Analysis
Max time kernel: 119s
Max time network: 102s
Platform: windows10-2004_x64
Resource: win10v2004-20241007-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 26-10-2024 04:26
Static task: static1
Behavioral task: behavioral1
  Sample: 931ea250d4f910eb22a9b0f90898bed29b36a8a3920fd7c54ede5cf36aad4ee6N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 931ea250d4f910eb22a9b0f90898bed29b36a8a3920fd7c54ede5cf36aad4ee6N.exe
  Resource: win10v2004-20241007-en
General
Target: 931ea250d4f910eb22a9b0f90898bed29b36a8a3920fd7c54ede5cf36aad4ee6N.exe
Size: 2.6MB
MD5: 2ead6a6da90bc4921365d428319a4d80
SHA1: 8c5ab884a871c1901a8223c9295db1b6125a26dd
SHA256: 931ea250d4f910eb22a9b0f90898bed29b36a8a3920fd7c54ede5cf36aad4ee6
SHA512: 4de06daa51637c60fd04075a5ad690a7443102e55b612171d05149242236653f9617164b56670bb0bad703816063d4aec24e1cf08d0624e1be369659a8e04f85
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBzB/bS:sxX7QnxrloE5dpUp4b
Malware Config
Signatures
Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
  Process: 931ea250d4f910eb22a9b0f90898bed29b36a8a3920fd7c54ede5cf36aad4ee6N.exe

Executes dropped EXE (2 IoCs)
  PID 2648: locdevbod.exe
  PID 4320: aoptisys.exe

Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar secrets.

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe2S\\aoptisys.exe"
    Process: 931ea250d4f910eb22a9b0f90898bed29b36a8a3920fd7c54ede5cf36aad4ee6N.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBPP\\bodaloc.exe"
    Process: 931ea250d4f910eb22a9b0f90898bed29b36a8a3920fd7c54ede5cf36aad4ee6N.exe

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim host in order to infer its geographical location.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Processes: 931ea250d4f910eb22a9b0f90898bed29b36a8a3920fd7c54ede5cf36aad4ee6N.exe, locdevbod.exe, aoptisys.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  64 events, all from these three processes:
  PID 3224: 931ea250d4f910eb22a9b0f90898bed29b36a8a3920fd7c54ede5cf36aad4ee6N.exe
  PID 2648: locdevbod.exe
  PID 4320: aoptisys.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 3224 wrote to memory of 2648 | 3224 | 931ea250d4f910eb22a9b0f90898bed29b36a8a3920fd7c54ede5cf36aad4ee6N.exe | 87 (recorded 3 times)
  PID 3224 wrote to memory of 4320 | 3224 | 931ea250d4f910eb22a9b0f90898bed29b36a8a3920fd7c54ede5cf36aad4ee6N.exe | 90 (recorded 3 times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\931ea250d4f910eb22a9b0f90898bed29b36a8a3920fd7c54ede5cf36aad4ee6N.exe (PID 3224)
   Command line: "C:\Users\Admin\AppData\Local\Temp\931ea250d4f910eb22a9b0f90898bed29b36a8a3920fd7c54ede5cf36aad4ee6N.exe"
   - Drops startup file
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe (PID 2648)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
   2. C:\Adobe2S\aoptisys.exe (PID 4320)
      Command line: C:\Adobe2S\aoptisys.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads