f790d9d41ccd8b36df9f1f9f02e97bafa56b71b18cf78646faa10c0a56593a1f

Analysis

max time kernel
120s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/09/2024, 11:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

97f7388bc98a68b44272c750336f8450N.exe
Size

2.6MB
MD5

97f7388bc98a68b44272c750336f8450
SHA1

d6cb95b680fdafcbb430b05b775a6b41eb47cab1
SHA256

f790d9d41ccd8b36df9f1f9f02e97bafa56b71b18cf78646faa10c0a56593a1f
SHA512

56c9afae5260cf5c7d8ef84eb1a1607578886867ecf5f96ebf6d8e96dcc18351bc0e257a252c1f69660147aa4d86671b39018687ec25e8780573f9aba9b9208c
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBMB/bS:sxX7QnxrloE5dpUpTb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe	97f7388bc98a68b44272c750336f8450N.exe

Executes dropped EXE 2 IoCs

pid	Process
4324	locabod.exe
2916	aoptiec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocYF\\aoptiec.exe"	97f7388bc98a68b44272c750336f8450N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZDU\\dobxsys.exe"	97f7388bc98a68b44272c750336f8450N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	97f7388bc98a68b44272c750336f8450N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locabod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aoptiec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4308	97f7388bc98a68b44272c750336f8450N.exe
4308	97f7388bc98a68b44272c750336f8450N.exe
4308	97f7388bc98a68b44272c750336f8450N.exe
4308	97f7388bc98a68b44272c750336f8450N.exe
4324	locabod.exe
4324	locabod.exe
2916	aoptiec.exe
2916	aoptiec.exe
4324	locabod.exe
4324	locabod.exe
2916	aoptiec.exe
2916	aoptiec.exe
4324	locabod.exe
4324	locabod.exe
2916	aoptiec.exe
2916	aoptiec.exe
4324	locabod.exe
4324	locabod.exe
2916	aoptiec.exe
2916	aoptiec.exe
4324	locabod.exe
4324	locabod.exe
2916	aoptiec.exe
2916	aoptiec.exe
4324	locabod.exe
4324	locabod.exe
2916	aoptiec.exe
2916	aoptiec.exe
4324	locabod.exe
4324	locabod.exe
2916	aoptiec.exe
2916	aoptiec.exe
4324	locabod.exe
4324	locabod.exe
2916	aoptiec.exe
2916	aoptiec.exe
4324	locabod.exe
4324	locabod.exe
2916	aoptiec.exe
2916	aoptiec.exe
4324	locabod.exe
4324	locabod.exe
2916	aoptiec.exe
2916	aoptiec.exe
4324	locabod.exe
4324	locabod.exe
2916	aoptiec.exe
2916	aoptiec.exe
4324	locabod.exe
4324	locabod.exe
2916	aoptiec.exe
2916	aoptiec.exe
4324	locabod.exe
4324	locabod.exe
2916	aoptiec.exe
2916	aoptiec.exe
4324	locabod.exe
4324	locabod.exe
2916	aoptiec.exe
2916	aoptiec.exe
4324	locabod.exe
4324	locabod.exe
2916	aoptiec.exe
2916	aoptiec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4308 wrote to memory of 4324	4308	97f7388bc98a68b44272c750336f8450N.exe	87
PID 4308 wrote to memory of 4324	4308	97f7388bc98a68b44272c750336f8450N.exe	87
PID 4308 wrote to memory of 4324	4308	97f7388bc98a68b44272c750336f8450N.exe	87
PID 4308 wrote to memory of 2916	4308	97f7388bc98a68b44272c750336f8450N.exe	88
PID 4308 wrote to memory of 2916	4308	97f7388bc98a68b44272c750336f8450N.exe	88
PID 4308 wrote to memory of 2916	4308	97f7388bc98a68b44272c750336f8450N.exe	88

