exe

Filesize
274KB

MD5
85bde8842929d9d08104dfaac8613b04

SHA1
d1fec767370dada1f134da468e41f21a3a381a21

SHA256
85fade4eaa6069142a705fff2ce3fdc90c8c1c7f450635f59f36173ea9edd8f6

SHA512
ca686cf2f69c3203d6f470e23f3f2ae978f39006138c7dcf81542d33be9428ab4fc9a6e4f1820693d1223d66e0faf28513de3af0ca2ac5669e6b732b2783948c

Download Submit
C:\SysDrv2O\aoptisys.exe

Filesize
659KB

MD5
6682995824bfafde8dfaa45cad4f033e

SHA1
a9c640db0755066ee75a10fd083e5778b71e80b4

SHA256
5941ae09aa67f8b0f9dd034e0776943adc3336dee60fedd5decfc4708453661a

SHA512
d861b318029439321455bfa636c8b6479a4f6be6f28c0129487473bb53d3416b853330ccf27d34841ae08ce245cb500def9cc1bc60079426875dcf8e90f41aa3

Download Submit
C:\SysDrv2O\aoptisys.exe

Filesize
2.6MB

MD5
b55870d85ad47de8af42b378a7140f05

SHA1
dc149f1b40984db997de6a4d4d155ad3be5584de

SHA256
20b5a53f4c7bdcf88948dc34ebdc03a10424319e26a370d036a53687af3c5a83

SHA512
86d1fe316dcb4d4703625ac304467e2da80c500ff25ab33ecdfecba5d12662bc44e9f573ed1bc9724b853feeb96b8131da4f01dd8f2272a9487b3157e52b5bb8

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
201B

MD5
78a3aa6262fe90e5e952e7516c3c87d6

SHA1
4def5564aeb7fdec273e97491c032287cabdd444

SHA256
9fb3d8dbc6383339f1210563931f4ddf820c5ab5dab925b010273312abc775c3

SHA512
ddd35a15607a0c8b98e5564776ea040f6871d1ee00ae6b31e63c1e8cc8241c2e34643ee0e766a9be59e4f799164fe65c027fca1e0060077dbd2dccd00861bca6

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
169B

MD5
2744860926c137d5a3a8d68e53145df8

SHA1
ccbf8fa8d302f35c2e15a77398699744b2adc491

SHA256
956e63603ce8031023f03ce90fb32302f8a879cacb60ba958a46a2e4effb9b55

SHA512
59bff87d6b8454d136a599e292911ab2056b739abd44a64764ad810c6c31a93211ba8c9bbad0e1e2e65bbbed08c55f315e5b2756beda0be37ca222ea47a3fd9c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe

Filesize
2.6MB

MD5
d530016a1633f90a622bcf5706302587

SHA1
0776378eea03990b72e7af73e24eaec82a19e0e4

SHA256
50b3eb32d90aaa5c6b8e03cc19f7ea4e460a71660d00ef7ee177c508365742a1

SHA512
1dee0e83cb3d4ddaa75d9cbb0b9ef80d2cfe6320b5922dba19ee6147905e9ebe3f0db92d01ced74db89a8054312557126e471cd06c997e3842bb16f9d2fab1e6

Download Submit