Analysis
max time kernel: 120s
max time network: 19s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 27-10-2024 16:37
Static task: static1
Behavioral task: behavioral1
  Sample: 855a66ca6f7b38fa88003f93646f4eb50dfbdc7817125aec346c40d8da95acbcN.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: 855a66ca6f7b38fa88003f93646f4eb50dfbdc7817125aec346c40d8da95acbcN.exe
  Resource: win10v2004-20241007-en
General
Target: 855a66ca6f7b38fa88003f93646f4eb50dfbdc7817125aec346c40d8da95acbcN.exe
Size: 2.6MB
MD5: 5955894ce47de5b99b03d90389b59250
SHA1: c73c95d66795c9c24135a35dbac3fb33fad06291
SHA256: 855a66ca6f7b38fa88003f93646f4eb50dfbdc7817125aec346c40d8da95acbc
SHA512: 3b23ff5f5fc766835c7145394677e31440a716b9e4bd6ac1d2f68e2c1eaed2cfb12fac5c1e6e64dd5aa5b15cdb1a4c3b27eebf2d90728a8008be5cf38080d571
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB5B/bS:sxX7QnxrloE5dpUpmb
Malware Config
Signatures
Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
    Process: 855a66ca6f7b38fa88003f93646f4eb50dfbdc7817125aec346c40d8da95acbcN.exe
Executes dropped EXE (2 IoCs)
  PID 2320: sysadob.exe
  PID 2888: aoptisys.exe
Loads dropped DLL (2 IoCs)
  PID 2348: 855a66ca6f7b38fa88003f93646f4eb50dfbdc7817125aec346c40d8da95acbcN.exe
  PID 2348: 855a66ca6f7b38fa88003f93646f4eb50dfbdc7817125aec346c40d8da95acbcN.exe
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocC3\\aoptisys.exe"
    Process: 855a66ca6f7b38fa88003f93646f4eb50dfbdc7817125aec346c40d8da95acbcN.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBLS\\dobxec.exe"
    Process: 855a66ca6f7b38fa88003f93646f4eb50dfbdc7817125aec346c40d8da95acbcN.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: sysadob.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: aoptisys.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: 855a66ca6f7b38fa88003f93646f4eb50dfbdc7817125aec346c40d8da95acbcN.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2348: 855a66ca6f7b38fa88003f93646f4eb50dfbdc7817125aec346c40d8da95acbcN.exe (listed twice)
  PID 2320: sysadob.exe and PID 2888: aoptisys.exe (the remaining entries alternate between these two processes)
Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2348 (855a66ca6f7b38fa88003f93646f4eb50dfbdc7817125aec346c40d8da95acbcN.exe) wrote to memory of PID 2320, procid_target 29 (4 entries)
  PID 2348 (855a66ca6f7b38fa88003f93646f4eb50dfbdc7817125aec346c40d8da95acbcN.exe) wrote to memory of PID 2888, procid_target 30 (4 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\855a66ca6f7b38fa88003f93646f4eb50dfbdc7817125aec346c40d8da95acbcN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\855a66ca6f7b38fa88003f93646f4eb50dfbdc7817125aec346c40d8da95acbcN.exe"
  PID: 2348
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
    PID: 2320
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  C:\IntelprocC3\aoptisys.exe
    Command line: C:\IntelprocC3\aoptisys.exe
    PID: 2888
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.6MB
  MD5: 331e23406f1e0a6b7953ee820c5347cc
  SHA1: aed20833d129eedaa1ea57146894937875b3fe17
  SHA256: 89f05efdff8a4bfa6308686804b41e1688d185796370df4800fdf3d68ed58430
  SHA512: 93aafe1886edecfe4384139c9081343e394724e64a0179a343258888b32d69ccb742e994f46a4af632315cefa9327be610a5589472e14ea4672a6230b28dca9c
- Filesize: 2.6MB
  MD5: e065cfacb9ce96e72181f3d3c098c649
  SHA1: 233c392fc02824104567d3574167b5103bc78f48
  SHA256: 0dda325d7359c97bee32c9aba78a9f896e73a170dad600451b0167aea077c1cc
  SHA512: 63a95ac78083313eaf995e3073b1d76dfa1a9838d4bfdcc834ba03358b2b841e9e640fded058ae6efcc9d31692d5aef1afd1dccc3354975410c04b90c21d4a1c
- Filesize: 2.6MB
  MD5: fc3f560ba33de3dde98fec3d148ad456
  SHA1: 583f98f88865af58a7c91182c77a04aaf3504d68
  SHA256: 080e04dc80c52bb33f7ccbffe0422838f6fef169a313553be025e784c98d2c02
  SHA512: fb7938d634f2eb9dec407684f26e7b7104c5576f583476496fca8a3f761d4c458f405124448c41f32522bb0744667b7a72bd5f065fe21343639f0d8744afc982
- Filesize: 172B
  MD5: 5c45561aafeed9d102057ff1eaa71204
  SHA1: 0504ddf5770340c411c47eb950918102cd6a7bb2
  SHA256: e1685284d4f6a26f72fd86358225398be8938b49f6eaf6ae09d8901c4c1689f3
  SHA512: 2d955ba406708f81bd3f9aae74535df256648f6e39820a4c945f6a0fc2d0e51e9b275cf3ba57a57886d515fedc8c52290567ee6aa6b0c514f22aadab338e727b
- Filesize: 204B
  MD5: d65abb649d8b4eaf5b54674c20ae74ba
  SHA1: deeb6e66b960834d4631e3f39d3f0ab52d06229c
  SHA256: 496c7afe025e43f79b3b986c02962c3da212bf7ff180971c53054dcbf2da941e
  SHA512: 535e1f8a0394e58ef84691d9f1e0ff35d694caa6879ea188412622e519259bd639189c4681154528448ddb77f1ba12af2b305e5b6a43702d7c24e3e75885e27a
- Filesize: 2.6MB
  MD5: ea9ff6ce5e937ec7db51cd811d75fe02
  SHA1: ca839344255afa489f36b37d04d40fddcb70040b
  SHA256: 5165801607e39a7e3b3f84b110400f614eaa2622de90cc539798a861188ce65c
  SHA512: dc2335cc5d82b88bbb2170b8e5cd49de094cabb11bec84e56428b0b135155b44138faf2dc1df516c107db5799061003ebf86abfc26d6f8b6fa3ae0d83826d5c9