C:\Users\Admin\AppData\Local\Temp\97f7388bc98a68b44272c750336f8450N.exe
"C:\Users\Admin\AppData\Local\Temp\97f7388bc98a68b44272c750336f8450N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4308
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4324
- C:\IntelprocYF\aoptiec.exe
  C:\IntelprocYF\aoptiec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocYF\aoptiec.exe

Filesize
723KB

MD5
fdd2527e3688aab6c6b1e76c7de10c73

SHA1
8f94b17fd6aee482fc863022984501c8acfe255d

SHA256
2977ee280cdd347385da19d1a3a571b6818e0ca471a2d2f65051427be2bb4853

SHA512
bc086b179f2f15033524edfeac1d02843818a4635492f8bca9005efa044ce50ae6ebab7de04275244568161b912295058d630c926c3615559f95186f5457db67

Download Submit
C:\IntelprocYF\aoptiec.exe

Filesize
2.6MB

MD5
66a9668331a385857d2a7d940c3cd880

SHA1
a3b992dbb11685bf7823eaadd956ae08a8e68350

SHA256
a81f9b7bbd42cc54d33473288186698e799ff44b96897dede5934c6b7d5fb397

SHA512
11c723292f933e72a7bf0ca0e757dba1191f3865106a1d6fff11fc20412c0107860b93b295faf56a1568903aa0abdb2b5bd4f198df49a3905ba8471403be43d6

Download Submit
C:\LabZDU\dobxsys.exe

Filesize
2.6MB

MD5
3037675782acb5a0c9e186128914c40a

SHA1
9b6552dbb806bd8b1ba06d984ef7c93f2a767edc

SHA256
70ec2da1787934dfb86231bff8ee7e6b9d2b5da1c27e9499663bcba796d22404

SHA512
8e91a776d8166fe3cf97a7c92910a8639dd11b262d6d309bedadcbcfff1a549c7f04d94c102427a9772d0517d7bee6148f871ec9c8ece7392057478551c0395b

Download Submit
C:\LabZDU\dobxsys.exe

Filesize
2.6MB

MD5
f223bea73ef6c0c131c0c8a0015e4bae

SHA1
1f5d7c656b21eb90cc051b63c276d9d5292412bb

SHA256
8821f7b1d2710e9af5871541970f3f4e34dbddac4b808b6a2aec889ccdecf33b

SHA512
5713aeb2ca057401354b29f2ad735d414d51975ee955d49d941e8821d8ce7e135d5fba9fc0934b1898e5ef7b727532ca1b9895078e3175af0cd18a3fd457dc47

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
378dec78b2ada74e8b9ad101bf0808ec

SHA1
54ae57dd286d16984b7fb5dd1d24c864880e4dd6

SHA256
ef8d3675780002040e13cf3ba70ea7c2132dd7af44bd87e58532a9fb3f24b537

SHA512
eaae62258e8df83242c9b0d25565c45c7f9827357e92d4c499214479223a9b3f6ee737dc5192874e3eb3c3210929ac3e0477c0112b8c4e6c7ccd317020962208

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
172B

MD5
5cf7699c3910741e4fe0df6e7c5b9ef3

SHA1
94b44d03fe11407151eab72ea329d6483ca77320

SHA256
f9ebf3f505bdd5028d2f8e165624b3718aae236eee3732c24b935edc9bbacdf3

SHA512
3a06e43b401890e8ac203c21777f2e23ea18d3b460bc6c143f7e450b5864612fbf2d59b13635b28e927493421eadcce23122280343d98ecbcaf3cd774171fb32

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe

Filesize
2.6MB

MD5
51747cb44b45ef1b8f104d3d2d047e73

SHA1
2d75c892c29ebaedfc838777288a4aa4c01d090b

SHA256
f607dc98678bc2df0ed7151ee84782e0132f69cb9f9027147f878d21f9d44dfa

SHA512
b46e819b0234614721836b5824ab66b9cc06e10ab90bfeaa96e5a6ab5cf8a63d85d48dbe38235215501fbfc1afc75ff1e600ded0da010aaf4957b5ea85e61702

Download Submit