f39b6b360978330b6060eb481cb859866dd1db7c82a94baadfc5bf02400cda00

Analysis

max time kernel
120s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06-10-2024 11:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f39b6b360978330b6060eb481cb859866dd1db7c82a94baadfc5bf02400cda00N.exe
Size

2.6MB
MD5

97a1f048d633a5f71f417cdde4bd3ca0
SHA1

4ba533044b20da69245209e1ba919670dec7f9ba
SHA256

f39b6b360978330b6060eb481cb859866dd1db7c82a94baadfc5bf02400cda00
SHA512

f8da8496043fd213260244eaf60011eb78c5126c547afefef92617eebed778df2f89907d9fb8718f445c02e6ae51d25d5509ddd7c97569df12e20926a23e32fe
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBCB/bS:sxX7QnxrloE5dpUpJb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe	f39b6b360978330b6060eb481cb859866dd1db7c82a94baadfc5bf02400cda00N.exe

Executes dropped EXE 2 IoCs

pid	Process
2784	locaopti.exe
2696	aoptiec.exe

Loads dropped DLL 2 IoCs

pid	Process
1448	f39b6b360978330b6060eb481cb859866dd1db7c82a94baadfc5bf02400cda00N.exe
1448	f39b6b360978330b6060eb481cb859866dd1db7c82a94baadfc5bf02400cda00N.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotUN\\aoptiec.exe"	f39b6b360978330b6060eb481cb859866dd1db7c82a94baadfc5bf02400cda00N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB95\\bodaec.exe"	f39b6b360978330b6060eb481cb859866dd1db7c82a94baadfc5bf02400cda00N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f39b6b360978330b6060eb481cb859866dd1db7c82a94baadfc5bf02400cda00N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locaopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aoptiec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1448	f39b6b360978330b6060eb481cb859866dd1db7c82a94baadfc5bf02400cda00N.exe
1448	f39b6b360978330b6060eb481cb859866dd1db7c82a94baadfc5bf02400cda00N.exe
2784	locaopti.exe
2696	aoptiec.exe
2784	locaopti.exe
2696	aoptiec.exe
2784	locaopti.exe
2696	aoptiec.exe
2784	locaopti.exe
2696	aoptiec.exe
2784	locaopti.exe
2696	aoptiec.exe
2784	locaopti.exe
2696	aoptiec.exe
2784	locaopti.exe
2696	aoptiec.exe
2784	locaopti.exe
2696	aoptiec.exe
2784	locaopti.exe
2696	aoptiec.exe
2784	locaopti.exe
2696	aoptiec.exe
2784	locaopti.exe
2696	aoptiec.exe
2784	locaopti.exe
2696	aoptiec.exe
2784	locaopti.exe
2696	aoptiec.exe
2784	locaopti.exe
2696	aoptiec.exe
2784	locaopti.exe
2696	aoptiec.exe
2784	locaopti.exe
2696	aoptiec.exe
2784	locaopti.exe
2696	aoptiec.exe
2784	locaopti.exe
2696	aoptiec.exe
2784	locaopti.exe
2696	aoptiec.exe
2784	locaopti.exe
2696	aoptiec.exe
2784	locaopti.exe
2696	aoptiec.exe
2784	locaopti.exe
2696	aoptiec.exe
2784	locaopti.exe
2696	aoptiec.exe
2784	locaopti.exe
2696	aoptiec.exe
2784	locaopti.exe
2696	aoptiec.exe
2784	locaopti.exe
2696	aoptiec.exe
2784	locaopti.exe
2696	aoptiec.exe
2784	locaopti.exe
2696	aoptiec.exe
2784	locaopti.exe
2696	aoptiec.exe
2784	locaopti.exe
2696	aoptiec.exe
2784	locaopti.exe
2696	aoptiec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1448 wrote to memory of 2784	1448	f39b6b360978330b6060eb481cb859866dd1db7c82a94baadfc5bf02400cda00N.exe	30
PID 1448 wrote to memory of 2784	1448	f39b6b360978330b6060eb481cb859866dd1db7c82a94baadfc5bf02400cda00N.exe	30
PID 1448 wrote to memory of 2784	1448	f39b6b360978330b6060eb481cb859866dd1db7c82a94baadfc5bf02400cda00N.exe	30
PID 1448 wrote to memory of 2784	1448	f39b6b360978330b6060eb481cb859866dd1db7c82a94baadfc5bf02400cda00N.exe	30
PID 1448 wrote to memory of 2696	1448	f39b6b360978330b6060eb481cb859866dd1db7c82a94baadfc5bf02400cda00N.exe	31
PID 1448 wrote to memory of 2696	1448	f39b6b360978330b6060eb481cb859866dd1db7c82a94baadfc5bf02400cda00N.exe	31
PID 1448 wrote to memory of 2696	1448	f39b6b360978330b6060eb481cb859866dd1db7c82a94baadfc5bf02400cda00N.exe	31
PID 1448 wrote to memory of 2696	1448	f39b6b360978330b6060eb481cb859866dd1db7c82a94baadfc5bf02400cda00N.exe	31

