Analysis

  • max time kernel: 120s
  • max time network: 99s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 27-10-2024 15:58

General

  • Target: 87bf1e6b75b07847360d25c65c5527d7705868f1f5d2e7bf10eefbb2c51c0206N.exe
  • Size: 2.6MB
  • MD5: 485119cab14345a88de5b76cdb10ccd0
  • SHA1: 6d30a874aff198919da09984739c24ea6dd85ea9
  • SHA256: 87bf1e6b75b07847360d25c65c5527d7705868f1f5d2e7bf10eefbb2c51c0206
  • SHA512: f1d3483d567267362c868b0a28ebbc93dc767c824ccca0fc13bef04245f9a41868ffba9e2261d3d1f1df30c628f278b815ada0d76d19da98d493c693019e0fcf
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB1B/bS:sxX7QnxrloE5dpUpmb

Malware Config

Signatures

  • Drops startup file (1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Reads user/profile data of web browsers (3 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\87bf1e6b75b07847360d25c65c5527d7705868f1f5d2e7bf10eefbb2c51c0206N.exe
    "C:\Users\Admin\AppData\Local\Temp\87bf1e6b75b07847360d25c65c5527d7705868f1f5d2e7bf10eefbb2c51c0206N.exe"
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:980
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:844
    • C:\SysDrvY1\aoptiec.exe
      C:\SysDrvY1\aoptiec.exe
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4928

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\MintOA\optiaec.exe
    Filesize: 6KB
    MD5: b646265f07f9f16a9eedf6d5027f9e3c
    SHA1: a47300f0e83643f499e1b7c1be83a375a1293ac7
    SHA256: d9d3e8602e7f445e99a6594bba9d12ffef0a099ea168321e788dbde80f1fe025
    SHA512: 403b6c7a5606ac30e67478febf3210fc1d0e88e15fcc0544f80a00e2249b9fcf6ec71a25f5e36eaa2528ba1ab9c016dc5269cd1fe3a9758317b2abf1d8553f67

  • C:\MintOA\optiaec.exe
    Filesize: 66KB
    MD5: 41ed2b6b4209e8da068fa53ac1207294
    SHA1: fddd5326f0748153756c0148523e53509fafb47e
    SHA256: e97075c81f3c40e7a71d2763e5cfcbfca9ebea3c8b351ad6e054a999a5738133
    SHA512: cb960323a40e20183cd5a0b8ea15dc5e7cfeb19bd09641b748a159be9b4901a8bfececf79437e0f2bae7a8c52335267327b57fa54a9e52d4049f653f647a360c

  • C:\SysDrvY1\aoptiec.exe
    Filesize: 12KB
    MD5: 63a0ef76826092fea4e01baf01c034cd
    SHA1: 7928773c93e5415d90fd843aab4e88e2aac63b3e
    SHA256: 352b43cb6571752f0384b3ed426685390fdd95e60df6c0b18aa1f88a8218eb8a
    SHA512: b2733d1ed6b87c98dfef20ace52c15ca20dff53f02d54fd5a6c2b737b9466b7558f984a590f2e4ec2e2d30c0096bb1b2173787d969cc3ab54f96f3428c03fb0c

  • C:\SysDrvY1\aoptiec.exe
    Filesize: 2.6MB
    MD5: 40cc9d4f865603f9ec177ad0564b0953
    SHA1: 8f0b1c9926c11ff57594cf7df55baa9e36d15df4
    SHA256: acb6dd53722b28df637cfaceff11ca3340f96b102ce7e93837948a27ae6518fd
    SHA512: 61fe1375d49e52da0124ad25b03cf6ee9229a978337bd47c3e5644b6af7fe2180aa6470e920a0e8409c59e52bf238a7179b9fa4cca4be9c01d1a4fc8ba20b154

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 201B
    MD5: d259cd59da211a5963f7c7745cb9033e
    SHA1: 7fdb1c2fa136356e711bff75cf69608592c28474
    SHA256: fe8890279e68e45d6c132ad93c473cf2608b33715324407da16ebcfc1fb0b6a0
    SHA512: f536475d52e90f654e23d10a30bde3408a50afbf200d5325cd349aca1cd7a5fe7a455159b30071cbdb54e9935aa31f5269f8946c3d1a6c9e8a9bdc5e1bab9b51

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 169B
    MD5: 395aed0919abbcedad21936d19aacc03
    SHA1: 77d75bdf52c71dba2c6c5bb4cefff4a8e1995915
    SHA256: a70ec56985027423d31c14828727e5ac6ec5b2dfd3f90a00272b9996ed1a9e30
    SHA512: f5a20d38d4f8d808f5f2576dc101a6f40c0a81d7408f0fca2395318faec833bf29abff8749c245fd09f5e666fc99d9437c3070b4347193add46187e401c288af

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
    Filesize: 2.6MB
    MD5: 84385df35f433f968dba202aac3bfb9c
    SHA1: 48ac008afa97c1c975b4e8879c9e7fe0b084286b
    SHA256: 36f2e06d8c8a41b735039d44552da62c1a388f9f96b212ef342b899c1d8ec52f
    SHA512: 47393564ffb2a6c79c532173787d35e6420e9e61d03c828cf22ed1ae9b654b7705f498285b844f2df0c142cd2bb514993bfec8dbc4012776d73bb247f90c99b8