Analysis
max time kernel: 120s
max time network: 99s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-10-2024 15:58
Static task: static1
Behavioral task: behavioral1
  Sample: 87bf1e6b75b07847360d25c65c5527d7705868f1f5d2e7bf10eefbb2c51c0206N.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: 87bf1e6b75b07847360d25c65c5527d7705868f1f5d2e7bf10eefbb2c51c0206N.exe
  Resource: win10v2004-20241007-en
General
Target: 87bf1e6b75b07847360d25c65c5527d7705868f1f5d2e7bf10eefbb2c51c0206N.exe
Size: 2.6MB
MD5: 485119cab14345a88de5b76cdb10ccd0
SHA1: 6d30a874aff198919da09984739c24ea6dd85ea9
SHA256: 87bf1e6b75b07847360d25c65c5527d7705868f1f5d2e7bf10eefbb2c51c0206
SHA512: f1d3483d567267362c868b0a28ebbc93dc767c824ccca0fc13bef04245f9a41868ffba9e2261d3d1f1df30c628f278b815ada0d76d19da98d493c693019e0fcf
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB1B/bS:sxX7QnxrloE5dpUpmb
Malware Config
Signatures
Drops startup file - 1 IoC
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
  Process: 87bf1e6b75b07847360d25c65c5527d7705868f1f5d2e7bf10eefbb2c51c0206N.exe

Executes dropped EXE - 2 IoCs
  PID 844: locxdob.exe
  PID 4928: aoptiec.exe
Reads user/profile data of web browsers - 3 TTPs
  Infostealers often target stored browser data, which can include saved credentials and similar secrets. No individual IoCs are listed for this signature in the report.
Adds Run key to start application - 2 TTPs, 2 IoCs
  Set value (str): \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvY1\\aoptiec.exe"
    Process: 87bf1e6b75b07847360d25c65c5527d7705868f1f5d2e7bf10eefbb2c51c0206N.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintOA\\optiaec.exe"
    Process: 87bf1e6b75b07847360d25c65c5527d7705868f1f5d2e7bf10eefbb2c51c0206N.exe
  Note: both values use the same name, "Parametr", which is a usable hunting indicator on its own. The Run target C:\SysDrvY1\aoptiec.exe was executed during this run (PID 4928); the RunOnce target C:\MintOA\optiaec.exe (note the different spelling) does not appear in the process tree, so this run does not show whether it was written to disk.
System Location Discovery: System Language Discovery - 1 TTP, 3 IoCs
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: 87bf1e6b75b07847360d25c65c5527d7705868f1f5d2e7bf10eefbb2c51c0206N.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: locxdob.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: aoptiec.exe
Suspicious behavior: EnumeratesProcesses - 64 IoCs
  The 64 entries are repeated PID/process pairs from the three processes in the tree:
  PID 980: 87bf1e6b75b07847360d25c65c5527d7705868f1f5d2e7bf10eefbb2c51c0206N.exe (4 entries)
  PID 844: locxdob.exe (30 entries, alternating with PID 4928)
  PID 4928: aoptiec.exe (30 entries, alternating with PID 844)
Suspicious use of WriteProcessMemory - 6 IoCs
  PID 980 (87bf1e6b75b07847360d25c65c5527d7705868f1f5d2e7bf10eefbb2c51c0206N.exe) wrote to memory of PID 844, procid_target 91 (3 entries)
  PID 980 (87bf1e6b75b07847360d25c65c5527d7705868f1f5d2e7bf10eefbb2c51c0206N.exe) wrote to memory of PID 4928, procid_target 92 (3 entries)
  Note: both targets are the dropped executables that PID 980 itself launched, so these writes are consistent with process creation of its own children; the report shows no writes into any unrelated process.
Processes
C:\Users\Admin\AppData\Local\Temp\87bf1e6b75b07847360d25c65c5527d7705868f1f5d2e7bf10eefbb2c51c0206N.exe (level 1, PID 980)
  command line: "C:\Users\Admin\AppData\Local\Temp\87bf1e6b75b07847360d25c65c5527d7705868f1f5d2e7bf10eefbb2c51c0206N.exe"
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe (level 2, PID 844, child of PID 980)
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

  C:\SysDrvY1\aoptiec.exe (level 2, PID 4928, child of PID 980)
    command line: C:\SysDrvY1\aoptiec.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
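The signatures and process tree above give a responder three concrete things to look for on other hosts: a Run/RunOnce value named "Parametr" in a user hive, the dropped executables at the paths shown (locxdob.exe in the user's Startup folder, C:\SysDrvY1\aoptiec.exe, C:\MintOA\optiaec.exe), and the file hashes. The following PowerShell hunting script is an added example and is not part of the sandbox report or of the sample; the value name, paths and SHA256 values come from this report, while the decision to scan every loaded user hive and every profile directory, the helper name Add-Finding, and the output layout are assumptions of the example.

```powershell
# Added example, not part of the sandbox report: hunt a Windows host for the
# persistence artifacts recorded in this run. Indicators (value name, paths,
# SHA256 values) are taken from the report; the hunting logic is assumed.
# Run elevated so other users' hives and profile directories are readable.

$ErrorActionPreference = 'SilentlyContinue'

$ValueName  = 'Parametr'                        # Run/RunOnce value name the sample set
$RunTargets = @('C:\SysDrvY1\aoptiec.exe',      # Run target, executed in the run (PID 4928)
                'C:\MintOA\optiaec.exe')        # RunOnce target, not seen executing
$StartupRel = 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe'
$KnownSha256 = @(
    '87bf1e6b75b07847360d25c65c5527d7705868f1f5d2e7bf10eefbb2c51c0206',  # submitted sample
    'acb6dd53722b28df637cfaceff11ca3340f96b102ce7e93837948a27ae6518fd',  # 2.6MB dropped file
    '36f2e06d8c8a41b735039d44552da62c1a388f9f96b212ef342b899c1d8ec52f'   # 2.6MB dropped file
)

$findings = New-Object System.Collections.Generic.List[object]

# Hypothetical helper: collect one row per hit.
function Add-Finding([string]$Type, [string]$Location, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Type = $Type; Location = $Location; Detail = $Detail })
}

# 1. "Parametr" under Run and RunOnce in every loaded user hive. The sample wrote
#    to the SID-keyed hive of the logged-on user, so checking HKCU alone would
#    miss a different user who ran it.
foreach ($hive in Get-ChildItem 'Registry::HKEY_USERS') {
    foreach ($sub in 'Run', 'RunOnce') {
        $key = "Registry::$($hive.Name)\Software\Microsoft\Windows\CurrentVersion\$sub"
        $val = Get-ItemProperty -Path $key -Name $ValueName
        if ($null -ne $val) { Add-Finding 'RegistryRun' "$key\$ValueName" $val.$ValueName }
    }
}

# 2. Dropped executables: the Startup-folder copy in every profile directory,
#    plus the two Run/RunOnce targets. Hash anything present and compare it with
#    the hashes from the report; a new hash still means the path is occupied.
$candidates = @($RunTargets)
foreach ($userDir in Get-ChildItem 'C:\Users' -Directory) {
    $candidates += Join-Path $userDir.FullName $StartupRel
}
foreach ($path in $candidates) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToLower()
    $note = if ($KnownSha256 -contains $hash) { "SHA256 matches report ($hash)" } else { "present, SHA256 not in report ($hash)" }
    Add-Finding 'DroppedFile' $path $note
}

# 3. Live processes using the dropped image names (Get-Process names omit .exe).
Get-Process | Where-Object { $_.Name -in @('locxdob', 'aoptiec', 'optiaec') } | ForEach-Object {
    Add-Finding 'Process' $_.Path "PID $($_.Id)"
}

if ($findings.Count -eq 0) { 'No indicators from this report were found on this host.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

The value name "Parametr" and the two directory names are the cheapest indicators to pivot on across a fleet, because the 2.6MB dropped files in this run already carry hashes different from the submitted sample, so a hash-only sweep would miss copies produced by another run.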
Network
MITRE ATT&CK Enterprise v15
Downloads
(Files captured during the run; the report does not give their names. Two of them are 2.6MB, the same size as the submitted sample, but with different hashes.)

File 1
  Filesize: 6KB
  MD5: b646265f07f9f16a9eedf6d5027f9e3c
  SHA1: a47300f0e83643f499e1b7c1be83a375a1293ac7
  SHA256: d9d3e8602e7f445e99a6594bba9d12ffef0a099ea168321e788dbde80f1fe025
  SHA512: 403b6c7a5606ac30e67478febf3210fc1d0e88e15fcc0544f80a00e2249b9fcf6ec71a25f5e36eaa2528ba1ab9c016dc5269cd1fe3a9758317b2abf1d8553f67

File 2
  Filesize: 66KB
  MD5: 41ed2b6b4209e8da068fa53ac1207294
  SHA1: fddd5326f0748153756c0148523e53509fafb47e
  SHA256: e97075c81f3c40e7a71d2763e5cfcbfca9ebea3c8b351ad6e054a999a5738133
  SHA512: cb960323a40e20183cd5a0b8ea15dc5e7cfeb19bd09641b748a159be9b4901a8bfececf79437e0f2bae7a8c52335267327b57fa54a9e52d4049f653f647a360c

File 3
  Filesize: 12KB
  MD5: 63a0ef76826092fea4e01baf01c034cd
  SHA1: 7928773c93e5415d90fd843aab4e88e2aac63b3e
  SHA256: 352b43cb6571752f0384b3ed426685390fdd95e60df6c0b18aa1f88a8218eb8a
  SHA512: b2733d1ed6b87c98dfef20ace52c15ca20dff53f02d54fd5a6c2b737b9466b7558f984a590f2e4ec2e2d30c0096bb1b2173787d969cc3ab54f96f3428c03fb0c

File 4
  Filesize: 2.6MB
  MD5: 40cc9d4f865603f9ec177ad0564b0953
  SHA1: 8f0b1c9926c11ff57594cf7df55baa9e36d15df4
  SHA256: acb6dd53722b28df637cfaceff11ca3340f96b102ce7e93837948a27ae6518fd
  SHA512: 61fe1375d49e52da0124ad25b03cf6ee9229a978337bd47c3e5644b6af7fe2180aa6470e920a0e8409c59e52bf238a7179b9fa4cca4be9c01d1a4fc8ba20b154

File 5
  Filesize: 201B
  MD5: d259cd59da211a5963f7c7745cb9033e
  SHA1: 7fdb1c2fa136356e711bff75cf69608592c28474
  SHA256: fe8890279e68e45d6c132ad93c473cf2608b33715324407da16ebcfc1fb0b6a0
  SHA512: f536475d52e90f654e23d10a30bde3408a50afbf200d5325cd349aca1cd7a5fe7a455159b30071cbdb54e9935aa31f5269f8946c3d1a6c9e8a9bdc5e1bab9b51

File 6
  Filesize: 169B
  MD5: 395aed0919abbcedad21936d19aacc03
  SHA1: 77d75bdf52c71dba2c6c5bb4cefff4a8e1995915
  SHA256: a70ec56985027423d31c14828727e5ac6ec5b2dfd3f90a00272b9996ed1a9e30
  SHA512: f5a20d38d4f8d808f5f2576dc101a6f40c0a81d7408f0fca2395318faec833bf29abff8749c245fd09f5e666fc99d9437c3070b4347193add46187e401c288af

File 7
  Filesize: 2.6MB
  MD5: 84385df35f433f968dba202aac3bfb9c
  SHA1: 48ac008afa97c1c975b4e8879c9e7fe0b084286b
  SHA256: 36f2e06d8c8a41b735039d44552da62c1a388f9f96b212ef342b899c1d8ec52f
  SHA512: 47393564ffb2a6c79c532173787d35e6420e9e61d03c828cf22ed1ae9b654b7705f498285b844f2df0c142cd2bb514993bfec8dbc4012776d73bb247f90c99b8