C:\Users\Admin\AppData\Local\Temp\f39b6b360978330b6060eb481cb859866dd1db7c82a94baadfc5bf02400cda00N.exe
"C:\Users\Admin\AppData\Local\Temp\f39b6b360978330b6060eb481cb859866dd1db7c82a94baadfc5bf02400cda00N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1448
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2784
- C:\UserDotUN\aoptiec.exe
  C:\UserDotUN\aoptiec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVB95\bodaec.exe

Filesize
2.6MB

MD5
a07c70f641bc76f4b30e703d298fd99a

SHA1
94b513f3d647c6ae971535fef382bf4e78d67067

SHA256
38995448d26ac3f0b5b97d8f00e6ce9179b420f7136367de6a4da9fe6dbebf65

SHA512
5fb4366bb803a730fda67008573296348a72b6035b978d55d2c79a699ca1b68eac0b230d9c5ac4db9bf1d34d93e256c3cd309440302dc934957d1011967bb698

Download Submit
C:\KaVB95\bodaec.exe

Filesize
2.6MB

MD5
5366e740ea5a56f0606082471bdd10de

SHA1
0fa27b3f8c0047c72f67b7afdeb5f901d90d417f

SHA256
144e638379a944e5d9fb19f2d2cef5bf9fde52da8a40fd35085477409d3c94e7

SHA512
fb2a632bb9e0463402b0a7ac2df1dcb5957e10cd391aa47c26c9f0153d453356dbc2deed555cccdad1b77202914e01335d03a9bdafa82ec07060c9c4bad257dd

Download Submit
C:\UserDotUN\aoptiec.exe

Filesize
2.6MB

MD5
3daebeea97f7afb731d325f4405df143

SHA1
14f79175d949a51f96fc0c5df90d73f67815e4f4

SHA256
beb52505cc5aff9f169681c55d2d00b7276ef5020ed3c4cb9ab346af6b3446c6

SHA512
2373ec132258f522101e06d13fc7109d61d20193df27b22d07253797467f258913c8832e09fafe4a6f5e21579aa2eb433556370a8a62d538205834291d2ed17d

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
170B

MD5
ea0b44076e470651aa4b3325214aa039

SHA1
9628821d1e28358ad931ffa6e79055bf17f254fb

SHA256
86bb5538050e881184321fbcb9e016da15e958757c447c20f961b80ac9a2e296

SHA512
bbc41ce9ebaf5b89d1504c51e87121a723c423b6adda0576c1c70a3f9cbbddc593f6d9d83906a1b00dbdf0edbfe54a15679ab56872f92e4b4f4961c0ab867c05

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
706265393a62cd361bc61bb1a082b217

SHA1
7f5082091f99917e22a18cd6ebc16ef30597feac

SHA256
8b74904c3b5328f6c82c85218318d1369d97cc6a2b7eb08306e486ba7cedd338

SHA512
df16faacb0434cd2dbce2fdd547f5866c05ace101ea90f448d2507df0f5b38a472cf83b3a20c80e6ba1727ec2fc64a14004ba624914d3dc9cb44bb4ca76ec254

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe

Filesize
2.6MB

MD5
475324eb002e3e4929a428e409a6cfa5

SHA1
f5a3da8348e489fa77ce8f7a11e954a359232918

SHA256
ff7bcd22b2450bacc31ce0aabad8ea13ba8b7304f7080b90085dfa0d6a9e61b6

SHA512
94682c39c02d897f6334825ca3cd74f32ce11b84fadc857f26d041889e3fe46bd28d8db44a15b9044a5b2a610131ee39c9b972fa8f4eff6c367bcd86c046ac78

Download Submit