Analysis

  • max time kernel
    119s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08/11/2024, 22:01

General

  • Target

    06addf1695faa4b9644dd0cd6b551b7190bd9a150c0306f2c44ac4ac8c80bc12N.exe

  • Size

    2.6MB

  • MD5

    5d793986e055bf27b3397a43b07db2e0

  • SHA1

    2bdeb33c4dbb5bd946919ff763caf2a6565cb520

  • SHA256

    06addf1695faa4b9644dd0cd6b551b7190bd9a150c0306f2c44ac4ac8c80bc12

  • SHA512

    ff8cce86d8f6db3885257ca4049570bbf01109a2eea7a8c7c6b27dc98949093c3787b3f0ef2e57050bcc350b1ee26267ba3fe88aa1011c101d0ac7f5b2ba3e74

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBDB/bSq:sxX7QnxrloE5dpUpwbV

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\06addf1695faa4b9644dd0cd6b551b7190bd9a150c0306f2c44ac4ac8c80bc12N.exe
    "C:\Users\Admin\AppData\Local\Temp\06addf1695faa4b9644dd0cd6b551b7190bd9a150c0306f2c44ac4ac8c80bc12N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:216
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2980
    • C:\SysDrvKO\aoptiloc.exe
      C:\SysDrvKO\aoptiloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:5076

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\SysDrvKO\aoptiloc.exe

          Filesize

          2.6MB

          MD5

          4377fcdc62993ce1dffb5d08714b8b0f

          SHA1

          8d4c68e5e3cb5dcc564b27328b69f47fbacea9f5

          SHA256

          37667a8f28887f184c7b42b92d04aae5089043ba7fcb0bdcd7ba3b084ca45711

          SHA512

          4f3ae57fcac23c6f9fc2725e42fbdabdb2049abd9f033af3263683ad684fbfb708de6680e7ce376ca3baa5c84675982c0dc429c999eb0aae951eef0a30ab06e6

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          202B

          MD5

          b32f01c609a15adaca850ae1807a9332

          SHA1

          25e672f157b0622c010173d1a314293f71a2276f

          SHA256

          8fbb15d9aace682c3128e3139c9d8fb61c1793ee5b4bbc04ab2e198acd994fb2

          SHA512

          f50aa2d8cc63cb78227ebcda421a1bea33fb1536edfe49fc921ba4caa1afcea791afe7bab6305e899c24304564f6ee03981d02d2b99cbd5e30c798418e0ffe2f

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          170B

          MD5

          974234e2024a5141e0a3f207ed07773d

          SHA1

          fff2f5f5c51cfb2b88746a21c01a314d50cc2367

          SHA256

          81f4b77294a982108683eefbf9ca858f69c9cef34a792fcbd60f241b9dd606c5

          SHA512

          f20575107544cb961195b1420f3c225fdc99ea11cbe1cae44e50164c0145aef38f70c13f7dc1f32d8e961dccc94267d8db12186455c37cf3b55a43b1d78984d7

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe

          Filesize

          2.6MB

          MD5

          a275d69e0bb3d97071782b37a2afffde

          SHA1

          1421f6ea00909aeee0183b80e304c0b8d55f8e39

          SHA256

          6177adfa2373810c9687372cfd415cdf53c16f7c7b4e35e4a4c6046c6373826e

          SHA512

          3e3733f77e668e158735b4903358fa67686bb189c7e46a0b1fedcca56b44a76f0323b2f88fad16b228fd206a8a731dce7bbd033347c0829e65998019c6808d63

        • C:\VidMQ\dobdevloc.exe

          Filesize

          2.6MB

          MD5

          a26010c1243d4924f50bc28f4c9836d3

          SHA1

          15797bfc341cf85bc809e0eeac04704c0dccfa0a

          SHA256

          dfdd5177a6ec3cf2e7aa404dc73384f38d54d03f3275c96f0b36abff7916cd5d

          SHA512

          ca028327e9089759d03b2df5c359eb59c6b85dee38f05c169312d9404843f73d43beaf4ad46f8ffd368e9a2d477d788e2dafd298aa42b1ea9606b91644649e50

        • C:\VidMQ\dobdevloc.exe

          Filesize

          2.6MB

          MD5

          d5c10ee29bb098c28be488ba504faf27

          SHA1

          7d31f467ccb37832e321f8403e2497ab30a1a956

          SHA256

          97fb5838213d13a5864e9ebaa56f363a5d5df39f481d71833a1f9ff39284a985

          SHA512

          814a15ea040b1cdcef37d8c7607a0125333dfa4330a5570b15fad3721008151def9eec7ffa90a7ce2ec2bff66bcbc5f62a0942587b75645741097efd9d4691c5